European Union (EU) legislators, like most of the world, are troubled about the increasing number and severity of cybersecurity incidents. However, unlike most of the world, which is taking a flexible, adaptive Zero Trust Model approach of continuous controls for cyberdefense, the EU government is pursuing a vastly expanded version of the failed Common Criteria certification model coupled with regulatory extremism and exceptionalism strategies. The principal mechanism for the strategy is its Cyber Resilience Act (CRA) “in order for the Union to play an international leading role in the field of cybersecurity” and assert its technological sovereignty. The notion that any one government authority declares itself the security architect and arbiter of all the world’s digital products and providers is profoundly disturbing. The regulatory basics and a red team analysis are provided below.
The draft CRA begins by asserting regulatory jurisdiction over all the digital code, devices, and processes in the world finding their way into the European market together with all their manufacturers, distributors, importers, representatives, developers and facilitating individuals (denominated Economic Operators).
The Act conscripts a vast enforcement legion of surveillance, notification, and accreditation authorities across the entire EU, together with new EU oversight, regulatory committees, and harmonised regulatory standards activities. It imposes scores of continuous, extensive registration, certification, notification, and product requirements on Economic Operators covering every aspect of their business and their suppliers, for every digital product, version, and modification produced, vulnerability discovered, or incident occurring - with the power to compel even confidential design information.
The entire regulatory regime is constructed and maintained using CRA-unique product categories, standards, terminology, definitions, processes, enforcement powers, and adjudications that EU government institutions create, approve, and continually control. There are presently 15 sets of “essential cybersecurity requirements for all products with digital elements” and an array of significantly expanded requirements for 41 vague categories of “critical products.”
It establishes an array of continuing CRA information sharing and enforcement activities, including regular coordinated “sweeps” to “check compliance with or to detect infringements ...including under a cover of identity.” Lastly, it imposes draconian sanctions and enormous fines for non-compliance, including the allocation of those fines as an enforcement bounty for EU Member State projects.
As part of the background, over the past several years, the European Union (EU) has attempted to deal with perceived citizen needs for the Information and Telecommunication Technology (ICT) sector by adopting ever more far-reaching regulatory requirements imposed on almost every information network device and service offered within its jurisdiction. There are now more than 400 individual EU legislative instruments containing regulatory-related provisions applied to 42 identified ICT sectors. The preponderance of those provisions is devoted to cybersecurity.
The pinnacle of this regulatory progression is a new CRA draft version with the formal title “Proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020.” The new CRA draft made available last month consists of 101 explanatory preface paragraphs, 65 regulatory provisions, and eight annexes—totaling 40535 words, with ongoing mechanisms for significant existing and future expansions through secondary references many times the size of the published provisions. It is accompanied by a 2022 multi-part European Commission staff impact assessment report, executive summary, factsheet, numerous press releases, and recent ESO standardisation request. A European Commission (EC) CRA promotional website also exists with reference pointers.
All this material speaks glowingly of the proposal, asserting that “New EU cybersecurity rules ensure more secure hardware and software products.” The Commissioner for the Internal Market says, “the Cyber Resilience Act will help protect Europe’s economy and our collective security.”
What the CRA attempts to unilaterally achieve as a concept and extreme regulatory regime is unique, expansive, and without precedent. If the CRA were being applied to the chemical industry, the equivalent regulatory regime would entail identifying every molecule in existence together with the hypothetical vulnerabilities and expanded to every compound manufactured, imported, or distributed in the EU marketplace. That challenge would be easier. Chemicals are in a physical form, as opposed to “digital elements” that are ephemeral, easily manifested autonomously, and accessible or distributed globally in an instant.
The EU political processes tend to be relatively insular, encourage positive reinforcement to support the views of major politicians, and discourage skepticism. There have been innumerable CRA “blue teams” of various kinds in the CRA’s development. For example, the Act’s European Commission staff impact assessment executive summary saw only a net reduction in cybersecurity costs and no “significant negative impacts.”
The assessment impacts were based on least-cost assumptions for generic product compliance actions and “testing” rather than any detailed examination of the CRA provisions in the context of real-world ICT production, vulnerability discovery, and regulatory compliance requirements. Even so, the impact assessment does estimate a total of EUR 17.5 billion for software compliance alone, with testing adding nearly another EUR 100 billion. Notwithstanding the hand-waving economics, the compliance costs are enormous and principally imposed on all the Economic Operators adversely affected. It is not apparent that there was any global outreach or institutional engagement—especially in the principal intergovernmental organisation, the International Telecommunication Union (ITU).
It is also not apparent that any comprehensive “Red Team” analysis of the flaws contained in this undertaking was done beyond soliciting comments submitted in the public consultative process. Notwithstanding the CRA proposal being the most expansive and unprecedented cybersecurity regulatory regime in history, relatively few comments were filed in two formal consultative windows in 2022 Q2 and Q4. Those comments submitted were primarily from 63 business associations and 54 companies who supported the objective of improving cybersecurity in Europe but raised numerous concerns about the appropriateness of the regulatory measures being taken. The most recent CRA version included comments by 79 parties made directly to the rapporteur that are not publicly available. It is also not clear, however, to what extent the comments were reviewed in the legislative process with any care, considering one of the comments was obviously faked from the U.S. NSA and remains in the consultation docket.
The CRA is well-intentioned, with desirable generic objectives and good practices that almost everyone embraces today. However, the extreme regulatory measures to impose a Common Criteria compliance model pose numerous CRA implementation impediments and challenges. Many of them are fatal and were raised in formal comments, industry articles and academic literature that effectively constitute a Red Team analysis, summarised below. It is generally rather simple for legislative and administrative bodies to prepare and promulgate extreme regulatory regimes and assert governmental exceptionalism. Actually implementing the regimes in any effective fashion is the challenge.
The number of instances of computational devices, running code, and remote processing instantiations today is essentially unfathomable and unknowable. Remote processing instantiations are virtual and, therefore, ephemeral on demand. The EU share of the CRA-regulated global market is likely similar to consumer electronics, or about 15%. Whatever the extremely large values are in the EU market, it is likely that the EU share of products used and remote processing is measured at least in peta-instances. The number of “Economic Operators” included by the CRA worldwide is likely in the tens of millions, with some significant percentage engaged in the EU market because mobile communication and Internet infrastructure enables open, autonomous provisioning. This enables dynamic marketplaces that evolve on a large scale continuously, autonomously, and porously across the EU geography. The overreach of the omnibus regulatory net cast by the CRA ensures its unimplementability by design.
The Act attempts to create several product subsets for “stricter conformity assessment processes.” These include 41 types of “critical products with digital elements” with two sub-types: 28 Class-I and 14 Class-II. The selection of these “critical products” is based on an asserted abstruse thesis that “the negative impact of the exploitation of potential cybersecurity vulnerabilities in the product can be severe due to, amongst others, the cybersecurity-related functionality or the intended use.” The list, however, is largely a random ICT word salad, including simple phrases like “physical and virtual network interfaces.”
The Class-II critical products that are subject to stricter conformity processes allegedly “might lead to greater negative impacts than an incident involving products in class I.” However, some of these enumerations, such as “secure elements,” are utterly vague without meaning. The legislators themselves, in the explanatory statements, admit there is a problem with definitions by calling for subsequent action “to ensure legal clarity and certainty.”
Three additional kinds of products are identified in the Act. Something called a “highly critical product with digital elements” is mentioned in Art. 6.5, but not specifically identified, and ascribed to a potential future “supplement” to the CRA. Additionally, Arts. 43, 44 and 45 refer to “products with digital elements presenting a significant cybersecurity risk.” These products are also not identified, but any EU Member State can designate them under the CRA, and impose an array of additional requirements or strictures. A variant called “compliant product with digital elements which present a significant cybersecurity risk” is treated in Art. 46 and subjected to an array of further obligations. This constant swirl of numerous follow-up administrative processes would require every digital product vendor in the world to be constantly engaged in them to be even nominally aware of the obligations.
Then there is the inability to understand who is subject to the obligations imposed. The identified Economic Operator parties include “manufacturers, importers, and distributors”. The CRA does contain definitions of those terms, but they are vague and essentially expanded to include everyone in the ICT sector. For example, a manufacturer includes “any natural or legal person who develops or manufactures products with digital elements or has products with digital elements designed, developed or manufactured, and markets them under his or her name or trademark, whether for payment or free of charge.” An importer includes anyone in the Union “placing a product with digital elements on the market bearing the name or trademark of any entity outside the Union.” A distributor means “any natural or legal person in the supply chain who makes a product available on the Union market.”
The challenge of understanding who is an Economic Operator is exacerbated by the defined term “makes available on the Union market,” which “means any supply of a product with digital elements for distribution or use on the Union market in the course of a commercial activity, whether in return for payment or free of charge.” The simple act of someone sending an executable file attachment to another person as part of a commercial activity would bring them under the CRA obligations. The CRA creates a vicarious cyber regulatory trawling net that encompasses a vast array of autonomous and constantly changing entities and people globally who would be difficult to identify and would be unaware of the imposed obligations.
The well-known cybersecurity challenge dealing with enormous arrays of constantly changing requirements and information is known as “the fog of more.” The CRA constitutes a very dense fog.
The CRA enumerates 15 essential cybersecurity requirements for all the world’s “products with digital elements” and demands that verifiable conformance standards and guides for accomplishing those requirements be developed by the European Commission either by looking to “existing or imminent standards” of the ISO, IEC, and ITU, or be written by ETSI, CEN or CENELEC or just adopted by the Commission itself.
However, those 15 requirements vary between vague admonitions and known impossibilities—to be applied to all the existing or future “products with digital elements” in the world. An outstanding example is the first requirement: “delivering products with digital elements without known exploitable vulnerabilities.” It is a task that was declared impossible, and of limited value to pursue, 56 years ago at the world’s first cybersecurity technical conference. It is not feasible to produce verifiable standards or guides to apply the enumerated 15 requirements “horizontally” and verifiably to every product with digital elements in existence.
The infeasibility impediment is expanded by also demanding that verifiable conformance standards for essential security requirements be generated for the 41 enumerated vague “critical products with digital elements.” One of those critical product categories in the CRA simply reads “secure elements.” The impediment is exacerbated by the reality that all the products in the marketplace generally use standards for “essential cybersecurity requirements” developed by the scores of international industry and developer standards bodies explicitly precluded from use by the CRA definition of international standard. See https://circleid.com/posts/20230820-the-standards-myth-that-does-not-stop
Chapter I of the CRA sets forth 18 product category exclusions and clarifications, plus 15 activities that can expand and modify the requirements and categories, and establishes an Expert Group enlisted in implementing the Act, including assisting surveillance authorities.
Chapter II of the CRA sets forth 36 obligations for “Economic Operators” - 20 for manufacturers, 14 for importers, 8 for distributors, 3 for all, plus several buried expansions such as automatically denominating any natural or legal person a manufacturer if they “substantially modify the product and make it available on the market.”
Chapter III sets forth 33 complex requirements for “conformity of the product with digital elements” that are significantly expanded in the Annexes.
Chapter V sets forth 54 additional obligations flowing from the “market surveillance and enforcement” provisions.
The CRA has several hundred regulatory requirements in the Act itself, and many more incorporated through secondary references—ultimately numbering in the thousands, with most being the subject of further proceedings and processes continuously underway. Many involve processes that are not public and proceed without notice to, or engagement by, those affected.
“Products with digital elements” are ubiquitous in the EU marketplace—continuously and massively developed, modified, and instantiated autonomously everywhere as part of a global information mesh of networks. The compliance implementation of the CRA rests largely on Member States together with the Commission undertaking 71 requirements specified in Chapter IV of the CRA (notification of conformity assessment) and 74 requirements in Chapter V (market surveillance and enforcements) to create an array of bodies and activities spread out across the EU. Member States are required to ensure that the designated market surveillance authorities are provided with adequate financial and human resources to fulfill their tasks under the CRA.
However, given the enormous scale of compliance activity and surveillance required to even begin enforcing the CRA requirements, and potential adverse effects of the CRA, and the availability of more reasonable alternatives like the Zero Trust Model being pursued by almost all nations, it seems likely that at least a few EU Member States will resist implementation.
Perhaps most significantly, given that end users and enterprises in the EU can simply themselves choose to download or otherwise receive products with digital elements or use remote processes from Economic Operators of their choice at any time, the ability to actually control market availability across open mobile and Internet infrastructures does not exist. The entire CRA deck of cards rests on the presumption that a regulatory Armageddon approach of massive compliance mechanisms, surveillance, and fines will force Economic Operators throughout the world into compliance.
The total cost of even attempting implementation of the CRA approaches several hundred billion Euros. While most of the costs would be borne by compliant Economic Operators, some significant portion of those costs would be incurred by Member States directly or indirectly via EU institutions. In the new CRA revision, the Member State costs are being promoted as a means for each country to use the fines assessed against an Economic Operator to recoup costs or fund new national programmes.
The enormous monies being spent to attempt the impossible and failed Common Criteria model of the CRA, coupled with the significant collateral adverse effects, could more effectively be spent on implementing a Zero Trust Model and the NIS2 regulations. This point has been repeatedly raised in media commentary. Once this realisation becomes well known, it seems inevitable that EU Member States and citizens, together with further, resist its implementation.
The most prominent incompatibility of the CRA is the Common Criteria certification model versus the Zero Trust controls and monitoring model. However, on the technical and operational levels, it is the vulnerability discovery ecosystem where there is an equally significant incompatibility. The treatment of vulnerabilities is a significant component of the CRA—mentioned 54 times in the Explanatory Preface, 43 in the body of the Act, and 38 times in the Annexes. Annex I, Clause 2 is dedicated to vulnerability handling.
Given the enormous complexities and code bases typical of contemporary products with digital elements, it is not possible to know or test for all the potential vulnerabilities in all the diverse user implementations before the products are placed on the market. The vulnerability discovery ecosystem—which is itself complex and adaptive—varies significantly among product sectors, markets, and national jurisdictions. That ecosystem notably consists of diverse specialist vulnerability discovery entities, an associated economy, national security mandates such as Vulnerabilities Equities Processes (VEP), and carefully staged sharing of the vulnerability information among a diverse array of repositories, industry bodies, vulnerability aggregators & evaluators, and cybersecurity service providers. In the vulnerability ecosystem, mutual trust is essential, variable and negotiated.
Economic Operators must comply with the vulnerability disclosure requirements in effect in the jurisdiction of their headquarters, and several of the CRA requirements are significantly at odds with the existing mandates and practices, and are themselves significant cybersecurity vulnerabilities. As a result, they cannot be followed.
The enormous amount and detail of product information, including that related to vulnerabilities, compelled for disclosure by the CRA to EU institutions, as well as the disclosure timings, are themselves significant adverse collateral cybersecurity effects. The CRA requirements are built on the false assumption that their own information handling systems and support personnel, spread out across multiple EU institutions and those in 27 Member States, are somehow perfect and not vulnerable. Such security and confidentiality is essentially impossible. In addition, the aggregation of so much sensitive information compelled by the CRA is certain to attract significant numbers of Nation-State and freelance hackers.
The EU today has scores of regulatory instruments that thread through the CRA in complex ways that are not well understood. Several are identified in CRA provisions with initial clarifications. Others are identified with entwined obligations that are not clarified or are left for future examination. Many entwined instruments are not identified at all. These impediments were identified in the staff assessment and set aside for further work.
The reality of the enormous number and complexity of the EU legislative instruments today, combined with the lack of a unifying codification and with the massive size and complexity of the CRA itself, ensures an inability to harmonise among all the diverse requirements.
The EU has a propensity to implement most of its cybersecurity standards based entirely on those behind ISO/IEC publication paywalls or on transpositions behind CEN/CENELEC publication paywalls. The total costs of required standards typically reach tens of thousands of Euros for single-user viewing rights for compliance with even simple EU regulatory instruments. The practice was recently found to be a human rights violation by the EU Court of Justice Advocate General. It is, additionally, a rather fundamental impediment to CRA requirements implementation. See https://circleid.com/posts/20230623-eu-standards-must-be-freely-available
The cybersecurity authorities in essentially all countries, including several in Europe, have chosen to take essentially the opposite approach of the CRA. They realise that it is simply not possible to impose massive regulations on all the “products with digital elements” in existence - together with those who produce or make those products available.
Almost all industries and national jurisdictions except the EU have instead adopted a Zero Trust Model (ZTM), which deems every network element as inherently untrusted and places the emphasis instead on implementing critical security controls and appropriate levels of continuous monitoring to establish a needed risk level. The Model eschews certification systems which were dismissed by Ware and Peters in 1967, and proven to fail in repeated attempts since—especially the Common Criteria programme. The ZTM is now being pursued at scale in major industry standards bodies such as 3GPP and ITU-T SG17.
The fundamental differences between the EU CRA regulatory regime and those of other national jurisdictions globally, including likely multiple EU Members, will preclude support for the CRA. Multiple nations will actively oppose it. The latter seems likely to occur because of the adverse effects of the CRA on global trade in ICT services and products. The CRA is arguably a significant violation of longstanding trade agreements. The EU would face litigation in multiple judicial and administrative venues challenging the CRA under public international and domestic law.
In the most recent revision of the CRA, the EU legislators added a provision recognizing the problem by tasking the EC to effect Mutual Recognition Agreements (MRAs) “with third countries that are on a comparable level of technical development and have a compatible approach concerning conformity assessment.” However, in light of the EU’s technological sovereignty strategy and the notion of EU cybersecurity exceptionalism underpinning the CRA, getting acceptance from other nations seems a major challenge. The proposition that the EU has all the cybersecurity solutions, both technologically and legally, is not likely to be accepted by most jurisdictions.
In most jurisdictions, the parties defined as Economic Operators enjoy an array of juridical rights that are enforceable against legislative and administrative agencies. In the case of the CRA, the requirements imposed on economic operators represent an extreme in regulatory overreach, vicariously applied to millions of entities worldwide with little actual justification other than a bald assertion that they will “ensure the cybersecurity of such products”—which is not possible. Indeed, it is widely accepted that much more effective and essential alternatives are available to bring about lowered risk, and which are less onerous and abusive of Economic Operator rights. In Europe, especially, legal persons also enjoy human rights.
Indeed, in the latest draft of Explanatory Statements—although not reflected in the actual text—the objective is now expressed in a less normative fashion: “this Regulation aims to set the boundary conditions for the development of secure products with digital elements by ensuring that hardware and software products are placed on the market with fewer vulnerabilities and that manufacturers take security seriously throughout a product’s life cycle.”
Almost all the products—critical and otherwise—within the scope of the CRA are designed to meet cybersecurity requirements adopted collaboratively in an array of industry international standards organisations. Yet for reasons that are inexplicable and unsupportable, the CRA excludes all those organisations and constrains CRA regulatory implementation standards to three European Standards Organisations plus ISO, IEC, and ITU—overseen by the European Commission.
The actions being undertaken in the CRA are not only extremely burdensome and needlessly duplicative, but the cybersecurity expertise lies in those other organisations. Furthermore, it is in those other industry organisations where the most important new cybersecurity capabilities are developed. The constraints imposed to limit cybersecurity standards to what amounts to a small standards monopoly cartel are not only anticompetitive in a very competitive contemporary standards ecosystem, but also increase cybersecurity risks for everyone.
Most of the terminology used in the CRA for product requirements, for product categories and types, and for economic operators is extremely vague and, in some cases, not in common use. The associated complexities exacerbate this vagueness, and the processes for clarification are obscure and yet to be accomplished. Even the asserted criteria for placing products in different obligation categories are based on conjecture.
The provision in the new draft that encourages “bounty hunting” among surveillance entities to fund national projects, including the use of undercover agents, seems fundamentally inappropriate as a regulatory policy. When combined with the substantial vagueness and complexity of so many terms and provisions in the Act, it seems likely to lead to inappropriate enforcement behavior.
All these characteristics inevitably lead to arbitrary and capricious enforcement of the different obligations imposed—mindful that the implementation and enforcement of the provisions is spread across arrays of institutions across 27 different Member State jurisdictions plus several EU agencies and committees. The CRA legislators were clearly aware of this challenge in view of the many different coordination provisions in the CRA. The word coordination appears 17 times and coordination 5 times in the Act.
It is not clear what problem the CRA intends to solve at a cost of several hundred billion Euros and assertion of jurisdiction over all the world’s digital products and processes. The Explanatory Statement expresses a concern about cyberattacks and suggests the need “to strengthen the Union’s approach to cybersecurity.” However, the proposed regulations—generally referred to as the Common Criteria approach - have been demonstrably costly and ineffective over many decades in actually bringing about improved cybersecurity, even on a small scale in closed national security networks. This is why the approach has been largely abandoned except by the European Union’s manifestation in the CRA.
To the extent that the CRA can even be enforced, what European citizens will be left with are digital products and services that have an EU certification of compliance, much like that on an ordinary consumer product, that met certain testing and maintenance requirements when placed on the market. At best, that only enhances cybersecurity when delivered. It ensures nothing but generic potential information and updates after delivery.
Given the requirements to make public the discovered vulnerabilities before they find their way into all products, the requirements will likely increase the availability of exploits and cyberattacks. Zero Trust Model implementations, on the other hand, which fully implement critical security controls commensurate with a situational context and risk, coupled with continuous monitoring, do demonstrably enhance cybersecurity. NIS2 approximates that approach and where the EU focus should be.
It is highly likely that most of the world’s Economic Operators will either ignore the CRA and invite enforcement attempts, or seek judicial and administrative remedies, or abandon the EU market if necessary. Those Economic Operators within the EU will be encumbered with costly and burdensome CRA compliance requirements and either be incented to move elsewhere or pass on the costs to customers and potentially become uncompetitive. The CRA will create significant market economic distortions for minimal demonstrable benefit.