How the European Cybersecurity Act can Promote Security by Design

Proposed legislation can strengthen focus on secure development practices.

The European Union is currently finalizing cybersecurity legislation that would strengthen the mandate of the European Agency for Network and Information Security (ENISA) and establish an EU-wide Information and Communications Technology certification framework. The goals of the legislation are to reduce certification fragmentation across member states, increase market confidence in the security and resilience of ICT products and services, and improve the state of security of ICT products and services in the marketplace.

Legislative efforts to strengthen cybersecurity can help build trust in the digital economy. And certification schemes, if developed effectively, can play a valuable role in driving market confidence and raising the bar for strong cybersecurity practices.

Aligning certification with modern software development practices

Historical software certification schemes would often take 12 to 18 months to test and certify a product or service. These schemes would provide assurance information on the security features of ICT products and services but would rely on lengthy release and update schedules.

Modern software development leverages agile methodology and practices, where there is a focus on iterative, continuous development and feedback loops. Through these agile processes, organizations can release and update software applications at a much higher velocity and with greater frequency. This is especially true for releases of and updates to cloud-based applications, which are often updated on a daily, or even intraday, basis.

Therefore, a modern ICT certification scheme should align with modern software development practices so that it enables continued innovation while realizing its goals of strengthening security.

Secure Development Process-based Certification and Security by Design

Certification schemes that focus on secure development processes and practices can provide security assurance and allow for continued ICT product innovation.

Secure development processes and practices focus on minimizing the introduction or inclusion of vulnerabilities into ICT products and services during the design and development phases. Organizations that follow best practices cultivate a “Security by Design” approach, conducting security testing and performing other secure development practices throughout the entire software development lifecycle. An ICT product that is developed using these processes and practices will be as secure as it can be at the time it is released. If new vulnerabilities are discovered in a released product, an organization should have processes and practices in place to patch these vulnerabilities. Secure development process-based certification schemes can assess the rigor of these lifecycle processes.

Opportunities under the EU Cybersecurity Act

The EU Cybersecurity Act provides an excellent opportunity to focus on secure development process-based certification schemes. The Commission, Council and Parliament legislative texts all cite the importance of security by design in addressing the cybersecurity challenges that come with increasing numbers of connected devices.

Proposed EU Parliament amendments in Articles 45 and 47 of the legislation call for:

  • a process to identify and document all dependencies and known vulnerabilities in ICT products and services;
  • a process to deal with newly discovered vulnerabilities; and
  • certifications that can be built into or based on the producer’s systematic security processes followed during the development and lifecycle of the product or service in question.

Modern ICT certification schemes, which focus on secure development processes and practices, can help achieve the European Commission’s goals of enhancing security, reducing fragmentation and improving market confidence. They can also enable continued ICT software innovation.

What are your thoughts on ICT certification? What do you see as some of the potential opportunities and challenges?

Jamie Brown

As director of global government relations for CA Technologies, Jamie manages cyber security and Internet of Things policy. He also serves on the IT Sector Coordinating Council Executive Committee, the principal IT industry entity for coordinating with the federal government on critical infrastructure protection and cybersecurity. Jamie previously worked on the House Science Subcommittee on Research and Technology. Jamie has an MSc in social policy from LSE. He is also an avid Yankees fan.