How can collaborative standards development support the European cybersecurity agenda?

21 Jun 2022 12:15h - 13:15h

Session webpage

Event report

This session shed light on cybersecurity standards development. Mr Vladimir Radunovic (Director, E-diplomacy and Cybersecurity Programmes, DiploFoundation) opened the session by explaining that standards underpin all of our technologies and products and, although they are not visible or important for many beyond standardisation communities and narrower cybersecurity communities, this is changing due to many factors, such as politisation of digital issues, including standard-setting processes. 

As Radunovic said, Europe is leading the front on cybersecurity regulatory and policy frameworks. Mr Sławomir Górniak (Senior Cybersecurity Expert, European Union Agency for Cybersecurity (ENISA)) pointed out that EU policymakers have a number of instruments at their disposal to improve cybersecurity in general and it is important that they choose the correct instrument for a concrete problem. 

However, the question of what a cybersecurity standard is, is still open. As Górniak noted, many standards cover or touch the cybersecurity field; nevertheless, until very recently, these standards have been mainly directed to safety, not security or cybersecurity. He mentioned that only recently have we seen regulatory acts related to cybersecurity appear, for example, the NIS directive and the GDPR, that touch upon cybersecurity to some extent; the EU Cybersecurity Act, the Chips Act, and others. These new pieces of legislation mention the requirement of certification of products and processes, but also they mention the importance of standards as the basis of certification. Therefore, all these acts somehow mention standards and the necessity of applying specific cybersecurity-related standards in order to fulfil some of the articles.

Mr Jari Arkko (Internet Ericsson Research and IETF Architecture Board (IAB)) continued on the question of cybersecurity standards. According to Arkko, we should first ask what we need and what technology we need to standardise and how it interplays with the government. 

Mr Thorsten Katzman (Cybersecurity Standardisation, IBM) asked: Do we mean to standardise only technology and organisational aspects, or, as well, procedures that provide guidelines? In his view, all is needed. He also raised the question: Who is the one to decide what standards are needed? Katzman stressed that it is not just only industry, manufacturers, or software developers; rather, it should be market-driven and include all players. According to Katzman, it should not be industry that decides what is really needed.

Mr David Tayouri (Chair, IEEE SA Cybersecurity for Agile Cloud Computing Industry Connections program, and ELTA Systems, Israel Aerospace Industries (IAI)), elaborated on the question of the main gaps in the implementation of standards. Tayouri presented an example of small and medium enterprises (SMEs). A few years ago, the perimeter of an organisation was physical, so it was secured by physical means such as a secure network with firewalls. Today, many employees work from home and some of an organisation’s assets are stored in the cloud. Hence, the attack surface is larger than before and the method of working and accessing data has changed. SMEs should understand the risks that these changes have brought to an organisation. They have found the following gaps: most of the technologies for securing the cloud are fulfilled, but some gaps remain, such as endpoint security (there is no specific standard). Tayouri emphasised that in regard to security, in particular to the cloud, regulation is a must. Most SMEs are not aware of cyber risks and those that are aware will have a hard time finding experts to mitigate those risks.  They trust cloud service providers. The question is how this trust can be enforced; the role of regulation or regulator should be to enforce the trust by relevant standards that are or should be defined, to fill these gaps.

By Kristina Hojstricova