A New ENISA to Develop New Harmonized European Security Certifications
The EU Cybersecurity Act came into force on June 27, 2019. The temporary European Union Agency for Network and Information Security (ENISA) has been replaced by the permanently mandated European Union Agency for Cybersecurity -- same people, same place, but with a new name, a budget increased from €11 million to €23 million over a period of five years, and staffing levels allowed to rise by 50%.
With additional resources comes additional requirements. Key among these is involvement in a new EU Cybersecurity Certification Framework. "ENISA will have market related tasks," commented the agency's executive director, Udo Helmbrecht, "notably by preparing 'European cybersecurity certification schemes' that will serve as the basis for certification of ICT products, processes and services."
Product certification is a hard nut to crack. It has been attempted many times before at both national and international levels. If requirements are set high, product development costs increase. Prices rise and innovation, especially by new start-ups, is deterred. If requirements are set low, the value of the certification can be questioned. Again, if certification is mandatory, product prices will increase; if it is voluntary, then it is often ignored.
The European intention is for certification to include 'type' (e.g. self-assessment or third-party evaluation), and 'level' (e.g. basic, substantial and/or high). It is also intended to be voluntary -- so 'voluntary basic self-assessment' is currently a very low hurdle. However, the European Commission adds that it "will assess whether a specific European cybersecurity certification scheme should become mandatory through relevant EU legislation to ensure an adequate level of cybersecurity of ICT products, services and processes and improve the functioning of the internal market."
The functioning of the European internal market -- usually referred to in Europe aspirationally as the 'digital single market' -- is the primary driver for the certification scheme. Just as GDPR was meant to harmonize data protection laws across all EU nations, so the European certification is meant to harmonize certification -- and the EU believes this will benefit both users and producers.
"The resulting certificate will be recognised in all Member States," declares the European Commission, "making it easier for businesses to trade across borders and for users to understand the security features of the product or service. This allows for beneficial competition between providers across the whole EU market, resulting in better products and higher value for money."
However, the actual need for and value of this harmonized certification could be questioned. A survey (PDF) by ENISA in August 2017 asked participants (28 agencies from member states, 24 vendors and manufacturers from the private sector, and 4 consumer associations) about problems encountered when dealing with security certification procedures. The top concern was 'cost' (24 participants). Second was the duration of the process (19). The lack of mutual recognition of certificates across member states ranked only third highest concern (17 participants). At this time, the problems involved in certification ranked higher than the potential benefits.
How the EU Cybersecurity Certification Framework could be applied to products imported from outside of the European Union -- from North America or the Far East -- remains to be seen. The certification cannot be mandated at foreign manufacture, but could be mandated at European purchase. This would give non-EU manufacturers a simple choice: get certified or ignore the European market.
However, the voluntary nature of the scheme could be bolstered by the growing concern over the security of supply chains. A larger company buying and integrating components from third-party manufacturers could insist, as part of its own risk management processes, that the components are certified to a certain level. This could operate in a manner similar to the UK's proposal for regulating IoT devices. Here, a labeling scheme is being considered, confirming conformance to up to 13 published manufacturing guidelines. A similar labeling scheme could demonstrate foreign manufacture compliance with EU certifications.
Application software certification is not explicitly described, but software cannot be excluded because of its integral nature to security product. The Cybersecurity Act states (para 96 of the preamble), "European cybersecurity certification schemes should take into account current software and hardware development methods and, in particular, the impact of frequent software or firmware updates on individual European cybersecurity certificates."
The two key elements of software certification are likely to be proof of 'security by design', and confirmation of the duration for which the supplier will support the product with updates and patches.
Outside of certification, the new Agency's existing European advisory role on network security will continue and is expanded. For example, it states that it "will assist Member States and Union institutions, bodies, offices and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis."
But perhaps of particular interest is the statement that, "At the EU level, ENISA will continue to support the coordination of responses to large-scale cyber-attacks and crises, in cases where two or more EU Member States are affected. This includes the possibility for the Agency to carry out post-incident analysis, when requested by the Member States."
This relates to an announcement from the European Council in May 2019. It announced a new framework "which allows the EU to impose targeted restrictive measures to deter and respond to cyber-attacks which constitute an external threat to the EU or its member states, including cyber-attacks against third States or international organisations where restricted measures are considered necessary to achieve the objectives of the Common Foreign and Security Policy (CFSP)."
Responses will be purely political (travel ban) and/or economic (asset freeze) sanctions "on persons or entities that are responsible for cyber-attacks or attempted cyber-attacks, who provide financial, technical or material support for such attacks or who are involved in other ways. Sanctions may also be imposed on persons or entities associated with them." The Agency's role will likely be forensic and recovery, plus attribution.
There is no indication in this of any suggestion for a form of hacking back mandate at the European level -- although individual nations may reserve the right to do so. The UK, for example, believes that in severe incidents, it has the right to strike back both in cyber and on land. In May 2018, Jeremy Wright (then Attorney General and now Secretary of State for Digital, Culture, Media and Sport -- DCMS) said "The UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter."
ENISA's role will remain primarily advisory. It was formed in 2004 to provide EU member states with guidance on the technicalities of network and information security. The Cybersecurity Act has maintained and expanded this basic role.
Related: Proposed EU Cybersecurity Product Certification Scheme Has Global Effects
Related: EU Invests €450 Million in Cybersecurity Partnership
Related: ENISA Report Provides ICS-SCADA Protection Recommendations
Related: EU Telecommunications Standards Institute Publishes New IoT Security Standard