Focus on data protection laws too narrow?

Public sector security is not adequate just by relying on the government to legislate data protection--the private sector also needs to make the necessary investments to protect critical infrastructure.

To look at public sector security holistically, Asian economies need to consider both infrastructure security and data security, Ilias Chantzos, Symantec's government relations director for EMEA (Europe, the Middle East and Africa) and Asia-Pacific and Japan, told ZDNet Asia in a recent interview.

Data protection legislation, he noted, aims at protecting data, not infrastructure. "Some of the aspects of data protection--because data protection solely requires the great security around the data--will have an influence on infrastructure.

"But the primary responsibility of protecting the infrastructure is, I would say, to a degree, outside the data protection framework," he explained.

According to Chantzos, having a proper framework for data protection is also important. Among other reasons, it provides a proper set of requirements for governments to exercise proper governance of data, and allows citizens an understanding of how information about oneself is being used.

"The currency of the modern info age is the data, not the infrastructure, which is again highlighting the point why data protection is important because ultimately, we need data governance," said Chantzos, referring to the problem of growing cybercrime.

Public sector security is mostly adequate in the Asia-Pacific region, although the security profile in each country differs according the level of digitization, said Chantzos. Citing studies, he pointed out that in countries such as the United States, United Kingdom and Singapore, about 80 percent of infrastructure designated critical is owned by the private sector--banking and financial institutions, for instance. This calls for greater cooperation between the public and private sectors.

Data protection and privacy, noted Chantzos, are currently present in countries such Australia and Japan, while Singapore and the Philippines are among those considering such legislation.

However, it is unfair to expect fast-changing and specific laws to address malicious intent in cyberspace, he added.

"It's very difficult for the current system of laws and regulations that we have to follow the pace of technology and to follow the pace of cybercrime. So what we really need is not necessarily...prescriptive laws all the time to address every possible offense; rather, we need a set of framework conditions in which one needs to operate--which would withstand the test of time."

Flexibility also needs to be in place when it comes to rules and regulations governing the use of data, said Chantzos, as attack techniques change constantly. He said Asia has done "quite well", in this aspect, but "the reality is that you can't expect a threat landscape that changes every six months to compare with the speed of a piece of legislation that might need a year to pass".

"But that doesn't mean it's not important to put in place the laws, it just means you need to be sophisticated and intelligent in the way [you define them]," he added.