ETSI Security Conference 2023: EU Cybersecurity Certification with Philippe Magnabosco-Caillat

ETSI’s annual flagship event on Cyber Security, the ETSI Security Conference, took place face-to-face from 16 to 19 October 2023, in ETSI, Sophia Antipolis, France, and gathered more than 200 people. This year the event focused on Security Research and Global Security Standards in action The event also considered wider aspects such as Attracting the next generation of cybersecurity standardisation professionals and supporting SMEs.

At the ETSI Security Conference 2023, we spoke to Philippe Magnabosco-Caillat. Philippe is a cybersecurity officer at the European Union Agency for Cybersecurity (ENISA). ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

Can you explain the key provisions of the EU Cybersecurity Act?
Philippe: There are, in fact, many key provisions in the EU Cybersecurity Act one, series of which actually provide new legal ground for ENISA. But what really interests us today are the provisions on Cybersecurity certification by which the CSA, and that was one of the parts that was most debated why it was being drafted, creates a framework for Cybersecurity certification in Europe. Recognising that Cybersecurity takes a good supply of cybersecurity products or cybersecure products, we need to have the supply for the benefit of European customers, citizens, organisations, and businesses across the Union, as a union, and not just in a handful of countries that have a history of cybersecurity that have mutual agreement, but to make it more Union-like. So the Cybersecurity Act creates these certification schemes and provides information on how they should be developed, on the governance of them. CSA specifically, and that’s interesting for us today, mentions that those schemes should be based on the governments present in international European or international standards.

You mentioned that the aim is to have a single cybersecurity certificate which would benefit organisations, businesses, and consumers. What are the benefits for these different groups?
Philippe: The benefit is clarity on the market. The most immediate benefit, actually, is for vendors who propose products with cybersecurity features because they have just one certificate to pass in order to access the whole market. It’s different from what would happen before, where in some countries they would have to pass one certificate, in some other, another certificate – with limited mutual recognition. So, the certification framework paves the way towards that – we’re not there yet, we’re only beginning to put that in place – but that’s the aim. As for the users of products, it’s probably going to give us a better offer with more comparable offers as well. We are also thinking about labelling the products to make them more identifiable for customers. We’re not only talking about off-the-shelf products to end users, but even for a procurement in a small or medium size company, it’s hard to find your way through the jungle of cybersecurity features, and it’s better when those features are streamlined, presented in a way that is consistent across vendors, and if they’re vetted by an organisation that says “what’s in the tin, is what’s on the tin”. Those are the main benefits that I see. Going further than that, this is a framework that we’re talking about, and the Cybersecurity Act has proposed three levels of assurance: basic, substantial, and high. The purpose is to have those three levels deployed consistently across a very wide array of possible products with cybersecurity features. Cybersecurity should be everywhere, because IT is everywhere. We are now focusing on three schemes, but in the future, who knows, we might have sectoral schemes for specific branches of the industry, or specific lines of products that we don’t think of today. The CSA, the regulation is pretty open on this. Having a consistent approach to these three levels – they don’t look very detailed, it’s just three levels – but having them deployed consistently is both a challenge and an opportunity for the market and the users.

What is the role of ENISA in the development process of the certification schemes?
Philippe: One important thing is that the initiative for developing a scheme does not come from ENISA, but rather from the European Commission which is a more directly, politically responsible organisation, while ENISA is a technical agency. That said, ENISA is not a segment of the European Commission in the sense that we have our own governance, where member states are represented – the governance that has been organised by the regulation for certification, opens place for member states. The for the stakeholders, there is something called the Stakeholder Cybersecurity Certification Group (SCCG), alongside the member state who are represented in the European Cybersecurity Certification Group (ECCG). The SCCG, the stakeholders is where the three ESOs, the European standards developing organisations, are represented by having a very strong advisory role in developing this. So, the role of ENISA is to receive those requests, to maintain and operate the governance that has been proposed by the regulation, and to create the working groups, engaging the stakeholders, inviting applications to take part in working groups. The bulk of the work is actually putting these people to work, and working with them in order to develop the actual certification schemes. Beyond that, there’s the technical content, there’s the technical community to manage, and interfacing with the legal side of things because Cybersecurity certification schemes will be legal documents of the EU. They will be published as implementation acts witch are legal instruments in the EU legal order. So, we need to have this interface that goes all the way from legal to standards to stakeholders directly. There’s a lot of different vocabularies, a lot of different views that have to be brought together – it’s quite a piece of work, and ENISA does that. But at every step we’re talking with European Comission, we’re talking with standards organisations, we’re talking with stakeholders, vendors, and users. Basically, we’re in the middle of everything, we don’t do things alone ever – we couldn’t, but that’s what makes it interesting.

You have mentioned three focus areas – which are those?
Philippe: At the moment, there are three schemes that have been requested by the European Commission. The first is Common Criteria which is directed at products. It is, in fact, a European avatar of a set of certification schemes that exist and that have existed for decades now internationally, based on ISO standard, based on international standards. Previously those schemes were recognised only across a handful of European countries at a good level, and at a lesser level with outside of Europe countries, such as USA for instance. This changes the game a little bit in the sense that we’re going to have this scheme for the whole of Europe. But it was the “easy” part, between quotes, because it wasn’t that easy. It was easy in the sense that we already had the standards, we already knew what we were doing, we had some sort of governance going on, so we were not starting from scratch. So this was the first one. Common Criteria is a very versatile approach to certifying the cybersecurity of products. It is, however, something that is more targeted at high level or substantial level evaluations. It’s probably not a first approach in order to certify the cybersecurity of a connected bread toaster, for instance, the way it is made. But we have this and it’s a product-based approach. The next is the UCS, which is on cloud services. Cloud, very important in and of itself, and services, also important in and of itself because that’s the first scheme we have developed. Talking about services, different kind of stakeholders, different kind of market surveillance, different kind of thinking – so that’s very interesting as well. And the third one is EU 5G which is on mobile security where the focus was on using standards, very rapidly evolving ones – because the technology is evolving very rapidly – that are developed by international organisations, some of which have formal status recognised by the EU as the standards developing organisation, some of which don’t have it. It’s a whole different set of challenges. It’s also the first time that anybody has done anything like that so there’s a lot of eyes looking at us right now and trying to see how this is developing. Besides those three, I should say that ENISA also has an activity in a more forward-looking perspective way. We are ahead of the curve, looking at upcoming pieces of legislation, looking at upcoming technologies, and we are looking at whether there should be a certification scheme on them, and if so, how do we do it, with whom do we do it, what are the difficulties, and what are the standards that exist, or those that don’t exist. So, in a sense, some sort of prospective feasibility study approach to things. Very often we realise that things already exist, so we don’t mean to propose or to develop certification schemes for everything. In fact, with the three that already have – products, services, and telecommunications – we already have some breadth, but in the future we might have, as I have said earlier, sectoral needs for cybersecurity certification that might reuse part of CC, or part of the cloud services. If we’re going to develop a scheme for managed services, for instance, we’re going to reuse the knowledge that we’ve gained developing a scheme for cloud services, for the services part of it. We’re still creating the basics.

What would you say is the process, or the life-cycle, from commissioning phases to legal translation phases? How long does it take you to develop it?
Philippe: It is something that I can’t answer because we are not done with the first process yet. The most advanced of the three schemes is the EU CC because we were not starting from scratch. It is a challenge to do things like this, using standards – I am preempting later questions perhaps but – using standards is really part of the European Union’s DNA when it comes to harmonising the market, creating more freedom and more clarity, more legal certainty for stakeholders on the market, and for the benefit of the end users. Doing this through certification schemes is a bit of a novelty that is based on the experience of some member states including France, the Netherlands, and Germany, but it is not the usual way that the European Commission proposes to do things, and it’s not the usual way that the regulations drafted by and voted by the European Parliament and European Council are put together. So, it’s a bit of a new territory, and we are still exploring. It takes a bit more time than we have anticipated, the way that things must be translated into regulation. The good news is that we finally have a draft implementing act for consultations and we’ve had that for three weeks now, so we’re seeing the end of the first process. It was a long one. Perhaps in the future we can expect the processes to be less protracted because the path will have been set in a way.

You have mentioned three different levels of security, basic, substantial, and high – can you elaborate a bit on these levels?
Philippe: In a nutshell, basic cybersecurity is very much what it says. It is looking at having a product that is not naïvely open to very run-of-the-mill attacks. When we are talking cybersecurity, we are talking malevolent actors, we’re talking about attacks, and there’s a lot of common flaws that can be covered rather easily, and that’s what we are adressing with basic level. With substantial, we are addressing a little bit more sophisticated attacks, attacks that are made by malevolent actors that have some resources, they know new ways of attacking products, they are a little bit more persistent. That’s the middle thing. A high level is targeted as preventing attacks from malevolent actors with a lot of resources, very high grades attacks, people who are aware of very advanced ways of attacking products or systems, that have the resources to try and break difficult to break codes. The high level is really not for every product. The basic level is designed to be for any product that is susceptible to being attacked, and the middle solution is in between.

What would be the main takeaway today? How do you see these initiatives shaping the cybersecurity in the EU?
Philippe: The EU has been very active in the past years in terms of cybersecurity. Certification is just one part of it. I think that’s a very important message and that a part, actually, of the time it has taken to transfer the certification scheme into an implementing act is to really make sure that everybody understands that certification is just what it says – it is a technical evaluation, it is not a political statement about the vendor, it is not a guidance about how to use a product, it is just making sure that we have certain basic, or substantial, or high assurance levels about the product and that’s it. It’s very important, but it is only part of the picture. The rest of the picture is the Cyber Resilience Act which has a much larger way of covering things and which, incidentally, is closer to the traditional way the European Union is doing the single market because it is going to rely on conformity assessment modules, much in the same way that we do on other products, for product safety, for instance. There are other pieces of legislation that are targeted at the potential victims, how they should protect themselves, their duties in that regard, the duties of the of the state, the Union to protect them. One important thing is that, the CSA and the certification schemes is one of the ways in which cybersecurity which was very well handled by some at the member state level, becomes not just member state level but also Union level. Member states still have a very important role to play. They are the ones who are going to operate the schemes locally, and the CSA also creates national cybersecurity certification authorities who have very wide-ranging duties and prerogatives. They can do market surveillance, they can receive complaints, they can fine if there’s a problem, and they have to have a very high level of trust between themselves through peer reviewing. So, that’s a very important way of doing things as well – raising the level of shared trust across member states because they’re the ones that have the resources. ENISA is not that big of anorganisation. Things are going to be operated, in large part, at member state level, and I think that’s a very interesting way of creating precedents for the future. I have talked about possible sectoral pieces of legislation – there’s a draft AI act, for instance, which has also a security dimension. There’s so much being done, and yet so much to do. It’s going to be very interesting to see how this develops in the future. I would not like to forget the relationship with the rest of the world. At no point do we want to create a technology bubble in Europe that would not work. We do, however, have a European legislation providing protections for citizens, business, and organisations, we have to serve that, but we are really trying to do this in a way that is not only not contradictory with the rest of the world, but that is actually benefitting the rest of the world. We are, at the moment, very very concentrated on our objective: getting our schemes out, finishing them when they’re not finished, getting them out in the world, making them work. There’s a lot of communication being done towards the outside partners across the Atlantic, on the other side of Asia. We have those contacts and we’re going to have more of those contacts when these schemes are live in order to make sure that we have the right approach. We don’t want to be a bubble, we’re not an island, we’ll never going to be. So, we don’t see this as a limes, or a protection wall around Europe, but rather as a way to move cybersecurity forward globally.