Reform of cybersecurity in Europe has been high on the agenda of EU institutions and the member states since September 2017. On March 12, 2019, members of the European Parliament adopted the EU Cybersecurity Act. The Act completes a series of regulations and directives under the current reform framework enhancing cybersecurity and data protection in the EU: the Network and Information Security Directive (NIS Directive), which focused on reinforcing national capabilities and cross-border collaboration on cyber issues, and the General Data Protection Regulation (GDPR), which revamped and strengthened the data protection and privacy regime for EU citizens.
The Act has two main goals. First, it includes a proposal to strengthen and expand the mandate of the European Union Agency for Network and Information Security (ENISA), giving the organization an operational role of assisting member states in response to cyberattacks, in addition to its current role of providing expert advice. The second main policy goal of the Act is to create a common framework for certification of Information and Communications Technology (ICT) products and services by harmonizing the current cybersecurity certification activities and policies across the member states.
ENISA's work on implementing the certification framework, building on international standards and engaging a wide range of stakeholders, can draw inspiration from the governance processes and philosophy behind the US National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity.
NIST published the Framework in February 2014 pursuant to Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. The Executive Order called for a standardised security framework and directed NIST to work with stakeholders to develop a voluntary framework, based on existing standards, guidelines and practices, for reducing cyber risks to critical infrastructure.
NIST was tasked with developing the Framework as a non-regulatory agency with a long-standing track record of subject-matter expertise and a history of multi-stakeholder engagement, much like ENISA.
In the four years since the Framework was adopted, it has seen a significant degree of acceptance and adoption despite its voluntary nature, and it has established itself as a flexible and adaptive resource for improving the cybersecurity of critical infrastructure and of the whole ecosystem in the United States.
In implementing the Act, ENISA will play the leading role in defining and establishing specific certification schemes for ICT products, services, and application areas. According to the report ENISA published on its vision for executing its certification mandate, ENISA will be the pivotal interlocutor with public services as well as with industry and standardisation organisations in drawing up candidate certification schemes.
Even if the tactical objectives of the two documents and organisations differ, their ultimate goals, to increase resilience and build strong cybersecurity, are the same. Hence, here are three lessons learned from NIST's Framework governance and approach that could inform ENISA's work on the EU certification scheme.
1. Broad Stakeholder Engagement
Input from and cooperation with the private sector and other relevant stakeholders is foreseen throughout the Act, in particular in Article 47 and Article 49(3). The Framework process can serve as an example of how such provisions can be implemented successfully. The Framework was developed and socialised through engagement with, and input from, stakeholders in government, industry, and academia. To develop it, NIST used a Request for Information (RFI) and a Request for Comment (RFC), as well as extensive outreach, seminars, webinars and workshops around the country. Comments were received, adjudicated, and published from a wide array of organisations and individuals, including the non-profit sector and independent subject-matter experts. The inclusiveness and governance of the Framework's creation and evolution are widely considered the main reason for its adoption and acceptance. NIST recognised from the outset that industry has long-standing experience in improving cybersecurity and the most relevant expertise in terms of innovation and adaptability. Involving and securing the support of stakeholders, in the broadest sense of the word, in the development and implementation of the EU certification scheme will provide buy-in, long-term support, and substantively the best possible outcome for the scheme.
2. Outcome-based and Flexible Framework
The EO directed NIST to work with industry leaders to develop the Framework and called for a prioritised, flexible, repeatable, performance-based and cost-effective approach. The document lets organisations focus on the cybersecurity outcomes to be achieved, and they select the security controls to implement based on their own risk assessment. The EU certification scheme should likewise favour an outcome- and risk-based approach over mandatory compliance with a checklist, so that organisations can select the risk management best practices and the implementation that best fit their needs.
Currently, Article 49(8) of the Act provides that each adopted European cybersecurity certification scheme will be evaluated at least every five years, taking into account the feedback received from interested parties.
A flexible certification framework will allow for updates and revisions to ensure that state of the art controls, standards, and risk management best practices (which are constantly evolving) can be implemented as part of the certification scheme.
In 2018, NIST published an updated version (1.1) that refined, clarified, and enhanced the Framework released in February 2014. While it took four years to publish the update, industry was continuously engaged in providing comments and participated in meetings with NIST as the revisions were considered, recognising the rapidly evolving threat and technological context. The measures implementing the Act should include a similar strategy of continuous engagement.
3. Metrics and Measurement
The draft revisions NIST circulated in 2017, which became version 1.1 in 2018, focused on refining the development of metrics. The new section in the Framework highlighted the benefits of self-assessing cybersecurity risk against meaningful measurement criteria and emphasised "the correlation of business results to cybersecurity risk management." According to the Framework, "metrics [can] facilitate decision making and improve performance and accountability."
Measurements help assess the effectiveness of the proposed solutions, determine sustainability, promote learning, and, where appropriate, provide policymakers with data to support decision-making. The EU should consider establishing metrics to measure the impact of the EU certification scheme. Even if a product, service, or process passes a formal evaluation, how will ENISA measure the impact of the scheme as a whole? The range of candidate metrics is wide: it could include a decrease in the number of Internet of Things (IoT) devices abused to perform distributed denial of service attacks, or growth in the number of certified IoT devices purchased or integrated into the larger ecosystem.
But don't stop at certification. The stated goal of the Act is to build consumer trust in IoT products while continuing the construction of a single EU digital market. Certification is an important way to inform consumers about the security properties of the ICT products and services they intend to use or buy. Ensuring that an individual device or service complies with specified cybersecurity requirements and protects data is an important step, but it does not mitigate the risk inherent in deploying IoT devices within an ecosystem (e.g. data flows between devices, behaviour under off-line conditions, compatibility, performance, etc.). Mitigating the risk of individual or collective IoT deployments in a connected system (think smart city) requires innovative approaches to testing and risk mitigation: for example, IoT ranges, large-scale and complex test environments that go beyond simulating network operations, services and attacks on them, and that include the capabilities and processes to develop and maintain IoT best practices and to certify and validate devices and manufacturers against them. The EU, its member states and industry should double down on such innovative efforts to secure the IoT ecosystem.