EU Cybersecurity Act: The Tough Part Is Yet To Come! (M13c)
The legislative process for the EU Cybersecurity Act is about to close, and this is an important starting point for bringing structure into markets in terms of security regulation. However, the tough part is yet to come. Conformity assessment traditionally relies on static criteria, because physical laws do not change over time: one kilogram is still one kilogram after a certificate has been issued. In the security world this is different: a certificate only says that "to the best of the current knowledge about attacks at the point in time when the certificate is issued, the item under assessment is secure", i.e. a new attack discovered the next day can render the certificate absurd. A traditional checklist approach will not help.
This talk discusses the multiple challenges that industry, conformity assessment bodies, national agencies, society, regulators, and consumers are facing. For many sectors and domains, the security requirements are unclear because experts and standards are missing; therefore certification alone, even if enforced, will not immediately help if the criteria are not clear. Many certification schemes exist, each addressing a different flavor of the problem. Some focus on products, others on services, others on processes, companies or professionals, or a combination of those. No single scheme can handle everything, so in the end we need to live with several different schemes, or even accept new ones on top of the existing ones. Composition of certificates (e.g. from one hardware component up to the entire car) makes the situation even more complicated. The question is: how can we adapt, use and combine existing schemes in a smart, practical way that properly addresses the characteristics of the digital, hyperconnected world? As everything is connected, everything is in flux: agile, with life-cycles ranging from short to long. Products are updated regularly and need to cope with a large and changing variety of attacks. If certification schemes, and the way we agree on security standards, do not become very agile and adaptive, we will fail at what we are trying to achieve: making the digital world more secure. In this context, market surveillance is becoming more and more crucial, as the integrity of the supply chain is key to ensuring that what has been certified is also what is delivered. If this already fails at the start of the supply chain (e.g. at a semiconductor chip), then products that integrate the malicious chip contain potential backdoors for attackers, as was claimed in a recent publication*. Sample checks in the supply chain are common practice for medicines and food delivery. But checking whether a semiconductor chip randomly picked from a delivery is identical to the one that was examined by a conformity assessment body can be very challenging, especially if the differences lie in the configuration settings or the embedded firmware.