mhill
UK Editor

22 notable government cybersecurity initiatives in 2022

Feature
Sep 29, 2022 | 18 mins
CSO and CISO, Security

Countries across the globe are taking on cybersecurity threats. Here are the most notable initiatives they've introduced in 2022.

Cybersecurity continues to be high on the agenda of governments across the globe, with authorities at both national and local levels increasingly working to counter cybersecurity threats. Much like last year, 2022 has seen significant, government-led initiatives launched to help address diverse security issues.

Here are 22 notable cybersecurity initiatives introduced around the world in 2022.

February

Israel commits to IDB cybersecurity initiative in Latin America, Caribbean

The Israeli government announced that it will join the Inter-American Development Bank (IDB) to establish a new cybersecurity initiative, committing $2 million USD to help strengthen cybersecurity capabilities in Latin America and the Caribbean (LAC). Israel’s funding would aid in building cyber capacity across the region by giving officials and policymakers access to forefront practices and world-leading knowledge and expertise, the government stated. “The cybersecurity initiative is paving the way for the safe and secure digitalization of Latin America and the Caribbean, one of the key elements for growth in the post-COVID era,” said Matan Lev-Ari, Israel’s representative on the IDB’s Board.

March

Singapore launches cybersecurity certification program to recognize good security practices

Singapore’s Cyber Security Agency (CSA) launched a new certification program to recognize enterprises that have adopted and implemented good cybersecurity practices. The certification comprises two cybersecurity marks: Cyber Essentials, which recognizes small and medium enterprises that have put in place cyber hygiene measures, and Cyber Trust, a mark of distinction to recognize larger or more digitalized enterprises with comprehensive measures and practices.

To support enterprises in their journeys to attaining certification, the CSA also developed a toolkit for IT teams and curated an initial ecosystem of partners with product and service offerings that can help enterprises address requirements of the marks. “Supply chain cyberattacks will continue to proliferate in the digital space, and in time to come, companies could be required to demonstrate their cybersecurity posture when they conduct business as a way of providing greater assurance to their customers,” said David Koh, chief executive of CSA.

April

Singapore sets out licensing framework for cybersecurity service providers

Singapore’s CSA set out a licensing framework for cybersecurity service providers and established the Cybersecurity Services Regulation Office (CSRO) to administer it and facilitate liaisons with the industry and wider public on all licensing-related matters. The framework aims to better safeguard consumers’ interests and addresses the information asymmetry between consumers and cybersecurity service providers, along with improving service provider standards and standing over time, Singapore’s CSA stated.

It added that two types of cybersecurity service providers would be licensed – those providing penetration testing and managed security operations center monitoring services. “These two services are prioritized because service providers performing such services can have significant access into their clients’ computer systems and sensitive information,” the CSA wrote. “In the event that the access is abused, the client’s operations could be disrupted. In addition, these services are already widely available and adopted in the market, and hence have the potential to cause significant impact on the overall cybersecurity landscape.”

Australia launches REDSPICE to bolster national cybersecurity

The Australian federal government’s Australian Signals Directorate (ASD) announced the launch of the Resilience – Effects – Defence – SPace – Intelligence – Cyber – Enablers (REDSPICE) initiative to enhance the cyber resiliency and defense of national systems and critical infrastructure, with $9.9 billion (AUD) to be invested in bolstering Australia’s national cybersecurity capabilities over the next decade. Through REDSPICE, ASD said it will expand the range and sophistication of its intelligence, offensive, and defensive cyber capabilities. “REDSPICE is the necessary and timely change needed for ASD to continue its contribution to making Australia secure, in both peacetime and conflict,” wrote Rachel Noble, director general of ASD.

May

UK sets out new nuclear cybersecurity strategy

The UK government outlined plans for a new cybersecurity strategy to protect the nation’s nuclear sector. Its aim is to build a comprehensive understanding of current sector cybersecurity strengths and challenges with key objectives to be achieved by 2026, as part of its wider National Cyber Strategy 2022. In the 2022 Civil Nuclear Cyber Security Strategy, the UK government outlined the goal of creating a civil nuclear sector which effectively manages and mitigates cyber risk in a collaborative and mature manner, with resilience in responding to and recovering from incidents. The new plans seek to build on existing understanding surrounding nuclear cybersecurity and introduce four key objectives which the sector should achieve within the next four years:

  1. Appropriately prioritizing cybersecurity as part of a holistic risk management approach, underpinned by a common risk understanding and outcome-focused regulation.
  2. Taking proactive action to mitigate supply chain cyber risks in the face of evolving threats, legacy challenges, and adoption of new technologies.
  3. Enhancing resilience by preparing for and responding collaboratively to cyber incidents to minimize impacts and recovery time.
  4. Collaborating to increase cyber maturity, develop cyber skills and promote a positive security culture.

These objectives will be delivered via several priority and supporting activities and overseen by a programmatic approach to delivery. These include Cyber Adversary Simulation (CyAS) assessments and other threat-informed testing activities across the sector’s critical IT and OT systems, baseline cybersecurity standards for the civil nuclear supply chain, and collaboration across the sector on third-party and component assurance and management.

Victoria state government invests $100,000 to train women in cybersecurity

The Victoria state government in Australia announced that it was investing $100,000 AUD in an initiative to train women with one year of experience in the IT sector or three years in cyber to either begin a career or prepare for leadership roles in cybersecurity. The initiative was launched in partnership with the Australian Women in Security Network (AWSN). The state government labelled the scheme as a program designed to improve female representation in the workforce, as the Australian Bureau of Statistics found women make up just 31% of local digital technology workers. The program, which began in July, includes specialist training, coaching and mentoring services, as well as attendance to workshops and networking events.

UK opens applications for Cyber Security Advisory Board

The UK government opened applications for membership of the Government Cyber Security Advisory Board (GCSAB). The aim of the GCSAB is to build on the success of the External Challenge Panel that brought industry and academic perspectives to support the development of the government’s wider Cyber Security Strategy, which was launched in January 2022 to help build a cyber-resilient public sector. The government stated that the GCSAB will be comprised of independent, external experts to build better links between government, the private sector, and academia, providing perspectives and input on addressing the challenges of government cybersecurity, as per a posting on its website. It invited candidates with cybersecurity expertise or competence or knowledge in the areas of strategy, standards, and assurance; governance, risk, and management program delivery; cyber detection and response technology; and cyber skills and culture to submit Expressions of Interest (EoI) for membership of the GCSAB, which will meet virtually every two months.

US proposals spell out 5G security advancements

The US government introduced a proposed five-step 5G Security Evaluation Process Investigation to address gaps in existing security assessment guidance and standards that arise from new features and services in 5G technologies. “The intent of this joint security evaluation process is to provide a uniform and flexible approach that federal agencies can use to evaluate, understand, and address security and resilience assessment gaps with their technology assessment standards and policies,”  said Eric Goldstein, executive assistant director for the Cybersecurity and Infrastructure Security Agency (CISA). “Such a process will provide assurance that the government enterprise system is protected and cybercriminals cannot gain backdoor entry into agency networks through 5G technology.” Specifically, the agencies involved seek to get ahead of the curve before any federal office conducts a security assessment to obtain authorization to operate (ATO). The five steps put forward were:

  1. Define the federal 5G use case.
  2. Identify the assessment boundary.
  3. Identify security requirements.
  4. Map security requirements to federal guidance.
  5. Assess security guidance gaps and alternatives.

UK proposes new code of practice to enhance app security and privacy

The UK government called for input from the technology sector on enhancing security and privacy requirements for app stores and app development. The consultation period came in the wake of a new report from the UK’s National Cyber Security Centre (NCSC) that revealed that apps containing malware or those that have been poorly developed are putting users at significant risk. The UK government said it therefore aims to establish a new code of practice which will set out baseline security and privacy requirements for apps. Under new proposals, app stores for smartphones, game consoles, TVs, and other smart devices could be asked to commit to a new code of practice to boost app security and privacy standards, which would be the first such measure in the world, stated a press release on the UK government’s website. “The proposed code would require stores to have a vulnerability reporting process for each app so flaws can be found and fixed quicker. They would need to share more security and privacy information in an accessible way including why an app needs access to users’ contacts and location,” it added.

June

Israel announces The Cyber-Dome project to elevate national cybersecurity

The Israel National Cyber Directorate (INCD) outlined its new national cybersecurity project The Cyber-Dome – a big data and AI overall approach to proactive defense. Announced by Gaby Portnoy, director general of INCD, the project aims to diminish cyberattacks in the country by elevating national cybersecurity through new mechanisms in the national cyber perimeter. “The Cyber-Dome will also provide tools and services to elevate the protection of the national assets as a whole. It will synchronize nation-level real-time detection, analysis, and mitigation of threats,” Portnoy stated. “We need to protect our national assets in the best possible way and make cybersecurity protocols we use for critical infrastructure available for more sectorial organizations – government and private.”

Canada introduces new legislation to enhance cybersecurity

The Canadian government introduced proposed legislation to better protect Canadians and bolster cybersecurity across the financial, telecommunications, energy, and transportation sectors. Bill C-26, An Act Respecting Cyber Security (ARCS), sought to replace the Telecommunications Act to add security as a policy objective, bringing telecommunications in line with other critical sectors. “This will provide the government with the legal authority to mandate any necessary action to secure Canada’s telecommunications system. This includes prohibiting Canadian companies from using products and services from high-risk suppliers,” the government wrote. Furthermore, this legislation introduced the Critical Cyber Systems Protection Act (CCSPA) which lays a foundation for securing Canada’s critical infrastructure. “These legislative measures will help to further protect Canadians and defend our critical infrastructure in an evolving and increasingly complex digital environment,” commented Anita Anand, minister of national defense.

July

Germany bolsters cyber defenses in response to Russian cyberthreats

The German government announced plans to increase the nation’s cyber defenses in response to possible new threats from Russia amid its invasion of Ukraine. New measures put forward by Interior Minister Nancy Faeser involve promoting cyber resilience among small and medium enterprises and businesses that provide critical services such as transport, food, health, energy, and water supply, along with the introduction of a secure central video conferencing system for the federal government. A centralized platform for the exchange of information on cyberattacks between state and federal structures was also outlined, as were plans to modernize IT infrastructure of Germany’s domestic intelligence agency and police. Commenting, Faeser said, “The sea change we are facing in view of the Russian war of aggression against Ukraine requires a strategic repositioning and significant investment in our cybersecurity.”

August

France commits €20 million to strengthen cybersecurity of hospitals, healthcare establishments

France’s minister for digital transition and telecommunications, Jean-Noël Barrot, and François Braun, minister of health, announced an additional €20 million investment in the French national cyber agency ANSSI to strengthen the cybersecurity of the nation’s hospitals and healthcare establishments. This was in the wake of a significant ransomware attack against the Centre Hospitalier Sud Francilien (CHSF) on August 24. It is believed that Lockbit was the ransomware type involved in the attack, with a ransom demand of $10 million reportedly made by the attacker. Braun described the cyberattack as inadmissible, with Barrot stating that hospital cybersecurity is a government priority. The funds should make it possible to “strengthen its support for health establishments,” Barrot added.

Scotland offers cyber resilience training to hundreds of organizations

The Scottish government announced a £500,000 contract to extend cyber resilience training to more than 250 organizations across the country. Run by the Scottish Business Resilience Centre (SBRC), the training included online and in-person workshops for public services and third-sector health, housing, and social care bodies to ensure they are better prepared for and protected against cyberthreats. The move came in the wake of increasing numbers of disruptive, large-scale cyberattacks in Scotland. “The workshops provide practical guidance to mitigate or respond to hostile cyberattacks,” stated Justice Secretary Keith Brown. “I would urge eligible organizations to take up this opportunity to ensure they are protected. The Scottish government is committed to ensuring Scotland leads the way in cyber resilience and security.”

Belgium’s Council of Ministers implements legal framework for European cybersecurity certificates

Belgium’s Council of Ministers (the supreme executive organ of the Belgian federal government) designated the Centre for Cybersecurity Belgium (CCB) as the National Cyber Security Certification Authority (NCCA) for recognizing and publishing EU cybersecurity certificates in the country. Within a new legal framework, it was announced that the CCB would provide guidance and support to Belgian companies in the EU cybersecurity certification process. The move implemented European Regulation 2019/881 on the certification of information and communication technologies in the field of cybersecurity – the so-called Cybersecurity Act. “These certificates are based on cybersecurity certification schemes with one or more assurance levels [basic, substantial, or high],” the CCB wrote. “The aim is to improve the transparency of the cybersecurity security of information and communication technology products, services, and processes. This will increase trust in and the competitiveness of the digital single market.”

NSW state government pours $1 million AUD into cybersecurity accelerator

The New South Wales (NSW) state government in Australia selected the nation’s only dedicated cybersecurity accelerator, CyRise, to operate its $1-million Cyber Security Accelerator program, based within Sydney’s Tech Central district. The program includes three-day boot camps, a 14-week accelerator program for startups, and a new scale up program for later stage scaling businesses, all run by CyRise. “This program will help companies sharpen their products, fine-tune business models and boost their connections with international investors,” Minister for Enterprise, Investment and Trade Alister Henskens stated. “It will support businesses to ‘go global’ faster and attract cutting-edge talent to NSW, which will grow the economy and help secure a brighter future for our state.” CyRise CEO Scott Handsaker added that the innovative program aims to make NSW a beacon to the cybersecurity industry globally.

Finland plans cybersecurity funding scheme for companies amid rising security threats

Finland announced plans to help companies fund improvements to their cybersecurity through a new voucher scheme. The plan comes in response to the war in Ukraine and Finland’s bid to join NATO. The vouchers would provide up to €15,000 to small and medium-sized companies and non-profits. Larger companies could be eligible for vouchers worth as much as €100,000, according to the Wall Street Journal.

Teppo Halonen, VP, EMEA at Vectra AI, tells CSO the scale of the Finnish government’s proposed voucher scheme is beyond anything seen within the global security community to date. “Considering cybersecurity in the Nordics has been historically underfunded, this new program is a great step towards improving Finnish cyber resiliency,” he said. “With more freedom to advance their cybersecurity tools and training, these vouchers put Finnish companies in a significantly better position to defend against increased security threats and avoid collateral damage from nation-state campaigns, as well as attacks from cybercriminal groups.”

US releases cybersecurity guidance for software supply chain

The US government’s CISA and the US National Security Agency (NSA) published guidance advising developers how to better secure the software supply chain, with a significant focus on open-source software. The guidance outlined advice in line with industry best practices and principles which software developers are strongly encouraged to reference. These principles include security requirements planning, designing software architecture from a security perspective, adding security features, and maintaining the security of software and the underlying infrastructure (e.g., environments, source code review, testing).

Speaking to CSO, Dave Stapleton, CISO at CyberGRX, said that while the initiative is spearheaded by the US, it will have a positive impact across the globe as supply chains cross city, state, country, and continent lines. “I am encouraged by the federal government’s efforts to aid organizations in securing the software supply chain. One important point brought up by the federal government is that many remediation and mitigation approaches will depend heavily on upstream and downstream stakeholders, evoking the shared responsibility model.”

Singapore calls on cybersecurity industry for innovation

Singapore’s CSA launched the Cybersecurity Industry Call for Innovation 2022 (CyberCall 2022), inviting cybersecurity companies to participate in developing innovative solutions to address specific cybersecurity challenges. Its aim is to strengthen organizations’ cyber resilience and provide opportunities for cybersecurity companies to catalyze cutting-edge solutions in Singapore for commercial adoption. Singapore’s CSA said that year’s CyberCall was looking for solutions in the following areas:

  • Artificial intelligence for cybersecurity
  • Cloud security
  • Operational technology (OT)/Internet of Things (IoT) security
  • Privacy-enhancing technologies

Cybersecurity companies’ proposals that are shortlisted will be invited to discuss their proposals in greater depth with the participating end-users for potential co-innovation, adoption, and test bedding, the CSA added.

Canada commits $675,000 to raise awareness of, preparedness for quantum threats

The Canadian government announced that it was investing $675,000 CAD in support of Quantum-Safe Canada’s project Laying the Foundations for a Quantum-Safe Canada, which raises awareness of and preparedness for quantum security threats. This funding was made available under the Cyber Security Cooperation Program and aims to help strengthen Canada’s ability to prepare for and respond to quantum risks, coordinating research, technology, tools, and training, the government stated in a posting on its website. The project also seeks to ensure that those charged with protecting the systems that Canadians rely on have the knowledge and skills they need in the era of quantum computers, it added. “This project will help better protect Canadians against cyberthreats, in particular the growing risk posed by quantum threats,” said Marco Mendicino, minister of public safety.

September

US launches incident, ransomware reporting rulemaking RFI

The US government’s CISA released a request for information (RFI) on upcoming reporting requirements that will mandate organizations report significant cybersecurity incidents within 72 hours and ransomware payments 24 hours after payments are made. The RFI follows the March passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires CISA to pursue a regulatory rulemaking path for collecting incident and ransomware payment data. CISA also announced it would be hosting 11 in-person listening sessions to inform further how it develops its rules, with one session in each of CISA’s ten regions and another in Washington, DC. “The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a game changer for the whole cybersecurity community and everyone invested in protecting our nation’s critical infrastructure. It will allow us to better understand the threats we are facing, to spot adversary campaigns earlier, and to take more coordinated action with our public and private sector partners in response,” said CISA Director Jen Easterly in a press release.

European Commission unveils draft rules for EU Cyber Resilience Act

The European Commission unveiled draft rules for the Cyber Resilience Act (CRA) to set common cybersecurity standards for connected devices and services across the EU. First announced by EU President Ursula von der Leyen 12 months earlier, the Act seeks to establish cybersecurity rules for digital products and associated services that are placed on the market. It will also hand the European Commission the power to hit non-compliant companies with penalties of up to €15 million, or 2.5% of the previous year’s global turnover, along with granting the EU the ability to recall and ban products that are not compliant. The draft rules will need to be agreed with EU countries and EU lawmakers before they can become law.

Bob Kolasky, senior VP for Exiger and former assistant director at CISA, tells CSO that, for the EU CRA to be effective, the new regulations must have a strong approach to attestation to ensure technology providers meet the requirement. “The requirements under the Act must be risk-based and harmonized as much as possible with approaches taken by other Western countries, particularly the United States. If the implementation of the Act becomes more of a compliance burden rather than a positive action to incentivizing more investment into security practices, measures and protocols, then it could do more harm than good. Industry must be involved in implementing the Act to ensure it’s a success in reality and not just on paper.”