On April 15, 2020, in line with its mandate to support and promote the European Union’s ("EU") policy on cybersecurity certifications, the EU Agency for Cybersecurity ("ENISA") released the study "Advancing Software Security in the EU – The Role of the EU Cybersecurity Certification Framework" (the "Study").1 In the Study, ENISA stresses that with the increasing dependency of everyday products, services and processes on software, more attention must be paid to security in both software development and maintenance. The Study also says that this security need is not being filled by existing standards and certification schemes and that EU cybersecurity certifications schemes could play a role in this regard.
Cybersecurity has been a top priority for the EU in recent years. First, the EU implemented a directive on the security of network and information systems ("NIS Directive"). The NIS Directive aims to increase the preparedness and resilience of networks used by critical sectors and some digital services providers against cyber threats. The EU went one step further by adopting a regulation on information and communication technology cybersecurity certification (the "EU Cybersecurity Act"). The Cybersecurity Act pursues the strengthening of cybersecurity features of products and services primarily through the development of EU-wide cybersecurity certification schemes of different assurance levels (ranging from basic, substantial to high). ENISA plays a central role in preparing candidate schemes for later adoption at the EU level as well as in raising awareness of the schemes’ benefits.2 Current ENISA work includes two candidates to succeed SOGIS3 and, more recently, cloud services.
THE MAIN TAKEAWAYS FROM THE STUDY
1. The Shortcomings in Software Security …
The Study identifies what ENISA considers the most significant shortcomings in software security. These include:
- Lack of Quality Assurance – The average consumer is not able to immediately identify the level of security embedded into software. Further, a non-expert cannot identify what a certificate (if granted) actually means regarding the level of security. This impacts the trust consumers place in software products.
- Rigid Certification May Hamper Security – The current certifications schemes may hamper security as vendors might refrain from updating their software in order to avoid another long and costly (re)certification process.
- Difficulty to Differentiate Process and Product – Assessing software processes in addition to software development would be ideal, but process assessment is hard to perform reliably. Indeed, some of the aspects taken into account when assessing processes (e.g., skills, knowledge of the people) may be hard to measure under existing standards or schemes.
- Lack of Harmonization in Existing Standards & Schemes – While many software security standards exist,4 their requirements largely overlap. This is due, according to ENISA, to the fact that the relevant organizations, such as standards developing organizations ("SDOs") and European standards organizations ("ESOs") work without proper coordination, contributing to a fragmented landscape. The situation is even more problematic in relation to software security certification, as only a few standards support it (and if they do, only with limited exposure and acceptance).
2. … and How Cybersecurity Certification Schemes May Help Address Them
ENISA suggests that further work on cybersecurity certification schemes can meaningfully address some of the shortcomings. Among other measures, the Study recommends the following:
- Certification to Tackle All Aspects of the Software Lifecycle – Upcoming EU cybersecurity certification schemes should not only target the security of the end product but also take into account the software development lifecycle. This can be achieved by including provisions on the verification of the software and the process used. Such inclusion could benefit the whole supply chain and would be facilitated by lightweight conformity assessment methods (such as self-certification) for "basic" assurance level. EU cybersecurity certification schemes for products, services and process should also include assurances for the security of the engineering process by setting process guidelines for software development, maintenance and operation. These measures could help coalesce the elements of the currently fragmented landscape of software development and maintenance.
- Coordinated Action – The Cybersecurity Act reinforces the need for referencing international, European or national standards within the EU cybersecurity certifications schemes. Hence, more than ever, ESOs and SDOs should coordinate on the priority areas they can support and put forward standardization activities to benefit future schemes. They should communicate periodically their planning to the EU Commission and to the relevant Cybersecurity Act stakeholders.
- Mitigation of Common Security Risks – Manufacturers or providers of certified products, services or processes should explore the deployment and maintenance of repositories not only for publicly disclosed vulnerabilities but also for shared security aspects (e.g., access control, encryption) of certified products and services. This goes beyond certification schemes. These repositories could also keep metadata such as mapping to existing standards, revision history, related threats, and implementation guides.
3. … and What Comes Next?
In addition to the current work on the candidate schemes for SOG-IS and cloud services, the release by the EU Commission of the EU rolling work program approaches. By June 28, 2020, the EU Commission will publish the list of products, services and processes capable of being included in the scope of the EU cybersecurity certification schemes. It remains to be seen how software security will be addressed under the program; the Study provides interesting input on the side effects that cybersecurity certification schemes could have across the entire supply chain, even when promoting only a basic assurance level.
1 Interestingly, the Study’s release date is April 15, 2020, but the Study itself is dated November 2019 (but was not released at the time).
2 For previous coverage of the Cybersecurity Act, see our Legal Update.
3 For more information on those two candidates schemes, see ENISA’s website.
4 The Study refers to, among others, the common criteria, OWASP ASVS, BSI PAS 754 and ISO/IEC 27034. It also singles out PCI SSC as security requirements (based on PA-DSS) that, even if not mandatory (with some exceptions), are typically contractually transmitted down the chain to vendors and service providers and have become the norm.