Yes to a European Cybersecurity Act — but Not to Just Any Requirement (SD MAGAZINE)

With European Cyber Security Month (ECSM) well under way, a couple of days before the ‘Les Assises’ cybersecurity event starts in Monaco, the Alliance for Digital Trust (ACN) and Hexatrust are sounding the alarm on the content of the European Cybersecurity Act. This act was deposited rather abruptly and very hurriedly on the desk of the European Parliament.

On the occasion of European Commission President Jean-Claude Juncker’s State of the Union Address on 13 September 2017, the European Commission presented a series of measures relating to cybersecurity, including a proposal for a regulation on the European Union Agency for Network and Information Security (ENISA).

This proposed regulation aspires to redefine the role and mandate of the ENISA and proposes the creation of a new European cybersecurity certification scheme.

Upon reading the proposed regulation, which is moving forward unusually quickly, the ACN and Hexatrust challenged Juncker on replacing the « certification frameworks currently existing in France and in Europe and conferring upon the ENISA and the European Commission complete control of developing and validating any new certification plan to come, for all fields of activity. » The national supervisory authorities — such as the French National Information Systems Security Agency (ANSSI) and the German Federal Office for Information Security (BSI) — would be stripped of any power and limited to an advisory role.

According to ACN President Jean-Pierre Quémard, « Certification is a highly strategic challenge for our companies, but also for our country and for Europe. With the full implementation of the European General Data Protection Regulation (GDPR), these certification frameworks enable personal data to be secured. In this sense, they are essential tools for ensuring that Articles 7 and 8 of the European Union Charter of Fundamental Rights and our continent’s humanist values are upheld. »

These frameworks, in attesting to a high level of security for products, solutions and services, represent essential tools to ensure national and European sovereignty in the field of ICTs and digital affairs.

Doing away with 20 years of advances

In effect, this proposed regulation provides for replacing certification frameworks currently existing in France and in Europe and conferring upon the ENISA and the European Commission complete control of developing and validating any new certification plan to come, for all fields of activity. The Member States, the national authorities (the ANSSI for France and the BSI for Germany) and the representatives of the economic world would be confined to an advisory role in this strategic process, even on topics relating to national security and sovereignty.

« Thus this proposed regulation runs the risk of doing away with some 20 years of advances by European digital security companies in favour of non-European companies, » said Hexatrust President and Wallix CEO Jean-Noël de Galzain. He went on to say, « This law would endanger the emergence of new players, and its complex administrative processes would put our SMEs in a difficult position. The supervisory authorities and our government must take action to influence the proposed regulation. This is a critical juncture for the future of cybersecurity and French small businesses. »

Taking care not to lump together

There is a risk of losing highly sensitive technologies such as encryption and highly secure embedded applications as well as the expertise of assessment laboratories. Indeed, distinctions must be made between the different degrees of security required. « For example, a distinction must be made between, on the one hand, the Internet of Things and, on the other hand, digital trust solutions and services for essential and vital services. Their levels of security must not and cannot be the same. Lumping them together puts us in a dangerous situation, » warned Galzain. He continued, « I am not against this proposed regulation, which has several virtues, but I do believe that it must not simply place everything in a single category. We must find a standardised security system, as the matter is indeed urgent. However, this does not mean that a connected toothbrush, a security system for a railway company like SNCF, a nuclear power plant and even a health data repository should all be handled in the same way. »

Moreover, this proposed regulation places the responsibility for the ultimate certification of cybersecurity products and solutions in the hands of entities whose approval and control depend solely on their national authority. Since certificates are valid throughout Europe, there is a great deal of uncertainty around the uniformity of security levels by issuing country. The ultimate risk is that products with different cybersecurity and quality levels will bear equivalent certification. This would weaken efforts by entities such as the ANSSI and the BSI to raise our society’s cybersecurity level. « This means that we will be lowering our cybersecurity level, and that is unacceptable, » Galzain said.

A coherence among European certification frameworks

Various cybersecurity players — both industrial stakeholders and national authorities — express a desire to bring cybersecurity certification frameworks into coherence on a European level. However, according to Quémard, the recommendations by the European Cybersecurity Act « run entirely counter to the recommendations by France and Germany. The complete absence of checks and balances by the Member States and the national authorities, as well as the lack of transparency in the new certification frameworks, appear to be major risk factors. »

In a letter to the Prime Minister and to Secretary of State in charge of digital affairs Mounir Mahjoubi — who during his trip to Tallinn emphasised vigilance in adopting works in progress — the ACN and Hexatrust make several recommendations. These are: a decision-making role for Member States through their national authorities, the incorporation of existing certification systems, greater transparency concerning the players involved in developing certification frameworks and, finally, the option for the national authorities to monitor both their peers from other European countries and certain categories of « strategic » products and services.

The matter is urgent

In effect, the proposed regulation is moving forward unusually quickly. Its content came as a big surprise to many: the elements announced on 13 September were discovered on that same day by certain key interested parties. Why then is it moving forward so quickly, and so abruptly? « While we understand that the matter is urgent, given the very aggressive major attacks in recent months, this does not mean that we must mistake haste for speed, » said a source close to the matter. What we are seeing is not a far cry from a powerful lobbying push by our Anglophone friends. Indeed, the debate around the certification of cybersecurity and cyber defence tools is not new. An update to the common criteria, started a year ago, was dragged down by a sweeping Anglophone effort. « We do not wish to render Europe an impenetrable stronghold. That would not make sense. However, whether we are referring to the common criteria or to a European and international cybersecurity framework, we must not lower the cybersecurity level, » Quémard clarified.

Thus there is an urgency around this proposed regulation, which goes against French and European interests. To analyse the regulation’s content, the European Parliament has already chosen the Industry Committee, and the anticipated rapporteurs are known for opposing the French and German vision.

This text was presented to the European Council on Friday, 6 October 2017. « We do not know the outcomes of the debates that raged, nor do we know whether our country’s representatives presented firm reminders of the minimum guarantees and responsibilities that this proposed regulation must include, » state the signatories to the letter to the French government. « We do know that they took our position into account. The Germans and the European Cyber Security Organisation (ECSO) are going to push similar positions. »

Thus the question is not whether it is already too late. According to Galzain, « France and Germany are strong enough to influence this proposed regulation. »

While discussions within the Commission will resume in around two weeks, Galzain is looking to « our government’s responsibility. France must remain at the vanguard of these topics. We must be up to the task of fulfilling our ambitions. We are all ready for action. We hope that the government will throw its support behind this drive. »