Laptops, smart phones and other connected devices in Europe should be subject to new cybersecurity standards throughout the “entire life cycle” of products, according to draft EU Council conclusions on the subject, obtained by EURACTIV.
The text from the German Presidency hones in on EU efforts to bolster the cybersecurity of connected devices and makes the case for introducing more robust measures to ensure that the rapid uptake of these products comes with appropriate security and privacy safeguards.
“The increased usage of consumer products and industrial devices connected to the internet will also raise new risks for privacy, information, and cybersecurity,” says the document, which has been circulated among EU nations.
“Cybersecurity and privacy should be acknowledged as essential requirements in product innovation, the production and development processes, including the design phase (security by design), and should be ensured throughout a product’s entire life cycle as well and across its supply chain.”
Connected devices are objects that can connect with each other and other systems via the Internet. They span everything from laptop or desktop computers, to smartphones or tablets, to an increasingly wide range of objects like connected watches and automation and control equipment in homes and factories.
The German EU presidency text on connected devices will be discussed as part of the Council Horizontal Working Party on cyber issues this Friday (6 November). It underlines the necessity of introducing “horizontal legislation in the long-term to address all aspects of ICT security of connected devices, such as availability, integrity, and confidentiality.”
Moreover, such a framework requires “relevant norms, standards or technical specifications for cybersecurity evaluations,” the document adds, citing the EU’s cybersecurity act adopted last year, which included a provision for the establishment of an EU cybersecurity certification framework.
Norms should be established for “different categories of connected devices” depending on their risk profile, the document says.
Amid the coronavirus pandemic, the importance of bolstering the bloc’s cybersecurity standards has risen rapidly up the EU policy agenda, as remote working has increased exponentially and more people have spent time using connected devices at home.
A report published recently by the EU’s cybersecurity agency ENISA stated that the EU’s cybersecurity resilience has been pushed to the limit of its capacities as a result of the ongoing public health crisis.
“While working from home, cybersecurity specialists had to adapt existing defenses to a new infrastructure paradigm, attempting to minimise the exposure to a variety of novel attacks where the entry points are employees’ Internet-connected home and other smart devices,” the agency’s Threat Assessment report 2020 states.
“At the same time and under high-pressure, they had to implement solutions based on previously less trusted components, such as remote access through the public Internet, cloud services, unsecured video streaming services, and mobile devices and apps.”
Meanwhile, earlier this year, concerns had emerged over the resilience of the bloc’s critical infrastructures, particularly health bodies, after reports that some hospitals had come under attacks from foreign agents.
At the beginning of June, NATO released a statement condemning “destabilising and malicious cyber activities directed against those whose work is critical to the response against the pandemic, including healthcare services, hospitals, and research institutes.”
European Commission President Ursula von der Leyer suggested that China may have been behind a spate of cyberattacks against hospitals in Europe during the coronavirus outbreak, stressing that the EU will not “tolerate” such malicious activity.
Authorities in the Czech Republic had registered attacks on critical national infrastructures in the country, including one particular hit on Brno hospital. The country’s National Cyber and Information Security Authority (NÚKIB) issued a cybersecurity warning at the time.
The attacks prompted the EU executive to deliver a new EU security strategy in July, which included plans to bolster standards for the cybersecurity of European critical infrastructure.
NIS Directive Review
On December 15, Commission Vice-Presidents Margrethe Vestager and Margaritis Schinas are set to present the executive’s review of the network and information systems (NIS) directive, which entered into force in August 2016, with nations having to transpose the measures into national law by May 2018.
The rules laid down new standards for cybersecurity capabilities and also introduced requirements for cross-border cooperation and oversight on operators of essential services. The Commission recently closed a public consultation on the efficacy of the measures, the feedback of which will feature in the review.
Jakub Boratyński, a senior official at Commission’s department for communications networks, content and technology (DG Connect), informed EURACTIV earlier this year that a widening of the scope of operators of essential services in the NIS Directive is very likely, considering how vital certain networked tools have become in our everyday lives during the pandemic.
(Edited by Frédéric Simon)