A report released by trade association DigitalEurope on Wednesday (8 September) underlined the lack of baseline cybersecurity requirements, saying the existing rules were insufficient and calling for horizontal regulation as the EU is working on updating its cybersecurity legislation.
Vulnerability to cyberattacks is growing, as the number of devices connected through the Internet of Things (IoT) in people’s homes and everyday lives rapidly increases.
A recent test by ethical hackers at Euroconsumers found that an alarmingly high number of commonplace smart home devices such as WiFi routers, baby monitors and alarm systems suffer from serious weaknesses, leaving them susceptible to what could be very sensitive breaches.
According to DigitalEurope’s report, however, existing product legislation falls short when it comes to addressing cybersecurity.
“Because its scope and conformity assessment methods are generally designed to address physical product functions, existing product legislation cannot properly address administrative or organisational aspects, which are more prominent and common to more types of devices,” it said
In December last year, as part of its new EU Cybersecurity Strategy, the European Commission launched a proposal to revise the cybersecurity standards set in the Network and Information Security (NIS) Directive, the first EU-wide legislation on the topic.
The new legislation, so-called NIS2, is intended to strengthen and expand upon its predecessor in regulatory scope and volume, responding to a general rise of cyber threats but also to growing vulnerability caused by the pandemic-induced increase in dependence on network and information services.
The current state of cyber resilience is a “vicious circle” of dealing with consequences and mitigating threats that risks “undermining trust in the digital ecosystem and preventing us from taking full advantage of technology”, Klara Jordan, chief public policy officer, CyberPeace Institute, warned at a recent cybersecurity conference.
Harmonised and horizontal measures
The experts surveyed for DigitalEurope’s report overwhelmingly cautioned that cybersecurity should not direct its focus wholly, or primarily, towards product-related features such as passwords, emphasising instead that in order for protections to be sufficient, organisational requirements must be accounted for.
The report notes that current EU product rules are based on physically verifiable factors such as a product’s electrical properties or the materials it is built with, which cannot be adequately applied to something intangible like cybersecurity.
Another issue is the fact that verification currently occurs at the moment a product is placed on the market, without leaving room for continuous monitoring throughout its lifecycle, something which is necessary to stay ahead of evolving cybersecurity threats and vulnerabilities.
Given the high proportion of common product and organisational baseline cybersecurity requirements, those consulted by DigitalEurope agreed that defining these requirements for connected devices is crucial to ensuring their overall security.
Putting in place horizontal regulation in this area, the report said, is a key way to ensure a sufficient link between legislation and standards, and to harmonise requirements between different products and in different areas. Existing product legislation, it cautioned, is insufficient.
Bart Groothuis, the rapporteur for the NIS2 directive, told EURACTIV that the kind of horizontal legislation called for in the report was much needed, but did not fit within the current NIS2 proposal, an issue he said he had raised with the Commission on a number of occasions.
“The EU Cybersecurity Strategy would be incomplete without such horizontal legislation”, he said. “The Commission should launch proposals in the shortest possible time frame.”
If existing product legislation is used to address cybersecurity, DigitalEurope said, it should be limited to basic requirements and repealed once horizontal regulations entered into force.
The research by Euroconsumers demonstrates how these risks could impact consumers on a very personal level.
As part of their “Hackable Home” project, two ethical hackers tested 16 widely available smart home devices made by both well- and lesser-known producers and discovered 54 vulnerabilities overall. In 10 of the devices trialled, at least one of the weaknesses detected was classed as “high severity” or “critical”.
“The results are alarming,” Els Bruggeman, Euroconsumers’ Head of Policy and Enforcement said. “Manufacturers must do more. This is crucial to create consumer trust that will allow the whole Internet of Things ecosystem to flourish. If it isn’t safe and secure, it isn’t going to happen.”
The findings echo concerns raised by other groups and experts over the potential risks found in many smart devices currently on the market. In many cases, passwords prove the weak point, especially where devices arrive from the factory with default login details that users often do not go on to change.
A study by UK-based consumer group Which? earlier this year detected 2,435 malicious attempts to log into devices with weak default usernames and passwords in a fake “smart home” over the course of just one week.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]