When Politicians Do Cybersecurity

Regulation (EU) 2019/881 of the European Parliament and of the Council on ENISA (the European Union's cybersecurity agency) and on the information and communications technology cybersecurity certification, or repealing Regulation (EU) No 526/2013, also known as the European Union's Cybersecurity Act.

I’m terribly sorry for making you read the subtitle above, but this is apparently how EU acts are named.  I use italics for quotes throughout this article, the full text to be discussed is available here: https://eur-lex.europa.eu/eli/reg/2019/881/oj

The EU has updated the Cybersecurity Act governing the European Union Agency for Cybersecurity (ENISA) and the information and communications technology (ICT) cybersecurity certification in the summer of 2019, and there has been surprisingly little discussion about it in cybersecurity circles, which is worrying.

A Regulation of the EU Cybersecurity Act is officially referred to and categorized as a legal act of the European Union that becomes immediately enforceable by law in all member states simultaneously. As it is declared a common market mechanism (text with EEA relevance), it is likely to be enforceable in all EU countries as well as Norway through the European free trade agreement.

The position of post-Brexit UK in relation to this Regulation is not clear yet. Other states, most importantly China[1], have passed cybersecurity regulation at a law level, these do not deal with assurance directly and rely on a pyramid-structured legislation.

This implies using decrees to specify the application of laws and giving their specialized authorities sufficient autonomy in phrasing their specific requirements in regulatory guidelines. This is the preferred EU regulatory approach to avoid direct contact between technology and high-level politicians like Members of Parliament.

When inherently political processes like parliamentary sessions and inherently technical ones like cybersecurity regulations meet, bad things (ranging from doing nothing at a high cost to acting on misunderstandings) happen and unfortunately the present EU Cybersecurity Act carries the risk of both.

Taking a simple glance at some of the definitions will clarify their intent to achieve a high level of cybersecurity:

(1) ‘Cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats; where

(8)  ‘Cyber threat’ means any potential circumstance, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;

Any potential circumstance, event or action include just plain everything. It does not differentiate between safety and security, but implicitly uses cybersecurity for both. It does not set forth any functions or qualities. In this case, China’s law manages to express more actionable content in less volume in its Article 76:

(2)     “Cybersecurity” [also “network security”] refers to taking the necessary measures to prevent cyber-attacks, intrusions, interference, destruction, and unlawful use, as well as unexpected accidents, to place networks in a state of stable and reliable operation, as well as ensuring the capacity for network data to be complete, confidential, and usable.

Allowing for a bit of the nuance to be lost in translation we can trace the qualities in this definition to the classic cybersecurity properties of integrity (complete), confidentiality (confidential) and availability (usable).

The intention of the lawmaker can perhaps be analyzed through analysis of the relative lexical frequencies. Among the 55 pages of the English PDF document:

·   ICT is mentioned 537 times, so it must be important. Part of the failure to use concise language can be traced to the separate definitions for:

o    ICT product

o    ICT service

o    ICT process.

§   The added (regulatory or otherwise) value of using these different categories is questionable due to technological reasons. Currently, the market forces are pointing towards

·  Software as a Service, blurring the boundary between a product and a service.

· Cloud services for running processes, blurring the boundary between a process and a service.

· Containerized and orchestrated solutions for high availability and reduced management overhead, blurring processes and products.

§   ICT as a noun could have been used in most if not all articles that now devote voluminous sentences to the above three ICT categories.

· Member is mentioned 237 times, most of all as Member State (166 times). While it could have been implied that the regulation is valid for the EEA Member States, the text is primarily occupied with shuffling around responsibilities and budgets without treating how certification will be done.

· Assurance is mentioned 50 times. While not a priority in the Act based on relative frequency, the perspective on how a European assurance framework could look like based on this Act as a starting point of a legislative process is the mission of this chapter.

(21) ‘assurance level’ means a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concerned;

The definition rests on four concepts, out of which:

(1) Confidence is regularly invoked as an explanation for assurance, e.g. in this paper and more generally by the Merriam-Webster[2]. It has mathematical expressions and a subjective meaning understandable to everyone and is correctly applied here.

(2) ICT is a catch-all phrase that could have well been used without unending repetitions of service, process and product

(3) The cybersecurity scheme in question has not yet been defined

(4) Evaluation (according to the cybersecurity scheme) is the only metric. The explicit waiver on security as a goal (does not measure the security…) is as unbelievable as it is counterproductive in this early stage of the legislative process. The developers of the cybersecurity schemes have a legal excuse to assure that evaluation happens for evaluation’s sake, without any expected effect on security.

This is problematic and potentially dangerous, as it derails the commonly understood term of confidence into meaninglessness.

The EU summoned up the courage to establish a framework that will compete with the Common Criteria (CC) previously established by the International Electrotechnical Committee, at least implicitly through the unavoidable business decision of technology suppliers.

Several authorities in the Member States who are also CC certification providers will need to build parallel systems. The resulting framework will possibly stay irrelevant to the business and technology decisions taken on the ground by engineers, because the legislation does not provide any advantages to the more established CC and could therefore remain a niche application for EU internal use.

France, Germany, the Netherlands, and the United Kingdom were instrumental in creating the CC. Why would the professional bodies in these countries revise their previously clarified stances on assurance?

Although resources have apparently not been shunned in the creation of the Act, and the Act itself assigns many more resources to cybersecurity, it is doubtful if such centralized but multi-stage legislative processes building upon technologically irrelevant definitions will provide the assurance transparency sought in the common market. It is doubtful that any more uncertainty was removed by the EU Cybersecurity Act than it introduced.

It is hard to imagine any court of law or company making objective decisions based on this legislation. For the time being, present system evaluation of the EU law on cybersecurity assurance does not find the coverage of assurance methods therein to be satisfactory beyond EAL 1.

A microkernel architecture (or it’s analogues in the field of law, e.g. pyramid-structured legislation) is put forward for consideration, where many processes, e.g. Inter-Process Communication, would run in the user space of national or supranational authorities specialized in cybersecurity. It is hard to understand why the Commission was mandated to roll out this program instead of the ENISA. The latter should be trusted as a professional authority, anything else would be wasteful of the budget that was just doubled for them with the Act.

The Chinese Cybersecurity Law consists of 6127 words, while the EU Cybersecurity Act goes on for 32.222 words or more than five times longer [3]. If we take the assumptions that:

·         the limited amount of cybersecurity resources in the EU are dominated by the wages of cybersecurity professionals

·         EU cybersecurity professionals upholding a rule of law in cyberspace actually read the law that governs their work

·         Educating themselves about requirements dominates the working lives of cybersecurity professionals as usual in a knowledge-based industry

A resource multiplier of 0,19 follows. While the EU still has a somewhat larger economy than China, applying this multiplier to its cybersecurity resources means that it disqualifies itself from any future global competition in this domain. Translating the resource multiplier to a force multiplier that might have to be used in a conflict situation would make it a moral imperative to avoid bureaucratic overreach.

[1] The Cyber-security Law of the People’s Republic of China available in English at https://www.dezshira.com/library/legal/cyber-security-law-china-8013.html

[2] https://www.merriam-webster.com/dictionary/assurance

[3] While the volume difference can be understood as a consequence of differences in scope and approach, the EU Cybersecurity Act also was published without any cross-linking within the document or a table of content.