Proposed EU Cybersecurity Product Certification Scheme Has Global Effects
19.7.18 securityweek Cyber
The European Union is active in passing cybersecurity legislation that is ostensibly for the European Union but has worldwide ramifications. The General Data Protection Regulation (GDPR) and the Payment Services Directive 2 (PSD2) are recent examples. Globally, the effect is similar to that of California within the U.S.: the respective markets are so important that vendors tend to comply across the board.
There is more coming from the EU: the proposed Cybersecurity Act (9350/18). On July 10, the proposal passed one of the major hurdles for new legislation when it was approved by the European Parliament's Industry Committee by 55 votes to five with one abstention. The key features of the proposal are to give more authority, budget and responsibility to the European Union Agency for Network and Information Security (ENISA); and to develop "European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity of ICT processes, products and services in the Union."
The likelihood of the proposal proceeding to binding legislation can be gauged by the Industry Committee's reaction: it seeks to strengthen the proposal by making the certification mandatory for the critical infrastructure industries (the original proposal does not require certification, suggesting it should be voluntary). At this stage we do not know the details of the final outcome, but we can be fairly certain that there will be a new unified European certification scheme designed, developed and operated by ENISA.
The scope of the certification scheme is wide. Title III, paragraph 2 of the Act states, "The European cybersecurity certification framework defines a mechanism to establish European cybersecurity certification schemes and to attest that the ICT processes, products and services that have been evaluated in accordance with such schemes comply with specified security requirements with the aim to protect the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, and services throughout their life cycle." It covers both traditional computer devices and the connected devices that comprise the Internet of Things (IoT).
The intention seems to be for ENISA to develop three levels of product assurance: basic, substantial and high.
The Cybersecurity Act generates mixed feelings, especially among non-EU companies operating in or trading with Europe. There have been, and still are, many different security product certification schemes worldwide, and some feel that this will be just another burden placed on device manufacturers. Ilia Kolochenko, CEO of High-Tech Bridge, is unsure of the need for a new scheme.
"Based on the information currently available about the ENISA certification," he told SecurityWeek, "I cannot see any substantially new or significantly better approach to cybersecurity or privacy compared to numerous already existing certifications, regulations or international standards such as ISO 27001."
The danger in new, locally based requirements is that they can further balkanize any attempts at global harmonization -- and given current global political and economic tensions, the result could do more harm than good. "In light of the escalating tariff war between the US and Europe," Kolochenko continued, "further segmentation of cybersecurity certifications and accreditations will inevitably bring more confusion and add unnecessary complexity -- let alone Russia or China with their own rules of the game. Different communities of experts will compete to make their standard slightly better, instead of joining their efforts to bring a unified global set of simple but efficient rules."
In August 2017, the IOT Cybersecurity Coalition wrote to the European Commission offering advice and voicing concerns. For example, it urged the EU to 'leverage existing best practices and global industry-led standards'.
"This avoids burdening multinational enterprises with the requirements of conflicting jurisdictions while facilitating interoperability, compatibility, reliability, and security on a global scale." This is part of the 'regulations inhibit innovation' argument. The Coalition fears that existing voluntary efforts "would be stymied by the slow and unitary nature of the EU standards development process should the EU move forward with mandatory standards, testing, and labelling requirements. Meanwhile, threat actors will continue to innovate unhindered."
Kolochenko touches on this concern. "One should be careful not to overestimate the value of a certification. Certification is merely a beautiful facade, behind which there is a reality. We have seen quite a few breaches of PCI DSS certified merchants and similarly notorious cases." He is concerned that industry will spend more time on ensuring that products they use are correctly certified than on ensuring their digital premises are really secure. "Paper security may undermine practical security," he said.
The Coalition is also concerned about the false sense of security that trust labels can create, particularly when a label may have been issued several years earlier. "Specifically," it says, "we remain concerned that pushing for generic or blanket cybersecurity labelling of IoT products could result in counterproductive technology mandates, new market access barriers, or roadblocks to innovation without necessarily bringing any real security or privacy benefits that could not otherwise be achieved on the basis of already existing instruments."
In February this year, AmCham EU (the American Chamber of Commerce to the European Union, claiming to be the voice of American business in Europe) published its own critique of the Cybersecurity Act. It welcomes the plan to convert ENISA into a permanent EU cybersecurity agency with greater power and resources, but urges the agency to strengthen its collaboration with industry "in an inclusive and transparent way."
AmCham has major reservations over the effect of certification on industry. "The framework should be voluntary and market-driven in nature as companies should be able to develop the security system features best for their unique risk situation... The proposal should also take into account the possibility of self-declaration."
Kolochenko doesn't think this is likely -- or, if it is initially possible, that it will necessarily remain so. "Of course, it’s a question of how the certification will be used and where it will be mandatory, but one may reasonably assume that European governmental entities and some companies will require it -- and prefer it to NIST or any foreign standards that have existed for more than a decade."
Transparency -- or its lack -- is as much a concern for AmCham as it is for the IOT Cybersecurity Coalition. "The proposed process lacks provisions for adequate transparency and openness, and is ultimately not reflecting the provisions and best practices under the WTO Agreement on Technical Barriers to Trade."
Some concerns seem to have been met. "The limitation of the applicability of certifications to a maximum of three years under Article 48.6 is particularly problematic," says AmCham. The current draft proposal has struck out "a maximum period of three years" and replaced it with "the period defined by the particular certification scheme". Nevertheless, this concern links back to the 'false sense of security' concern: a product may have been in compliance when it was tested, but how can you guarantee it is still in compliance, or not vulnerable to a newly discovered zero-day vulnerability today?
Indeed, this raises a further legal or at least moral complication. If a product fails to meet its description, there is potential for legal action against the manufacturer. But if a product has been 'guaranteed' by ENISA certification and still fails, who is liable: the manufacturer, ENISA or the European Commission?
It would be wrong, however, to suggest that the proposed certifications are completely without support. "I welcome any initiative to increase the security and assurance of ICT products," comments Ed Williams, director EMEA of SpiderLabs at Trustwave; "given the current climate this legislation is welcome... ICT products can be difficult and complex: ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do -- secure by design is a must in 18 and moving forward. I, for one," he added, "hope that this certification framework is successful in raising what is currently a low bar. Good luck!"