EU cybersecurity debate generates agreements but more questions

tdloffice General

On 22nd May, Trust in Digital Life and New Europe co-hosted a half-day roundtable event at the Press Club Brussels, which brought together representatives from the European Institutions, academia and industry to discuss issues surrounding the security assessment area. The EU Cybersecurity Act, currently under discussion at the European Parliament and the Council of the EU, is generating considerable debate on risk analysis, best practices, certification frameworks, self-assessment techniques, and other challenges the EU needs to address to create a safer computing ecosystem for its citizens.

Opened by TDL Chairman Amardeo Sarma and moderated by Riccardo Masucci (Intel), the event featured a keynote by Peter Kouroumbashev MEP and interventions by Dr. Ludmila Georgieva (Permanent Representation of Austria to the EU), Aristotelis Tzafalias (European Commission), Aidan Ryan (ENISA), Professor Bart Preneel (KU Leuven), Professor Tanja Lange (TU Eindhoven), Olaf Tettero (Brightsight), Corinna Schulze (SAP) and Dr. Claire Vishik (Intel). New Europe Editor, Alexandros Koronakis, closed the event.

Kourombashev outlined the main contents of his amendments tabled in the ITRE Committee: a much stronger and independent ENISA, that would report on a regular basis to the leadership of the European Institutions and would play a key coordinating function in developing cooperation among the Member States – which today is inadequate – and in the cross-border harmonisation of certification schemes.

In Kourombashev’s view, ENISA should become responsible for the blueprint of future cooperation and capacity-building in Member States, threat information analysis, and for the organisation of the response to large scale incidents. He also envisaged a new permanent stakeholder certification group comprising representatives from industry and academia replacing ad hoc groups on certification, but with the ability to invite ad hoc members for specific verticals such as industrial applications, or IoT.

Fragmentation of security assessments in the EU: There was a general recognition that the current fragmentation across Europe is an issue, exacerbated by the seeming incompatibility of having a legal framework that sees national security as a Member State responsibility while acknowledging that cross-border co-operation is vital. Everyone agreed that ENISA, with its proven expertise, needs to have a permanent mandate, with the caveat that there will continue to be a reliance on Member States in areas pertaining to national security.

Risk-Based Approach: There was interest in a risk-based approach to certification, with different efforts and costs going into different security levels, although capturing those requirements from a legislative perspective will be difficult. Once the underlying principles are defined, ENISA should bring together the appropriate stakeholders to reach a conclusion.

Evaluation: Much was made of the anomalies associated with certification without adequate verification processes. Emphasis on certification does not ensure security per se, but demonstrate that certain requirements were fulfilled. Efforts to enhance the use of verification mechanisms in design processes, including test automation and self-assessment practices, should be continued and extended.

Inclusion of process-based assessments: There are also challenges and liabilities ahead with emerging technologies, especially in complex, fast moving environments like cloud and IoT.  Certifications like Common Criteria do not have scalability, agility and economic viability and therefore are not universally applicable. It is vital to add process-based certification as an option and to ensure the use of best practices throughout the whole lifecycle.

Composition of security, privacy and safety risks: The importance of risk composition was stressed multiple times during the debate, recognizing the complexity of computing, communications, cyber physical systems as well as the importance of connecting (and protecting) those with other domains and systems, from light bulbs to cars to nuclear facilities.  It will be increasingly important to look at security dependencies in the context of safety, privacy and resilience.

Voluntary nature of certification schemes: Kourombashev highlighted that a mandatory EU framework may create imbalances in the market and a voluntary approach should be followed. On this point, however, political groups in the EP are split and some would mandate certification for high risk products and systems.

Questions about key issues, that will have a serious impact on the trustworthiness and safety of products, services and processes, remain open and we expect the debate to heat up in the coming weeks. However, there was an overall sentiment of optimism about the lawmaking process in the EU Institutions (the Parliament, Council and Commission could start trilogues right after summer) as well as about the direction Europe is taking that could be a valuable template for best practices globally.