Certification is currently a key question of strategic cybersecurity and privacy policy.
The European Union is going through an overhaul of its privacy and cybersecurity regulatory frameworks, and new regulations appear with remarkable frequency. To mention just a few: the NIS Directive (a "common level of network and information security"), the General Data Protection Regulation (GDPR; data privacy), the ePrivacy Regulation (data privacy in electronic communication: 1, 2), and the Cybersecurity Act. Here we'll focus only on certification and its potential impact on the health of systems, networks, the internet and social interactions (sometimes called cyberspace).
Product certifications are nothing new.
A certification can be understood as a seal stating that "something" or "someone" meets some specific "objectives" or requirements, usually qualitative traits. In the case of privacy and cybersecurity of systems and products, certification is usually mentioned in relation to the level of compliance, or the standards, that a product or system achieves. This should not be confused with standardization, which defines the behaviour of distinct systems conforming to a common (standard) set of rules. One can (and should) have security or privacy built into standards themselves; that is the most efficient approach, but it is a different thing from certification.
The gut feeling, or the popular impression, is that certified products are held to a higher standard than products with no certification. This may not always be the case, but we won't discuss that today. **Certificates shouldn't be understood as guaranteeing 100% security** (or privacy). That notion is incorrect. Certificates bring value, but they are about meeting objectives at a given point in time. For example, a certified product can state that it implements something in line with current best practices, or merely that some functionality is included at all.
GDPR and Cybersecurity Act
In GDPR, data protection certificates, seals and marks are established to demonstrate "compliance". They are voluntary. In the Cybersecurity Act, certificates are designed for ICT products and services, and are meant to demonstrate that a certain "level of assurance is guaranteed" in relation to "availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, processes, services and systems".
The Cybersecurity Act establishes a common European cybersecurity certification framework. This means that national schemes covered by a European scheme will cease to have effect. The regulation introduces assurance levels: basic, substantial and/or high. The general perception among consumers or managers would be that products certified to "high" standards are better than those certified to "basic" standards, which in turn are better than products certified to "no standards". Right? In practice it isn't so simple.
Example use for certificates
So why would a business be interested in certification? Let's show this with a fictional example. BrushBrosPro (BBP) has a revolutionary product: an IoT toothbrush that uploads users' brushing patterns to the cloud, where one can share performance with friends. In the first release blockchain technology is not used, but BBP still wants to include some icons on the product box. So the managers decide to certify the product and argue that it carries a "CyberSecure Turbo+" label, issued by the esteemed CyberSecurity & Friends trusted authority. BrushBrosPro would then expect to win more trust for its product than, say, the competition with a mere "CyberSec Basic" certification. After all, BBP's product went through a more stringent certification scheme, so it must be more secure. For example, it might even have a working authentication system, while the competing product certified at "CyberSec Basic" might not need to include one at all at that lower level.
Useful, but limited
As I said, certifications may be helpful tools: on the one hand they help in meeting some objectives, and on the other a trusted authority vouches that a particular objective has been met. This is helpful in the sense that it allows companies to argue that their products are secure. But as the example above shows, it does not mean that the products are actually 100% secure. All that is said is that some objectives are met. There is value in certification schemes, but one should not put total faith in them. Still, they are useful tools.
The ridiculous example above also highlights that writing three certification levels directly into a regulation might be a risky idea, especially if at the same time the Cybersecurity Act says that different levels may be used. The best approach would be to correct this during the work at the European Parliament.
Voluntary certification or strategic thinking
Cybersecurity certificates are also, as currently proposed, voluntary: certification "should remain voluntary, unless otherwise provided in Union or national legislation". As in GDPR, there is no requirement to obtain a certificate. Some observers may point out that the likely explanation is a lack of desire to introduce an additional and unnecessary burden on industry. After all, isn't it about the freedom to conduct business as one chooses?
This reasoning has its logic, but its main motivation isn't making European cyberspace (understood as a whole, strategically) more secure. At the scale of a single product this may be fine. The situation changes when you expand the scale. As we've recently seen, certain products or concepts pose a serious threat to infrastructures, even on the scale of the Internet. A good example comes from the Internet of Things realm, admittedly too often built with NoSecurity by Design. Products conforming to this paradigm ended up as part of a 600,000-device botnet with the power of a 1 Tbps DDoS, all thanks to the Mirai worm. Another example is the recent massive ransomware campaigns, although the background of those two events was different.
NoSecurity and NoPrivacy as a business strategy
It might be challenging to argue that certification would have changed anything in the two examples above. It would make some simple abuses more difficult to pull off. But in general there are no numbers available for an informed comparison between the security quality of certified and non-certified products. On the other hand, it is difficult to argue that regulators hold the only lever for improvement. Yet adopting that mindset implies some form of mandatory requirements (an incentive) for the security of systems. There will be a lot of skepticism. Even the United Kingdom's Intelligence and Security Committee of Parliament Annual Report (2016–2017) acknowledges that some companies simply side-step security and privacy protection: "people are producing very cheap devices where they don't want to spend time and money on security".
Can this be understood as a deliberate business strategy in order to get to market as soon as possible?
This complex problem touches a number of spheres. But if the common denominator is the resilience of the information society at scale, we are having a different cost/benefit discussion than when speaking about single products. How to tackle this problem at scale? One way could indeed be introducing some form of mandatory requirements for systems security. Or privacy, for that matter. Some recent cases highlight the risk of massive leaks of private data due to simple bugs (CloudPets). Would you say this has something to do with a lack of incentive to design products with privacy in mind? Or with the incentive to ship the product as soon as possible at the expense of the future security and privacy of customers? This is where mandatory certification could be useful.
Meltdown & Spectre
On the other hand, let's take Meltdown & Spectre, the new CPU-level security risks that affect nearly all modern processors. This is an example where certificates change next to nothing at the core, for very specific reasons:
- a limited number of product types (CPUs)
- a small (few) number of vendors
- the common microarchitectural designs, and so on.
However, one place where certificates could potentially play a role is in driving the adoption of fixes, by requiring mitigations to be put in place: software updates or hardware updates (once available). Spectre & Meltdown is also a possible example of the motivation that security certifications could create for the end users of CPUs, especially if a product must have the appropriate update installed or included in order to remain certified, regardless of the possible performance slowdown. In that practical-theoretical example (and in an ideal-certificate-world setting!), certificates would leave no choice between performance and security, because they would favour security.
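What such a "keep the mitigation installed to stay certified" clause would require is a repeatable check of mitigation status. The following is an added example, not part of the original post. It reads the Linux kernel's sysfs interface (/sys/devices/system/cpu/vulnerabilities/, one file per issue, each containing a line that starts with "Not affected", "Mitigation:", "Vulnerable" or "Unknown") and fails the audit when any required issue is not mitigated. The required set, the sample statuses and the pass/fail policy are assumptions made for illustration; on a non-Linux machine the live read returns nothing and the constructed samples are used instead. A caveat a practitioner should keep in mind: sysfs reports what the kernel knows about its own mitigations, so it does not by itself prove that microcode or a hypervisor has been updated.

```python
"""Audit Linux CPU-vulnerability mitigation status via sysfs (added example)."""
from __future__ import annotations

from pathlib import Path

# Real kernel interface: one file per issue, e.g. .../vulnerabilities/meltdown
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> str:
    """Map one sysfs status line to a coarse verdict.

    The kernel writes one of a few prefixes: "Not affected", "Mitigation: <name>",
    "Vulnerable" (optionally "Vulnerable: <detail>"), or "Unknown".
    Only the prefix is inspected, so detail text after the colon is ignored.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(statuses: dict[str, str], required: set[str]) -> dict:
    """Check every required issue; an issue passes only if it is mitigated or
    reported as not affected. Missing or unknown entries fail (fail closed)."""
    failing: dict[str, tuple[str, str | None]] = {}
    for name in sorted(required):
        raw = statuses.get(name)
        verdict = classify(raw) if raw is not None else "missing"
        if verdict not in ("not_affected", "mitigated"):
            failing[name] = (verdict, raw)
    return {"passed": not failing, "failing": failing, "checked": sorted(required)}


def read_sysfs(path: Path = SYSFS_DIR) -> dict[str, str]:
    """Read all entries from sysfs; returns {} when the directory is absent
    (non-Linux host, or a kernel too old to expose it)."""
    if not path.is_dir():
        return {}
    return {p.name: p.read_text(errors="replace").strip()
            for p in path.iterdir() if p.is_file()}


# Constructed sample statuses (assumption: what a patched and an unpatched
# host might report; the exact detail strings vary by kernel version).
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional; IBRS_FW; STIBP: conditional",
    "l1tf": "Not affected",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only",
    "spectre_v2": "Vulnerable",
}
# Assumption: the issues a hypothetical certification clause would insist on.
REQUIRED = {"meltdown", "spectre_v1", "spectre_v2"}


if __name__ == "__main__":
    live = read_sysfs()
    source = "live sysfs" if live else "constructed sample (unpatched)"
    report = audit(live or SAMPLE_UNPATCHED, REQUIRED)
    print(f"source: {source}")
    for name, (verdict, raw) in report["failing"].items():
        print(f"  FAIL {name}: {verdict} ({raw!r})")
    print("audit:", "PASS" if report["passed"] else "FAIL")
```

The verdict is deliberately coarse: a certification check needs a yes/no answer per issue, and the detail after "Mitigation:" (which mitigation, whether IBPB is conditional) is better recorded as evidence than interpreted by the gate itself.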
Way forward for certification
Let's boil down the options around certificates to three simple points:
- No mandatory certification. Rely on industry self-regulation and voluntary certification schemes. This is mostly what we have now.
- Some form of mandatory requirements.
- An evolving transition to a form of mandatory requirements (with a path of different incentives), from no mandatory certification to mandatory certification.
To date, no regulation in the world has introduced universal mandatory cybersecurity certification. Some forms of certification are, however, often required of products with specific applications, for example in sectors like finance, government or critical infrastructure. But isolated examples are not what scale is about.
In the case of cybersecurity products there are no universal requirements of this kind as of now (there sometimes are in certain sectors). While I often dislike analogies, emission standards might be a good example: demanding standards are a common scheme in the automotive industry. In this manner, software and systems could at some point reach similar basic requirements (but please don't mention basic stuff like "accounts cannot be used without a password").
Certifications as a prerequisite to market entry?
One could then even reason that at some point any cybersecurity or data privacy certification framework might become a prerequisite for market entry. In this way a voluntary certification scheme would effectively transition into a mandatory one. But the current regulatory landscape in Europe places the motivation elsewhere: in the high fines of GDPR and ePrivacy (much less so in implementations of the NIS Directive), and in no form of mandatory certification in the European Cybersecurity Act (though certification may be used to voluntarily demonstrate compliance with the NIS Directive). Indeed, it might look as if European data privacy regulation will be guiding the path to building cybersecurity in Europe. But this kind of guidance cannot address some of the graver (existential) cybersecurity risks and cannot be understood as a strategic approach.
The regulatory process for incentivizing a higher level of cybersecurity is rather slow, and it is impossible to predict what events will happen in the meantime.
On the other hand, there are more and more voices saying that industry incentives aren't adequate either.
Are regulators comfortable taking this strategic risk? We should be having this discussion now, while GDPR, ePrivacy and the European Cybersecurity Act are being debated.