By Kai Peters
Cyber security represents a challenge for companies and EU legislation alike. For example, the EU Commission faced the following dilemma when issuing the "Cybersecurity Act": On the one hand, European solutions are urgently needed to avoid a patchwork of national regulations with regard to cyber security. On the other hand, the EU faces the difficult task of finding a solution that covers all sectors and requires careful legislation. An initial analysis of the legislative proposal gives reason to believe that this difficult balancing act was only partly successful. Despite the urgency, many details must be improved during the parliamentary process.
Cyber attacks also endanger Industrie 4.0
The EU has recognized that the importance of cyber security is growing alongside increased networking and digitalization. More and more important know-how and expertise are available in electronic form and are highly coveted by hackers and competitors. Being connected to a network makes an increasing number of products, machines and plants vulnerable to data theft and sabotage. As one of the key industries of Industrie 4.0, the mechanical engineering industry is among those affected and has become an increasingly popular target for hackers. Thus the reports of security experts are piling up in the VDMA Industrial Security working group. Apart from email servers and company websites, machines and control systems in European industry are particularly affected due to the increasing connectivity between "traditional" office IT and the production systems.
It is also apparent that national rules will be insufficient for protecting networks that span several countries. Data streams and cyber attacks are not impeded by national borders, which means the EU needs to step up to the plate. It took the first step towards protecting critical infrastructures in 2016, with Directive (EU) 2016/1148 (Directive concerning measures for a high common level of security of network and information systems across the Union). The "Cybersecurity Act" (COM(2017) 477 final) of September 19, 2017 will be the next step towards improving the security of networked products and services in the consumer sector and in industry.
The proposal includes the remodeling of the ENISA agency as a European security "super agency" and a certification scheme for cyber security. It is aimed at improving the coordination of measures implemented by the member states, which were only poorly coordinated in the past. National systems are to be transitioned to rules that are applicable throughout Europe, making the protection level of products and services comparable on an international scale.
EU under pressure to take action
The growing number of attacks, public scrutiny and rapid technological development are not the only factors putting pressure on the EU. The member states, in particular Germany and France, are swiftly progressing with their own security legislation and certification systems. The resulting fragmentation thwarts the single European market in IT and the Internet of Things while it is still in its infancy and thus endangers the development of a competitive digitalized European industry. Companies already need to ensure that their products comply with various different regulations and expensive certification systems. The EU needs to take control of these developments soon.
Cyber security must be part of the single market
But fast and superficial harmonization alone is not enough. Precise legislation and the inclusion of stakeholders across the board are required for consistency in the single market and the consideration of numerous application scenarios. This is a difficult task for an area marked by highly dynamic development and little regulation, as well as a heterogeneous standardization landscape. Requirements need to be defined transparently throughout Europe. Questions regarding market surveillance and conformity assessment must have clear answers. At the same time, however, innovation must not be impeded and entrepreneurial freedom needs to remain unrestricted.
Parliament must act to regain balance
After an initial analysis of the "Cybersecurity Act" it seems the EU was unable to fit a square peg into a round hole. Political pressure to act in combination with the interests of the member states has led to a vague draft that leaves many questions unanswered and sometimes takes the wrong approach to things. From VDMA's standpoint, there are many points that need improvement.
It is symptomatic of the deficits of the draft that it only aims at certification via third parties. Certification should not be the only objective of a cyber security initiative, but rather one of several potential instruments for conformity assessment at the end of a transparent process. This is all the more important since cyber security is a dynamic target, which calls into question the suitability of a static assessment. Product certification says nothing about the actual security, as it does not include the product life cycle, nor its implementation and operation. Protection against cyber threats may therefore already be outdated by the time the product is delivered. The question of when and how certificates, as momentary snapshots, are even capable of doing justice to this situation is not raised. Another deficit is that mandatory third-party assessments, labels and certifications always constitute an intervention in the private autonomy of companies, incur high costs and leave little room for innovation.
Defining requirements, integrating industry and mechanical engineering standards better
Certification does not work without a useful catalog of requirements. However, there is no such catalog included in the Commission's draft. The mechanical engineering industry sees it as indispensable to define the IT security requirements uniformly throughout Europe and use this as a basis for further steps. This process should always be transparent to those who need to fulfill these requirements in the industry and they should be closely involved in the process.
But the proposal does not foresee clear structures and processes for the involvement of users and producers. Nor are internationally applicable harmonizing standards sufficiently taken into consideration.
Many open questions on governance - Who decides the necessity?
The Commission's proposal stipulates that cyber security schemes are suggested by the "European Cybersecurity Certification Group" - a committee of national certification supervisory authorities - or the Commission itself. The Commission then gives ENISA the task of developing a "cybersecurity scheme" that the Commission then adopts as an implementing act, which means parallel national systems no longer apply. This is how the Commission aims to control the fragmentation.
However, the problem with this approach remains that the evaluation of whether a certification system is even necessary and suitable is made outside of parliamentary and political processes. The process as described in the proposal does not include a system of "checks and balances" that ensures transparency, legal certainty and that the scheme is appropriate and purposeful. For example, there are no impact assessments foreseen.
The proposal mentions a voluntary approach, but expressly foresees the option of mandatory use, for example as part of other legislative acts. There is thus the danger of mandatory third-party certification systems being established which lack the necessary evaluation and coordination. In light of this, the drawbacks of the draft appear even more substantial.
VDMA therefore calls for all those involved to use the opportunity of the impending legislative process to turn this partially inappropriate draft into a sustainable solution that is suitable for the single market.