Last December, 6th finished the feedback period that European Commission opened on September, 13th to its proposal for regulation about ENISA and ICT cybersecurity certification (reference COM(2017)477). Finally, 32 organizations have given their feedback, as can be consulted in the Cybersecurity Package website. The objective of this post is to share our feedback but, before that, we would like to highlight that, of the 32 opinions submitted, there are 11 submitted from Belgium (since is where many lobbies and european organizations are based), but after those, 5 opinions have been sent from France, 3 from UK, USA and Germany, and only 1 from the rest of countries (Poland, Portugal, The Netherlands, Denmark, Finland, Czech Republic and Spain)... So our first reflection would be, as the opportunity is given to provide feedback about upcoming regulation, why not being more proactive than just complain after it has been approved?
But, more to the point, our comments to the proposed texts have gone in the following way:
- Regarding to ENISA role, we miss an initiative or group of tasks related with supporting European Society in improving its level of cybersecurity and, specifically, in promoting the use of capability building methodologies.
- On the other hand, we think that certification is not the only solution to reach the goal of improving security levels (in fact, in Europe we have other ways to address similar issues, as for example, the REACH program or the conformity assessments for the single market) and to bet for this mechanism as the only way is going to increase market fragmentation because every use case is going to need its certifiable standard. Trying to make a simile, it is like instead of thinking in making a custom-made suit for every person, we tried to standardize one size fits all for everybody (well, in fact, sector by sector, as if all people in one sector were equal...), when we can use a sizing system so that each person choose the size that better ftis her needs - considering that making something to measure is not viable. These would be the proposal based on different levels that LEET Security is proposing.
- We think is also a problem the proposal of different levels of assurance because it would create confusion between final users. In our opinion, what is important is not to say if someting is secure at 90, 50 or 25%... because, in any way, it is false. What is relevant is saying to the user at 90% that someting has a level of security of 1, 3, or 5 over 5 (being 5, what is called 'state of the art').
- Finally, we miss the expected regulation about a new cybersecurity labeling system. In our opinion, more that create a label that says "made in Europe" as a security mark, it would be more useful use something closer to a sizing system label (again), so that users could know what is the level of cybersecurity of the product or service that is going to be used.
You can follow us on twitter.com/leet_security