‘Take a Chance on Me’? Multi-Stakeholder Regulation of National Security Risks from Critical Software Products Deployed on Critical National Infrastructure Assets
Access status: USyd Access
Type: Thesis
Thesis type: Doctor of Philosophy
Author/s: Nayyar, Ravi
Abstract:
Modern life depends on the security of critical software products deployed on critical national infrastructure (‘CNI’) assets. Nonetheless, the state has allowed critical software vendors, mostly for-profit companies, to prioritise their commercial interests over product security. The state has also allowed the for-profit companies that operate most CNI assets to pay insufficient attention to critical software risk management. These suboptimal regulatory settings persist despite deteriorating cyber risk landscapes for CNI assets, critical software products and software supply chains servicing them. To develop options for necessary reform, an interdisciplinary investigation is performed in this thesis. Combining doctrinal and reform-oriented legal research, this features review of expert literature, Australian, American and European supranational regulatory frameworks, and semistructured interviews of 25 domain experts working at the cutting edge of the subject matter of this thesis. On the basis of that investigation, stakeholders, foremost the state as the chief cyber risk manager for the polity, are recommended to deploy a pluralistic smart regulatory approach to manage national security risks from critical software products deployed on CNI assets. The deployment of the recommended smart regulatory approach will be especially enabled by the state’s use of corporate governance regulation as a pre-existing regulatory infrastructure, and its engagement of stakeholders at home and abroad.
Date: 2026
Rights statement: The author retains copyright of this thesis. It may only be used for the purposes of research and study. It must not be used for any other purposes and may not be transmitted or shared with others without prior permission.
Faculty/School: The University of Sydney Business School, Discipline of Accounting, Governance and Regulation
Awarding institution: The University of Sydney