On the heels of GDPR and what it meant to the rest of the world outside of the EU, another EU cybersecurity regulation is on the horizon. Most organizations remember the effort taken to meet GDPR compliance irrespective of where they were headquartered or operated their business. The new EU Regulation called the Cybersecurity Act is different overall, but it aims to achieve similar objectives as GDPR. According to the regulation, here is one of the primary influencers behind it:
“The use of network and information systems by citizens, organisations and businesses across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever-growing number of products and services, and with the advent of the internet of Things (IoT), an extremely high number of connected digital devices are expected to be deployed across the Union during the next decade. While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity.”
Better protection, increased resilience, additional transparency, and more security and privacy-by-design improvements, are to name a few of the regulation’s principal goals. You can find these terms throughout the regulation. The EU realizes that security and resiliency are critical as more technologies find their way to internet. Although many people and organizations may have mixed feelings about government regulations, this new one does make sense.
The Cybersecurity Act has two central areas of focus:
- Strengthen the powers of the European Union Agency for Network and Information Security (ENISA) by making it a permanent EU agency.
- Launch a European cybersecurity certification framework for Information and Communications Technology (ICT) products, including IoT devices.
Why the Regulation is Important
Most people are beginning to realize that the world today is vastly influenced by one simple thing – software. Clearly, there are lots of computer-based products, devices, services, etc. that impact our everyday lives. But at the very root of all of these technologies, software is vital and it runs our modern world. Since that is the case, what does the new EU Cybersecurity Act have to do with software?
The Act’s second area of focus is all about a “cybersecurity certification framework” and this certification has more to do with software than anything else. All computer-based technologies are made up of chips, processors, memory, storage, input, output, plastic, metal, etc. However, without software (firmware, operating systems, applications, etc.) these computing technologies are often nothing more than expensive paper weights. Software is what makes these technologies operate and unfortunately, software is also their Achilles Heel. Simply put, software is vulnerable to cyberattack.
This is primarily due to coding errors and mistakes being made during the software development process. Since all of the “internet connected” technologies run software, attackers focus their efforts on exploiting the vulnerabilities they find in software code, allowing them to perform all sorts of malicious activities as a result. Not only can attackers find built-in vulnerabilities, these vulnerabilities are often similar in nature across many categories of technologies.
For example, researchers at Checkmarx have found vulnerabilities in many different consumer-based technologies making their way to the internet. The research they have performed on numerous devices acknowledges that IoT and smart-device vendors apparently lack security awareness, resulting in a failure to protect users’ privacy. All tested devices in Checkmarx research were vulnerable to various degrees. For example, a smart scale, a smart lock, a smart band, a smart light bulb, and even the ultimate smart device – Amazon’s Alexa had easily exploitable software vulnerabilities – straight from the factories. Once Checkmarx researchers were able to exploit the discovered vulnerabilities in the devices’ software, they could perform many different malicious simulations comparable to today’s cyberattacks.
One of the most significant takeaways from the new Cybersecurity Act is that the government of the EU is acknowledging that the IoT industry must do a better job with the security of their technologies (i.e. software). The EU is recognizing the fact that vulnerable devices are a tremendous threat to the modern way of life, and that is likely the primary reason for launching a cybersecurity certification framework. According to the Act, “Businesses and individual consumers should have accurate information regarding the assurance level with which the security of their ICT products, ICT services and ICT processes has been certified.”
Software vulnerabilities are ubiquitous and all software should be examined, tested, and verified to be vulnerability-free before it ever finds its way to the technologies and services used in our everyday lives. Simply put, it’s the reason why organizations like Checkmarx exist. Checkmarx’s suite of products and services are designed primarily for two things: find coding errors that lead to exploitable vulnerabilities in software, and help developers learn how to reduce and nearly eliminate these errors in the future software they produce.
If you would like to learn more about Checkmarx recent research findings, see this webinar recording: Is Privacy Even Possible with IoT?