This article is part of our special report Europe’s cybersecurity agenda.
There needs to be more discussion about liability for cybersecurity attacks, Steve Purser, director of operators at the EU cybersecurity agency ENISA, told EURACTIV.com in an interview. He also said that Europe does not need to have the toughest security standards in the world, but it needs an “appropriate level of security”.
ENISA will be in charge of drafting the rules to apply the first cybersecurity certification to products that can be used all over the bloc. A new European Commission proposal made the Athens-based agency responsible for the security programme, which has sparked controversy among tech companies.
ENISA will be in charge of drafting criteria for the new certification scheme. The proposal is still controversial among tech companies. Why is there a need to change cybersecurity certification?
I think there are several things telling us we need to revamp certification in general. One is that we have some very high-performing national schemes but we don’t have a European scheme. So we run the risk that if someone has a very good certification in Germany or in France, it may not be recognised in Bulgaria or the Netherlands or one of the other member states. So we’re still in this national scheme of things. On the whole it works quite well, but it certainly doesn’t work perfectly. So this is one reason I think the European scheme would be a very good thing. Second, there’s scope to increase the role of industry, to make sure they have a bigger voice – certainly in European certification because it will help products and services flow more freely across national borders, this is the key idea. But I think the biggest reason is that the market is changing enormously.
And the kind of certification schemes we have at the moment that work well – to be brutal – are rather clunky, they’re expensive and they’re slow. This is not a criticism of the certification people, they do a very good job. But it’s more a reflection of the fact that we are moving to a market that is characterised by massively increased scalability and much shorter time-to-market constraints. It is clear that in the future we will not be able to rely on the kind of techniques that we relied on in the past under these new constraints. Of course I’m talking about things like the internet of things, robots, AI [artificial intelligence] and all these new things which are coming up.
There was some discussion before the proposals came out about whether companies should be held to legally binding standards guaranteeing how secure their products are. We know that is not what the Commission proposed. Do you think there should be any binding standards for cybersecurity certification?
I think in some areas it could be beneficial to have binding standards. In others, definitely not. It’s a balancing act. On the one hand, let’s take things that are highly safety dependent or critical infrastructure, there I can certainly see a need for it. This is not the kind of thing you would want to do in a market which has risk, where you may hamper innovation and introduce barriers to becoming more successful on the global economic playing field. I think it would have to be done on a case-by-case basis. Certainly it should not be done in a sweeping way.
Some MEPs called for there to be EU rules regarding when companies can be liable for cybersecurity attacks. Should there be more discussion about potential liability legislation?
Absolutely. It’s an example of one of the concepts that does not translate very well from the practical world into the internet world, for many reasons. One is that liabilities on the internet are potentially huge. A car these days is not really manufactured, it’s assembled out of lots and lots of complex components, each of which has a complex supply chain. So it’s incredibly difficult or impossible for a car manufacturer to check all the elements of the supply chain. I think the thing we have to do is adapt the notion of liability to what is happening in the market. Complex supply chains, short-term for market. And we need to understand where the liability really stands. If you have a car accident but the problem was in the chip, which was embedded in one of the many systems in the car, several layers down in the architecture, how do you distribute liability? And how do you prove it was indeed due to the chip because it’s a complex system in which there are many things happening? I can’t give an answer to this but I can say it’s really the right time to be discussing liability. And to try to come up with better models for how we might supply it. Maybe there is a supply chain model for liability, a bit like we have a supply chain model for VAT.
Some of the criticism of the Commission’s proposal for an EU-wide certification programme was that companies argued it would create a barrier with countries outside EU, especially if the security standards here are higher.
I don’t understand that in the sense that, first of all, this is just an idea at the moment, a concept. And you can’t predict at the moment what will come out of it. In some ways for us the biggest candidate for immediate attention is what we’d call lightweight certification. We are really making a big effort at the EU level to be very pragmatic in the way we move forward on this. I don’t think the intention is to go in with heavy boots and change these processes with common criteria which are working very well. But there’s a huge space where there’s nothing. That is the internet of things area. I can see two solutions that would be very useful for the market if they’re done correctly. One is lightweight certification. And labeling. Both have enormous advantages and some drawbacks. The problem with lightweight certification is we have to get certifiers to actually produce lightweight things and that involves reassessing opportunities and risks. We cannot have our cake and eat it too. In tomorrow’s world, we cannot expect that these small objects which cost €50 can be secured to the same extent as the servers we buy spending thousands and thousands of euros. It doesn’t make any sense. We have to do our homework, we have to reassess opportunities and risks, come out with genuine lightweight certification schemes that nevertheless concentrate on the important stuff. But recognise that maybe you don’t need to have the most draconian security to let the monster in your house. I think this is a huge development because it will enable markets. It should enable Europe to become more competitive if it’s done correctly. It could be a big selling point. And it’s not associated with a lot of barriers.
Labels could be a great idea. When you talk to consumers, think of the energy label on the side of fridges, this is easy to understand. People see it’s an A+ device, they want to buy an energy efficient machine. Of course IT is much more complex than that. I’m not saying we can achieve the same level of simplicity, but we can certainly use that as an idea and try to produce labels that will give the consumer strong indication that they’re getting something that is secure. We need to make sure the consumer understands what the label means and we need to give the consumer a way of verifying the label that is understandable.
We can do something very powerful here, where we can stimulate markets and increase security at the same time at a relatively low cost. But we need to change our thinking and we need to understand we can’t apply the same criteria we applied in the past for bigger, costlier systems. It won’t work like that.
Obviously the Commission only proposed this certification programme last month and ENISA is in the driving seat for how it will look at the end and affect companies…
I hope not. My vision is a bit different. I’m quite optimistic. There is some dissent on certification, different member states have different points of view. Industry is split on certification, some people want it, some don’t. Maybe a good way of looking at this is on a sectoral basis, where you have a lot more cohesion. If you look at things from a sectoral basis, people are fairly aligned in general. By breaking the problem down, you sacrifice something but you also get a lot of traction and move the ball quite a big step forward. Of course later on you want to get commonalities and you want to get things sorted out that apply to everybody. But ENISA will approach the problem of certification as it does everything else. It will talk to its stakeholders in a very structured way. It will use baby steps to get towards a long-term goal. We don’t aim to change the world overnight but we have a very ambitious strategy and we approach it in small steps.
Are there any criteria you’d say are important and should be included in the different certifications you create?
Technical criteria, I wouldn’t want to say that at the moment. I’d make a few basic statements. The general idea is that we will aim to set certification criteria that reflect the fact that the house is not an atomic power plant or a nuclear submarine so the risk is in general lower. However, we will offset that by awareness campaigns to users saying, “If you put an IoT lock on your door, be careful because these locks are hackable. Or could be, depending which one you buy.” I think we will work on all three components and we will come up with an approach that balances economic concerns. The fact is that the EU needs to conquer these new markets together with an appropriate level of security. We don’t need to be the most secure in the world because that will kill us, we will not get into these markets. But we need to have enough security to get the job done. When the automobile first came out, the risk model was that someone used to walk in front of the car with a red flag. Of course in the intervening time we now have a risk model that works very well. There are dreadful things that happen with automobiles but we all know it, we all accept it and we deal with it in different ways. A similar thing will happen with IoT and AI and robotics and all these new technologies.