As governments and businesses in all sectors continue their digital transformation, they increasingly rely on the ability to access data to effectively serve their customers and citizens. But proposed data transfer restrictions and data localization requirements will impede digital transformation and increase cybersecurity risks for organizations and the digital ecosystem more broadly.
Data Localization and Transfer Restrictions: Concerning Trends
Some countries are incorrectly justifying data transfer restrictions and localization requirements by reasoning that these rules improve cybersecurity. But the opposite is the case: data transfer restrictions and localization requirements increase cybersecurity risk to both public and private sector organizations, and threaten to put politics and protectionism over cybersecurity. (More details here.)
How do these policies increase cyber risk?
Data transfer restrictions and localization requirements increase cybersecurity risk to both public and private sector organizations, including by:
1. Putting Prescriptive Compliance-Oriented Checklists Before Risk-Based Approaches
- In general, the security of data depends on the technical security controls applied to it, and decisions about those controls should be risk-based and outcome-based rather than prescriptive.
- A compliance-oriented checklist leads to a false sense of security without addressing the ever-changing cybersecurity threat landscape.
2. Introducing Complexities That Increase Cyber Risk
- Experts agree that, in an already-challenging cybersecurity ecosystem, variables that increase complexity also increase cyber risk. Data transfer restrictions and localization requirements increase complexity by requiring an organization to segregate data inside a country and manage it separately from the rest of its data.
- How data is protected is more important than where it is stored: for instance, storing data at geographically diverse locations helps obscure the location of data from bad actors and reduces the risk of physical attacks. Technical measures such as advanced cybersecurity technology, encryption, access authorization, security procedures and user education are better tools to ensure security of data and control.
3. Limiting Access to Best-of-Breed Cybersecurity Services
- Transfer restrictions make it difficult or impossible for third-party cybersecurity services to integrate certain data into their services, thereby degrading cybersecurity, and make it more difficult for local companies to access and use these services. This only increases overall cyber risk.
4. Disadvantaging Network Defenders
- Localization requirements and data transfer restrictions impede visibility into cyberthreats. Threat detection and response are impeded if network defenders cannot share cyber threat indicators collected in one country internationally. In contrast, the ability to transfer data across transnational digital networks helps improve detection and response because it allows cybersecurity tools to monitor traffic patterns, identify anomalies, and respond to threats in ways that depend on real-time, cross-border access to data.
What’s the path forward?
BSA recommends that policymakers promote the transfer of data, with risk-based protections, in ways that simultaneously create environments conducive to the development of innovative and competitive companies and improve cybersecurity by allowing organizations to select the technology providers that best meet their operational needs and provide state-of-the-art cybersecurity protections.
When governments use cybersecurity to justify protectionism, they undermine laws and policies that are truly designed to improve cybersecurity, as BSA noted in our 2023 Global Cyber Agenda.

 
																															