Aligning certification schemes for improved cybersecurity
Olivier Van Nieuwenhuyze, Chair of the GlobalPlatform Security Task Force
There is no denying that we rely heavily on smart connected devices. We use these devices to manage our professional, private and financial lives and to support operations across offices, factories, cities, cars and many other environments. Not only do these devices store huge amounts of code and data, but we also use them in new ways, counting on them to provide capabilities far beyond their original core functionality. This rapid evolution of technology and connectivity creates significant and numerous challenges for the cybersecurity industry.
To address these challenges, security industry stakeholders have collaborated over many years on a number of initiatives, including:
• Working to map and define the threat landscape that devices and services need to be protected against.
• Aligning around a common approach to security levels which meet the needs of different implementations, vertical markets and business models.
• Standardizing security technologies and techniques which align with these security levels and market requirements.
• Establishing certification and labeling programs for vendors to demonstrate the security and robustness of their products.
• Fostering close collaboration and alignment between industry bodies on standardization initiatives and certification programs.
• Optimizing the certification process to drive time and cost efficiencies by ensuring mutual recognition of certificates across different countries, regions and industries.
While each scheme has its own scope and value, both to the greater ecosystem and to their respective stakeholders, it is imperative that each scheme’s security levels align with other schemes. For the most part, collaboration between organizations, within and across industries, has resulted in broad alignment around security standards and robustness levels.
Though terminology differs slightly from one organization to the next, generally speaking, each framework or standard characterizes security robustness levels as high, enhanced/substantial, and basic – and the robustness of each level translates from one body to the next.
This alignment is under threat, however, because of new certification standards proposed by the European Union.
The Cybersecurity Act and the problem of misalignment
In response to the growing threat landscape, the European Union has also sought to create cybersecurity certification standards. The European Parliament and Council adopted the Cybersecurity Act (CSA, Regulation (EU) 2019/881) in 2019. The Cybersecurity Act also strengthens the EU Agency for Cybersecurity (ENISA), granting the agency a permanent mandate and tasking it with developing and maintaining the European cybersecurity certification framework and the schemes under it.
On 1 July 2020, ENISA delivered the first candidate certification scheme, the Common Criteria-based European cybersecurity certification scheme (EUCC), to the European Commission. Put very simply, the framework achieves the CSA's aims by offering security assurance levels which inform users of the cybersecurity risk of a product. The CSA designates three levels: basic, substantial, and high. These three levels are intended to be commensurate with the level of risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. A high assurance level would mean that the certified product passed the most rigorous security evaluation. The EUCC, however, only describes substantial and high, as the requirements for a basic-level certification are minimal.
The EU should be commended for its proactive response to today's threat landscape and the increasingly complex relationship between technology, security, commerce, and data. Not only do stringent certification standards benefit corporates and consumers, but they also increase confidence in the technology and its application. When applied globally and recognized across borders, standards reduce disparities and fragmentation, promoting trade and economic development.
Better alignment for more robust security
There are challenges with the approach laid out by ENISA, however, that may create confusion in the marketplace and ultimately undermine the aims of the CSA.
Though the CSA seeks to provide stakeholders and European citizens with a method for clearly identifying and evaluating the security of their products, implementation of the EUCC scheme, as proposed by ENISA, may in fact introduce additional confusion.
Let me explain.
Citizens need clarity and confidence to adopt technology. If a device is certified at the highest level of security, that achievement should clearly equate to the robustness of the device’s security and the functionality it can therefore support.
The EUCC has potentially introduced confusion in how it has established its security levels. According to the EUCC's current framework, only public schemes operated by national bodies can certify that an applicant meets the highest level of cybersecurity. The consequence is that certifications from established industry security certification schemes, such as those advanced by GlobalPlatform and other industry organizations, which represent today's best practices for cybersecurity across many different industries, can only be recognized as substantial under the EUCC, regardless of the robustness they actually demonstrate.
This approach conflates robustness with assurance: it signals to end users that the entity that certified the device matters more than the robustness of the device's security.
The CSA's framework will therefore not necessarily reflect the security reality. ENISA's framework disrupts a market already governed by a security mindset that weighs robustness more heavily than assurance, and it adds unnecessary complexity to the ecosystem.
Furthermore, initiatives like this should also decrease fragmentation, rather than foster it. Defining differing regulatory approaches by country or region is not productive and does not effectively communicate to consumers the robustness of the security certification, particularly in cases where device makers want to develop and launch products to be deployed globally. The EU should align with the U.S. and both Europe and North America must align with other markets like China to provide device makers with a global view of cybersecurity standard requirements.
Better alignment for reduced fragmentation
The implementation of the CSA by ENISA using the proposed EUCC scheme will result in misalignment and confusion. For a time, only security experts will be able to differentiate between the security robustness and the assurance offered by the EUCC. We will need to live with this reality for a while, and it may not be pleasant. End users expect and rely on the fact that devices meet the requirements for high or substantial security. If the robustness of the security does not meet the expectation of the consumer, brands may be exposed and damaged, and end users will not have accurate information to make educated choices.
The EU CSA, ENISA and the EUCC have a fundamental role to play in the future of cybersecurity on both the European and global stages. Alignment with existing cybersecurity initiatives and security levels will help the ecosystem to demonstrate the capabilities of products, foster confidence and adoption, and provide greater end-to-end security, privacy, simplicity and convenience for everyone.
If the EU's true aim is to enhance cybersecurity, the misalignment created by ENISA's adoption of the EUCC as it stands can be rectified. This requires collaboration and alignment between private and public certification bodies and schemes, and more emphasis on soliciting input from the industry through organizations like the Stakeholder Cybersecurity Certification Group (SCCG). The goal of this collaboration must be a cybersecurity certification scheme that is transparent, aligned with industry and, ultimately, accessible to the end user. Fragmentation increases time to market and costs that will ultimately be passed on to the end user.