How a proposed European Union cybersecurity law could affect things on this side of the Atlantic

Last month, the European Commission drafted a law called the Cyber Resilience Act. It’s an extensive framework aimed at improving cybersecurity in the EU. For the implications on this side of the Atlantic, the Federal Drive with Tom Temin spoke to senior policy analyst at the ITIF Center for Data Innovation, Kir Nuthi.

Interview transcript: 

Kir Nuthi: So in essence, the Cyber Resilience Act creates security by design, which is essentially a list of essential requirements for manufacturers, importers, distributors of connected devices. When I say connected devices, it’s almost entirely all digital products that connect to the internet, or internet connected software. So that’s a very broad amount of different devices that you and I use on a daily basis.

Tom Temin: Right. And so many of the purveyors of devices program their own software, operating systems, and so forth. So it’s really inseparable from the device in some ways.

Kir Nuthi: Exactly. It’s gonna cover the tangible digital products. So the device itself, and then non-tangible digital products, so the software embedded into these devices that can’t really be taken out of these devices.

Tom Temin: And when they say cyber resilience, what are they driving at here? What do they want these devices and the software to do now that doesn’t do?

Kir Nuthi: They want the software, or essentially the manufacturers of these products, to have improved cybersecurity throughout the whole lifecycle of the product, so essentially creating a single framework for all connected devices in the European Union. Now, while it seems to be EU specific, all devices that are in the European Union tend to appear in other markets like the US and the UK. So it is going to be one of these regulations that, when passed, is going to affect global cybersecurity and global connected devices everywhere.

Tom Temin: It’s almost like California in their bumpers, in their emissions, because it’s such a large market, everybody has to end up getting pulled along whether they want to or not, in other words.

Kir Nuthi: Yeah, it’s going to be a world leading beginning step for cybersecurity. The U.S. and the UK are already trying to get there as well. So it’s kind of a race to who does it first.

Tom Temin: Because in the United States, the software supply chain is the focus of cybersecurity right now. And that takes many forms. There’s an executive order on that, there is the CMMC program, the Cybersecurity Maturity Model Certification program, trying to get going in the Defense Department. But it all kind of has a theme there. Do these themes clash in some way?

Kir Nuthi: I think the US, the UK and the EU are all broadly tackling the same space, which is the digital products available in their markets, so the connected devices in their markets. The White House specifically has a plan for connected devices to create labeling standards, which is really similar to the EU Cyber Resilience Act, and the UK has, what they’re calling a product security and telecom infrastructure bill, which is a really clunky name that essentially also creates new security requirements for consumer connected products in the UK. So all three of them are tackling at the heart of new legislation, devices we use every day that connect to the internet.

Tom Temin: But what about devices that you wouldn’t normally classify as consumer devices as you move up the chain, there are home routers, but then there are industrial routers, data center type of gear, that route, switch, and so forth. And telephone systems, IP phone systems also connected to the internet. Does it just stop at consumer products? Or what about all of these industrial products that are often hacked, and at the center of all internet traffic?

Kir Nuthi: So the Cyber Resilience Act covers a broad swath of three categories. Class one is going to be the lower cybersecurity risk levels, but does take into account industrial software. So it’s password managers, remote access software, firewalls, routers, microprocessors, modems, all of these slightly less fun on consumer devices, whereas class two focuses on high risk and then industrial devices. So products with critical cybersecurity vulnerabilities that include public key infrastructure, microprocessors, industrial switches, the things that aren’t necessarily on you or me like our smartphones or smartwatches. And then there’s an unclassified category, which tends to include things that when you think of connected devices, you naturally go to, like game consoles and whatnot.

Tom Temin: Got it. So basically, if an electron flows through it, it’s going to be affected in some way here.

Kir Nuthi: I have been calling it, if it connects to the internet, there’s a pretty good chance it’s going to be affected, because it’s just interconnected, internet connected devices at the heart of it. And the lists are so expansive that it could just change. And it does actually have in the legislation that it could change and get added to or subtracted from, or all of these types of things. So it’s an ever changing large scope of things that connect to the internet.

Tom Temin: We’re speaking with Kir Nuthi. She’s senior policy analyst at the Center for Data Innovation, part of the Information Technology and Innovation Foundation. So what effect does this have on would you say, U.S. regulatory apparatus, and on maybe the buying plans or procurement plans of federal government agencies, if any?

Kir Nuthi: I don’t necessarily know what the offshoot for that’s going to be. What I do know is American manufacturers, distributors, and anyone who has a stake in the European market, in connected devices or internet connected software and devices, is going to have a stake in the game with regards to the Cyber Resilience Act. If you buy or sell in the European market, that means this act is going to affect you. And the way this act interacts with the White House’s plan for connected devices and the UK’s plan for connected devices is going to affect you. The interplay between the three is going to be at least, I find it personally, it’s going to be really interesting to see. But what it does mean is that in order to scale up into the European market, you’re going to have to take into account from the design phase of your products and services, these essential requirements, essential goals and essential processes that the Cyber Resilience Act adds.

Tom Temin: Sure. So the federal government, for example, buys lots of PCs, they buy routers and switches from big companies like Palo Alto Networks, or Juniper or Cisco and so on. These are also pretty much the same products that are sold into the European Union space, maybe a slight difference in the keyboard or something. But IP is IP. And so chances are then that the stuff that we buy here could be enhanced from a cybersecurity standpoint, by virtue of having to comply. If this law passes, and the EU does like to pass laws, if it becomes law, then we’d all benefit?

Kir Nuthi: We could all benefit or we could all see products that are inflexible to evolve with technological advancements. So with this list of essential security requirements, a lot of them feel kind of common sense. And a lot of them you do see companies producing these products already taking into account. The sheer amount of them and the specificity of these requirements makes it hard to really change with moving times. So it’s taking into account the cybersecurity landscape of today. Is it taking into account the cybersecurity landscape of tomorrow? No one really knows if that’s going to be true, because no one really knows where the vulnerabilities may evolve, and we can predict a little bit what that’s going to look like. So while it is a vital step in creating harmonized cybersecurity practices in the EU, what happens in the EU has extraterritorial consequences for the U.S. So U.S. connected devices are likely to see the exact same regulations and requirements happen to them. That’s almost why I believe an approach that acknowledges the differences in cybersecurity and regulates each sector most efficiently can make it more of an effective scheme to tackle cybersecurity risks. It’s a great first step, but it can stretch companies then as they already struggle to comply with so many different regulations. And it’s a one size fits all approach that is really difficult to set into stone and keep moving as technology continues to advance quickly, and more quickly than the year prior. It’s just going to be hard.

Tom Temin: And by the way, what apparatus does the EU have for testing compliance and making sure people are doing all of this? That’s a pretty big bureaucracy, the EU. That’s, you know, in addition to the governments of Europe, their own bureaucracies, can they check even on this?

Kir Nuthi: So the act’s implementation is going to take place at the national level. So we’re looking at all of the member states getting to choose their market surveillance authorities to ensure the implementation of the Cyber Resilience Act. These can be the same people who worked on the NIS 2 directive or on some other cybersecurity directives and certification schemes, or they can be entirely new authorities. Essentially, they’re going to coordinate with each other, conduct sweeps to make sure that the products are cyber secure, and then report to the European Commission. All of that to say that they also have the power to start the ball rolling on administrative fines for non-compliance. And these administrative fines for non-compliance are large numbers of 15 million euros, 2.5% of global annual turnover, and then decreasing downwards. So it’s at the member state level, despite it being an EU regulation.

Eric White: Kir Nuthi is senior policy analyst at the Center for Data Innovation, part of the Information Technology and Innovation Foundation.
