The arrival of the CyberSecurity Act (CSA) comes as a wind of change: a European Cybersecurity Certification Framework could be of help for SMEs and bigger companies alike. CSA’s vision is that any market player could opt to certify their product or service in a way that can be accepted in the same way across the EU.
In Cybersecurity Breakfast #48, Alex Leadbeater, Head Global Obligations Futures and Standards at BT & Chair of TC Cyber at ETSI (UK) gave a keynote speech on ‘Raising the bar through CSA and wider EU certification’.
Information security practices vary widely depending on budgets and perceptions. SMEs, with their relatively small budgets, are particularly affected: there is no baseline of practices to measure themselves against, there are few or no guidelines, and they are seldom aware of the full spectrum of their cybersecurity risks.
Various countries and organisations in the EU and abroad have for years been working towards standardising information security practices, but most results remain either sector- or country-specific, or are so generic that they are hard to apply.
Making CSA work depends not only on building an EU ecosystem to recognise it, but also on having standard "good practices", or information security baselines, that can be easily understood, applied and verified. In this presentation, Alex Leadbeater discusses not only the challenges of making CSA work, but also the opportunities that lie ahead for SMEs. In the end, boosting trust in how cybersecurity risks are managed depends on providers, authorities and consumers alike.
What are we trying to achieve through cybersecurity certification?
Alex Leadbeater says "we must consider measuring it in terms of the benefits for the end-users and society. The aim is to raise the bar". And he adds, "the landscape in Europe is fairly complicated. We must avoid introducing barriers to market entry. We must allow security and innovation".
In his presentation, Alex Leadbeater uses a concrete example: ETSI's work on IoT security, which aims to set a manageable baseline standard.
A survey conducted by the IoT Security Foundation, published on 17 March 2020, asked the following question: "how many manufacturers globally have a vulnerability report system?". Only 13% of them answered positively. For the remaining 87%, there is no way of letting somebody know that something is wrong with the product.
ETSI introduced EN 303 645 "Cyber Security for Consumer Internet of Things: Baseline Requirements", which brings together technical and organisational measures that are widely considered good practice. Among its provisions are the requirement that manufacturers implement a means to manage reports of vulnerabilities (the very gap the survey exposed), the ban on universal default passwords and the requirement to keep software updated.
The objective is to better protect consumers and other users of connected "smart" products.
The keynote session was followed by a round table discussion with the following participants:
Gabriela Gheorghe, PhD - Cybersecurity Specialist at SECURITYMADEIN.LU/CASES
Carlo Harpes, Managing Director, itrust consulting s.àr.l.
Stefan Schiffner, Research Associate, SECAN-Lab, UNI.LU
Yves Gheeraert, Director Benelux, France & Southern Europe, Blancco (F)
Alex Leadbeater, Head Global Obligations Futures and Standards at BT; Chair of TC Cyber at ETSI (UK)
In this discussion, they debated how certification (specifically under CSA) will improve the current information security baseline: what the advantages are, which key points to take into account, and where the limitations lie.
When asked about the status of CSA, Gabriela Gheorghe explains that there is a lot of work to do. CSA came into force in 2019, and further articles became applicable this summer. "We haven't seen a lot of countries in Europe that would implement directly any of the schemes that were proposed by ENISA. Different countries are trying to set up the ecosystem around the CSA basic actors, in the sense that national cybersecurity authorities are in the process of being designated", she explains.
“There is a lot of work to be done on the consumer side as well. Security requires awareness. Whenever consumers buy something, they should take a look at what is inside”, she continues.
It is, however, rather difficult for users to understand what a good certification is.
Carlo Harpes gives the following definition of certification: “certification is a process where some competent people that are independent and have no direct interest verify that these criteria are met. This gives trust in the overall product because it is not done by the manufacturer itself but by some independent and competent people. And these people need to act under a national control. In each country, there is a body in charge of making sure that the labs do a correct job - (ILNAS, in Luxembourg)”.
Yves Gheeraert uses the example of how his company, Blancco, which specialises in data erasure, works with certification. "Data erasure is a niche within data security. When we started our business 20 years ago, we had a plan to get our solutions certified in every country in which we were active", he says. He explains that it was first of all a kind of marketing tool, a way to communicate and to create awareness around data erasure.
Blancco has been certifying its products at different levels.
"Blancco is now looking forward to how the CSA will be implemented in order to make sure that at pan-European level, everybody is at the same level. And what we should achieve is that this European level is high, so we make sure to raise the level of everybody", he says.
Carlo Harpes asks the following key question: what should these criteria be? What is the level that is achievable? To answer this question, "we need a collaboration between the manufacturer's, consumer's and certification body's criteria".
Stefan Schiffner explains that the NIS Directive and the GDPR both call for "state-of-the-art" protection, but neither defines what state-of-the-art protection is. What one does find defined is technology readiness, and the two terms are widely conflated. The current effort is to add a quality level to technology readiness, in order to judge whether a product keeps fulfilling the requirements over time, and to decide how to handle products that have become "senile" (outdated).
Carlo Harpes also adds that nobody is interested in having a certified product that was secure yesterday. We want it to be secure during its entire lifecycle. That is something that was forgotten in the old certification scheme, which focused too much on deeply analysing today’s technologies but not being flexible enough to adapt to future evolutions of the product.
Another key question he raises is how the different actors coordinate in order to reach a consensus and work transparently.
Alex Leadbeater supports Carlo Harpes' words by explaining that any product declared secure today by any test lab is likely to be less secure tomorrow, and even less secure the day after, if future developments are not anticipated.
"The interesting thing for standardisation bodies, in terms of how we collaborate and how we write the schemes, is how we deal with future proofing, the recertification", he says.
CSA is intended to have a large impact across the IT landscape and to raise the bar across a large number of sectors. “In principle, it is the vehicle through which cybersecurity regulation will be improved considerably. We will see a large number of products being certified. Therefore, products made in Europe will be more secure”, he comments.
How the consumer understands it is another interesting question. However, Stefan Schiffner insists that we must not burden the end-consumer with enforcing such certification. Consumers do not understand certificates. Certificates are mainly used by companies in disputes with competitors over what the law or a standard requires, or by consumer protection agencies.
CSA is a slowly rolling-out piece of legislation. The challenge lies in how to handle what is already certified, such as smartphones, which are heavily certified and very well tested; there is no wish to test those again. CSA should certify things that have not yet been certified, and raise the bar there.
Gabriela Gheorghe explains that CSA defines three assurance levels (basic, substantial and high). Carlo Harpes goes on to say that all three levels foreseen by the CSA have a reason to exist and will be used. "However, the music might only play at the 'high' level, because no one will decide to enter a market with only a 'basic' level of security certification", he says. "If it is too expensive to reach it, then we might have a problem, since it may kill innovation. Finding the right balance, and the right levels of collaboration and transparency, will be key to encouraging people to produce more secure products."
“The complexity is very high. In the end, there is this choice between certifying processes, products… The question is: are we really looking at just that or are we looking at the maturity of the organization that is behind?”
"If you prepare a product that can be attacked, you need to prepare for certification. If you don't achieve it, it means you may not succeed with your product. On the one hand, it is a showstopper for potential innovation. On the other hand, it is a chance to prove that your product is really good."
“We need to be quicker in defining criteria and make sure we do not overload the end-consumer with the enforcement.
National enforcement bodies are a good idea since they are closer to the market and the consumers, if they work on the same criteria.”
"Everybody has a role to play: the national agencies, bodies at European level, software vendors like Blancco. Certification is key for products and processes in order to make sure that people use the certified solutions and comply with the norms of the industry.
Communication is also very important to create awareness about the vulnerabilities, the different certifications and the criteria a product has to respond to.
It is a complex thing to do but the positive message is that we are working on a pan-European solution. That is very encouraging for the future.”
“We have to remember that our ability as an individual country to demand on the manufacturer to do things is very small.
What we need is to make sure that there is a common baseline within Europe, and to spread it outside of Europe.
The key point is proportionality. Security needs to be proportional to the threats and risks and the baseline we set needs to be relatively high. We should all agree that all products need to meet baseline and some products need to meet higher levels. We shouldn’t end up with a model where it is good enough that everything meets baseline.”
Alex also underlines the need to work more closely with universities and the people there who are learning the underlying software skills.
Alex concludes: "yes, we can improve security on products, but what we need is to raise the bar of security awareness in all individuals throughout the supply chain and in the development processes, so security is an embedded capability. Consumers and manufacturers have to work together towards fundamentally more secure products, and then certification is the icing on the cake and not the final step where we find out whether or not the product was designed securely".