On the heels of GDPR and what it meant to the rest of the world outside the EU, another EU cybersecurity regulation is on the horizon. Most organizations remember the effort it took to meet GDPR compliance, irrespective of where they were headquartered or operated their business. The new EU regulation, the Cybersecurity Act, is different overall, but it aims at objectives similar to GDPR's. The regulation itself states one of the primary motivations behind it: “The use of network and information systems by citizens, organisations and businesses across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever-growing number of products and services, and with the advent of the Internet of Things (IoT), an extremely high number of connected digital devices are expected to be deployed across the Union during the next decade. While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity.” Better protection, increased resilience, additional transparency, and more security- and privacy-by-design improvements are a few of the regulation’s principal goals, and these terms appear throughout its text. The EU recognizes that security and resilience are critical as more technologies find their way onto the internet. Although many people and organizations have mixed feelings about government regulation, this one does make sense.

The Cybersecurity Act has two central areas of focus:
- Strengthen the powers of the European Union Agency for Network and Information Security (ENISA) by giving it a permanent mandate as an EU agency (the Act also renames it the European Union Agency for Cybersecurity).
- Launch a European cybersecurity certification framework for Information and Communications Technology (ICT) products, services, and processes, including IoT devices.
Why the Regulation is Important
Most people are beginning to realize that the world today is vastly influenced by one simple thing: software. There are plenty of computer-based products, devices, and services that affect our everyday lives, but at the root of all of them is software; it runs our modern world. So what does the new EU Cybersecurity Act have to do with software? The Act’s second area of focus is a “cybersecurity certification framework”, and that certification has more to do with software than anything else. Computer-based technologies are made up of chips, processors, memory, storage, input and output devices, plastic, metal, and so on, but without software (firmware, operating systems, applications, etc.) they are often nothing more than expensive paperweights. Software is what makes these technologies operate and, unfortunately, software is also their Achilles’ heel.

Simply put, software is vulnerable to cyberattack, primarily because of coding errors and mistakes made during the software development process. Since every internet-connected technology runs software, attackers focus their efforts on exploiting the vulnerabilities they find in its code, and a successful exploit lets them carry out all sorts of malicious activity. Not only can attackers find built-in vulnerabilities, these vulnerabilities are often similar in nature across many categories of technology. For example, researchers at Checkmarx have found vulnerabilities in many different consumer technologies making their way onto the internet. Their research on numerous devices shows that IoT and smart-device vendors apparently lack security awareness, resulting in a failure to protect users’ privacy. All of the devices tested in Checkmarx’s research were vulnerable to varying degrees: a smart scale, a smart lock, a smart band, a smart light bulb, and even the ultimate smart device, Amazon’s Alexa, had easily exploitable software vulnerabilities straight from the factory. Once Checkmarx researchers had exploited the vulnerabilities discovered in the devices’ software, they could simulate many of the malicious actions seen in real-world cyberattacks.

One of the most significant takeaways from the new Cybersecurity Act is that the EU is acknowledging that the IoT industry must do a better job with the security of its technologies, which in practice means the security of their software. The EU recognizes that vulnerable devices are a tremendous threat to the modern way of life, and that is likely the primary reason for launching a cybersecurity certification framework. According to the Act, “Businesses and individual consumers should have accurate information regarding the assurance level with which the security of their ICT products, ICT services and ICT processes has been certified.”
Software vulnerabilities are ubiquitous, and all software should be examined, tested, and cleared of known vulnerabilities before it ever finds its way into the technologies and services used in our everyday lives. Simply put, that is why organizations like Checkmarx exist. Checkmarx’s suite of products and services is designed primarily for two things: finding the coding errors that lead to exploitable vulnerabilities in software, and helping developers learn how to reduce, and nearly eliminate, such errors in the software they produce in the future. To learn more about Checkmarx’s recent research findings, see this webinar recording:
Is Privacy Even Possible with IoT?