EU Cybersecurity Certification: a Missed Opportunity

It’s no secret that IoT security is woefully inadequate and that self-regulation isn’t working. Last year, a Ponemon Institute study found that 80% of IoT apps had security vulnerabilities, while a separate study by Gemalto found 90% of consumers and 96% of businesses lacked confidence in IoT security and wanted to see stronger regulation. 

Recognizing this, and that the combination of digitization and connectivity has “led to increased cybersecurity risks”, the EU proposed the EU Cybersecurity Act on 29 May in a bid to protect the “digital products, services and devices used by citizens, governments and devices”.

The legislation will see the European Union Agency for Network and Information Security (ENISA) become the permanent EU agency for cybersecurity, and will create a framework for certifying connected cars and smart products across all EU member states.

Three tier system
As a single certification body, ENISA will oversee the application of a uniform classification method comprising three levels: ‘basic’, ‘substantial’ and ‘high’. Each successive level will refer to technical specifications, standards and procedures currently used to mitigate cybersecurity incidents.

The aim is to instill greater confidence in the IoT and to reduce the fragmentation that makes it hard for manufacturers to compete across geographic boundaries, which in turn restricts consumer choice.

This all sounds great up until the point where we find the framework is “voluntary unless otherwise specified in EU law or the member states’ law”. In other words, it is only legally enforceable where it is tied to the contravention of other laws, e.g. GDPR, or where IoT devices are used in essential services such as Critical National Infrastructure.

When it comes to commercial or consumer applications of the IoT, take-up may well remain piecemeal. The hope is that the accolade of accreditation will spur adoption, but manufacturers are of course unlikely to pay for this level of independent verification, particularly given the price-sensitive nature of consumer kit. In a bid to entice them into the certification program, those going for the ‘basic’ level can “carry out conformity tests themselves” for products and services which “present a low risk for the public interest”.

Just how you establish that risk is perplexing. Even a basic smart home product can pose a substantial risk to user data, for example through leakage of the data it collects or exposure of the Wi-Fi pre-shared key (PSK) it stores, which gives an attacker a foothold on the home network rather than just the device.

The worry is that the EU Cybersecurity Act could become yet another example of toothless regulation. Granted, the documentation states that ENISA will have the power to “issue warnings targeting providers and manufacturers to improve the security, including cybersecurity of their products”, but there is no mention of how this will be enforced. Presumably some of those warnings will fall on deaf ears.

Too accommodating?
Clearly, the legislation wishes to preserve commercial interests, but this may well be at the expense of the user. Much like other attempts to regulate the IoT, this proposal seems more concerned with protecting the IoT market, which continues to be regarded as a nascent industry, than with protecting the people who use its products.

Reference is made to manufacturers being able “to certify their products and services in several Member States” and to the need to help “reduce costs for undertakings [associated with] operating in the digital single market” in order to boost the sector. But does the sector really need this level of coddling?

If we look at the Secure by Design framework drafted by the UK’s Department for Digital, Culture, Media and Sport earlier this year, the foundations are there for some effective legislation. Voluntary codes of practice like these should be backed by existing legislation so that they can be enforced. For example, GDPR is very relevant to many aspects of IoT security, although applying it would require a data privacy regulator to take action.

What is interesting is that the EU Cybersecurity Act makes provision for National Cybersecurity Certification Authorities to handle complaints. Investigations must be proportionate to the seriousness of the complaint, and the person lodging it must be kept informed of the progress and outcome within a reasonable period.

These authorities must also cooperate across borders with their counterparts concerning “possible non-compliance of ICT products and services”, which bodes well for both lobby groups and security researchers keen to ensure that disclosures are acknowledged and acted upon.

In this respect, and in its attempt to introduce a three-tier security framework that consumers can understand, the EU cybersecurity certification proposal is to be applauded.

But the concern is that it doesn’t go far enough: by charging ENISA with implementing a voluntary scheme, the legislation casts the agency as a facilitator rather than an enforcer, making it almost impossible to create any real change for the better. Until user privacy and security come first, the IoT will continue to be insecure and is likely to remain a prime target.