Improving IoT security in the EU
Why pre-market certification is not enough and how to fix it
A look at Internet routers alone makes clear that the Internet of Things (IoT) has a severe IT security problem: global botnets consisting of hacked commercial off-the-shelf (COTS) Internet routers are being used for industrial espionage, to mine cryptocurrencies, to steal online banking credentials, for denial-of-service attacks against websites, or to attack critical Internet infrastructure. The increasing ubiquity of IoT devices, combined with the fact that the market fails to produce reasonably trustworthy and secure IoT devices, was reason enough for the European Union to start regulating this field. The EU Cybersecurity Act (CSA) – which is still being negotiated – relies heavily on the interplay between standardization, conformity assessment and market surveillance: consortia consisting of different stakeholders develop technical standards (cybersecurity certification schemes), and manufacturers can use these schemes to certify their devices and thus prove conformity. Product safety has been regulated in a similar way in the EU for decades. The Achilles heel of this approach is market surveillance, and currently the CSA fails to improve and strengthen this aspect: if regulators allow manufacturers to self-assess their conformity to defined IT security requirements (certification schemes), market surveillance needs the resources and knowledge to identify false claims and sanction bad actors.
Because of its reliance on certification and conformity assessment, the CSA also struggles with the fact that one-time, pre-market certification does not fit well with today’s continuous software development realities: the manufacturer of an IoT device with software-defined functionality has a continuous obligation towards the user to keep this device safe and secure. To estimate whether and to what extent the manufacturer meets this obligation, users, market surveillance authorities and other stakeholders need up-to-date, accessible information about the current IT security of the device. To this end, the paper proposes a minimal set of supplementary information that should be easily accessible in order to estimate how well the manufacturer maintains its devices after the point of sale. This type of information could be made available in several different ways: (1) a central database run by the European Commission to which manufacturers send their data, or (2) a decentralized system in which it is the manufacturer’s responsibility to maintain a “living document” throughout the product lifetime. Both systems are currently deployed or under development for different areas of regulation. This type of up-to-date information about the security of certified products on the EU Single Market would benefit a variety of stakeholders and significantly strengthen the CSA’s proposed certification framework.