Standardization is an important step in streamlining technologies. How standards can help in cybersecurity, and why IoT should receive a security standard right now (but also why this is not as easy as it sounds), is something we talked about with Alex Leadbeater, chair of the Technical Committee Cybersecurity (TC CYBER) within ETSI. Alex also shares his vision for a more secure future.
Cybersecurity Magazine: You are chairing the Technical Committee Cybersecurity (TC CYBER) within ETSI. What does the TC CYBER do?
Alex Leadbeater: Within Europe, there are three Standards Development Organizations (SDOs), of which ETSI is the most commercial and industry focused. ETSI is one of the partners of 3GPP, the body that produces 5G standards. Within ETSI we then have TC CYBER, which is specialized in cybersecurity across most standards that ETSI develops.
Everything from intelligent transport, 5G, industrial IT, health care, pretty much all of the sectors ETSI covers, TC CYBER has a slice across. TC CYBER is the center of excellence, meaning that while some of the groups have a subsection which deals with security, TC CYBER acts as a central cybersecurity focus for ETSI. Hence the committee has a global view of just about everything that ETSI does. The other working groups and ISGs (the industry specification groups) liaise with our committee and, where necessary, borrow its expertise for specific projects. That's the high-level overview of what TC CYBER is and how it fits into the ecosystem.
Cybersecurity Magazine: A word on standardization in general. We perceive that in the industry it’s sometimes difficult to establish a standard, how does ETSI drive the industry towards a more standardized approach?
Alex Leadbeater: The members of ETSI include telecommunications companies, internet search and social media companies, infrastructure providers, universities, governments, NGOs and others having an interest in effectively sharing information on cyber threats and establishing new standards in general.
In ETSI, we coordinate with other standardization bodies to avoid duplication. This is all the more important as we don't want 25 different ways of doing things and to be in a situation where each country would pick a different standard and we would end up trying to comply with all of them globally. So, having yet another standard just because ETSI doesn't have one in a particular area is not something that we strive to do. Indeed, within Europe, we actually work very well with the other European standards organizations to avoid that sort of overlap. For example, in TC CYBER, we have been doing quite a lot of work on IoT consumer security. Therefore, in that area, other standardization bodies, CEN-CENELEC for example, have been working with us rather than doing their own standard. That's exactly the idea.
Cybersecurity Magazine: Security for the Internet of Things (IoT), and consumer security specifically, is a very interesting topic. The IoT is currently a mess of a lot of very insecure devices. What are the challenges in bringing together the manufacturers of these devices and establishing a security standard for IoT consumer devices?
Alex Leadbeater: The first question you have to ask in this space is: "how did we allow these sorts of devices on the market?" The answer actually is relatively simple: consumers will generally buy a smart device for reasons other than its security. Even if one device has a security symbol stamped on it and another doesn't, that doesn't tend to be a feature that people buy on. Therefore, it's not a feature that is necessarily designed into all products.
The other issue is the shortage of expertise. In Europe we have about a 10% to 15% shortage of cybersecurity expertise if we think of the number of people with that sort of skill set versus the number of roles that companies ideally should have. With regards to IoT devices, that means that the bulk of these products and services are being designed by routine software engineers and others who actually do not have a security background at all. That's one of the reasons for the insecurity of these products. So even if there is a new market drive to have cybersecurity expertise, the individuals producing those services don't necessarily have the competencies to think about cybersecurity by default or cybersecurity by design.
Hence, on the one hand, you've got the consumers who aren't asking for products to be made more secure, and on the other hand, we've got the manufacturers who know that adding security will also add to the costs of their products, and that premium will usually not be paid by consumers, or at least a significant percentage of them won't, especially those outside of the EU and US.
To counter that, we therefore have the Cybersecurity Act in Europe, and indeed also the Radio Equipment Directive (RED). Both of those provide mandatory requirements in Europe for security testing and certification. The Cybersecurity Act requires certification of IT products, whereas the RED effectively requires any product containing a radio element to comply with a number of stringent security requirements. To give an example, if you have a fridge that has a small WiFi capability, the Radio Equipment Directive actually applies to the whole fridge, not just the WiFi module. Going forward, those pieces of legislation will start to force manufacturers to improve security whether they want to or not.
I think the other thing that starts to enter the picture is the brand damage that people are starting to see when yet another baby monitor has got an open camera vulnerability. Those kinds of headlines don't look terribly good for your brand if you encounter them, but I also think there is an increasing public awareness driven by regulations such as GDPR.
Now, having got a bit of movement in the ecosystem, the standards come into play. In many countries, complying with an industry best-practice standard will give you a degree of "Safe Harbour" protection. So, if your product complies with a security standard, you're safe. If you don't meet that standard and you have a breach, you are going to end up with a nasty surprise. These are the drivers of change, but I think we have to accept that a lot of the products that are on the market today are still going to be in use by consumers in 10 or 15 years' time.
Cybersecurity Magazine: Will both directives be comparable to the CE certification, meaning that nothing can be sold in Europe without the CE certification?
Alex Leadbeater: The directives we are talking about are looking at a number of things. One is potentially some form of traffic-light-type scheme, similar to what is already established for household appliances, in other words some form of color coding of the products which indicates the quality of their security.
However, one of the debates that is ongoing is whether the products will be certified, or whether you certify manufacturers and processes. Now I am very much with the processes and manufacturers, on the basis that if you give me any product which passes, I will tell you that the test wasn't good enough, and if it passes today, it will probably fail tomorrow, because there will be a threat that you didn't know about yesterday.
Hence the main question is whether we can certify the manufacturers. In other words, we look at their processes. How do they do security by default? Is cybersecurity something that is embedded in their software design processes? If that is built into their processes, then even if they do produce a product that actually has a bit of a problem, we are reasonably sure that they will fix it quite quickly, because they have a security by design ethos within their overall company.
Actually, what we need to be looking at is not only the companies; it extends all the way down into universities, and potentially schools, in terms of actually teaching cybersecurity fundamentals. So, when you write an app, when you design a system, you need to think about such things as: "do I really need to store this bit of data? If I do store it, it should be encrypted".
Security is difficult to retrofit, and if within Europe we can make people start to think about cybersecurity more, that hopefully will drag the standard up around the rest of the world. This is certainly the objective of ETSI. Though ETSI technically has "European" in the title, we are a global body. For example, there is interest from Japan in looking at whether they can adopt the ETSI consumer IT standard for their own national purposes, and Australia is also looking at it.