|
The conventional wisdom in the world of legacy standards-making is that monolithic standards produce, if not accelerate, better products and services. Conformance, certification, and associated labelling schemes to implement those standards were believed essential to trust. Although competition law seems now evolving in the other direction, regulatory standards-making bodies themselves have been accorded considerable anticompetitive cartel liability protection. In recent years, the emergence of “digital sovereignty” politics has advanced the belief that “qui fait la norme, détient le marché.”
What is frequently ignored in the cybersecurity domain, however, is that the needed actions are not easily addressed with traditional product and certification standards which are generally quite counterproductive. Cybersecurity does not involve assessing a simple electrical device that can be tested and remains in the consistent state. Cybersecurity is a constantly evolving state-of-the-art maintained by a vast and complex array of different organisations worldwide for diverse products and services that are in perpetual evolution every moment. Those organisations represent different expert communities and individuals which both compete and collaborate—often quite independently. No single standards organisation can possibly manifest the breadth of required knowledge and participation. No cybersecurity certification scheme can ever be sufficient for a public consumer market.
Legendary cybersecurity “father” Bernard Peters, who recently died, articulated the first fundamentals in April 1967 publicly on behalf of the U.S. National Security Agency. These basics remain enduring: “1) security cannot be attained in the absolute sense, 2) every security system seeks to attain a probability of loss which is commensurate with the value returned by the operation being secured, 3) for each activity which exposes private, valuable, or classified information to possible loss, it is necessary that reasonable steps be taken to reduce the probability of loss, 4) any loss which might occur must be detected.” In other words, you can only manage the risk faced based on the immediate context and available resources.
With perhaps the exception of the FCC’s recent ludicrous IoT labelling scheme, the U.S. has not embarked on broad cybersecurity market certification schemes, and none are mandatory. NIST has occasionally indirectly constrained cybersecurity standards competition through its affinity with ISO/IEC, but in large measure, extensive competition exists in the U.S.
The European Union has been far more active in adopting far reaching cybersecurity regulations that rely in different ways on normative cybersecurity standards. For the most part, the regulations use risk management requirements that have the flexibility to enable cybersecurity standards competition that will be essential to EU regulatory effectiveness. This is occurring through a new EU movement toward open cybersecurity standards exemplified in multiple bodies and articulated in the recent EU Centre on Regulation in Europe (CERRE) report on The European Standardisation System at a Crossroads.
Cybersecurity standards competition is especially important and challenging in the complex European standards, legal and marketplace ecosystems. European Member States have long maintained strong electrical standards and certification industries that have a common affinity with the Geneva-based private standards bodies, ISO and IEC, through intermediate European-wide organisations, CEN and CENELEC. They are closed, highly insular organisations whose standards monolithically incorporate significant numbers of their own additional standards in every standard. Whenever the EU produced a need for regulatory standards, CEN and CENELEC responded through torturous processes consuming years that involved off-loading the work to specially dedicated ISO/IEC groups, then reselling the resulting standards as European regulatory standards at huge prices to fund the activity. The standards were then potentially further modified and used within each Member State, enabling national certifications. It is an archaic regime once referred to as “de jure” standards making.
The scheme was further cemented in place through a pair of legal agreements between the CEN and ISO known as the Vienna Agreement (1991), and CENELEC and IEC through a series of agreements now known as the Frankfurt Agreement. One of the aims that was popular in 1991 was to avoid competition - enabled by an exception to EU treaty Art. 101 cartel prohibitions. The scheme was feasible for electrical plugs. It is not especially useful—indeed counterproductive - for cybersecurity.
The complexity of the EU cybersecurity standards ecosystem is further exacerbated by the existence of ETSI as the principal ICT global standards body and cybersecurity standards competitor for an array of important sectors—especially indirectly for mobile communications via 3GPP—as well as a designated European Standards Organisation (ESO). ETSI is a very open and highly transparent body driven by nearly 1000 industry participants including extensive cooperative agreements with other standards bodies that makes its well-versioned standards freely available at permanent URIs. CEN/CENLEC standards, by contrast, are largely re-published ISO/IEC standards only available for enormous prices from approved distributors. As discussed below, however, Europe’s highest court, the ECJ, handed down a broad judgment declaring the paywall practices unlawful and demand change.
The ESO concept emerges from a pair of EU Regulatory instruments—one dealing with cybersecurity and the other with European standardization that was slated to be potentially changed to enhance the role of Member State “national standardization bodies” prior to the ECJ Judgment. Under these provisions, the ESO’s act as contractors to the European Commission—but which also has the authority to be more “open” in designating other standards meeting the determined requirements.
Further complicating the EU cybersecurity standards competition challenge is the European standardization instrument’s bizarre regression to a construct long gone and according exclusive “international standardisation body” status to only three legacy organisations that play only niche cybersecurity roles today: ISO, IEC and ITU. In practice, the engagement in those three organisations by EU bodies is highly asymmetric with almost no participation in ITU-T cybersecurity standards activities or use of them.
The European Court of Justice Judgment has a fundamental, far-reaching effect on cybersecurity standards competition in the European Union. The Court did not directly address anticompetitive issues, but rather based the judgment on “an overriding public interest…arising from the principles of the rule of law, transparency, openness and good governance….” The resulting effect, however, is to make cybersecurity standards competition more desirable because consumers can observe the standards-making processes and compare what is being provided (or not) in the standards.
Because the ISO/IEC organisations themselves over several decades have remained steadfast as the only remaining major ICT standards bodies to maintain paywalls as well as glacially slow and cumbersome standards making and evolution processes, their ability to actually compete with other cybersecurity standards bodies in the face of the ECJ judgement is fundamentally impeded. Their business model has been largely predicated on mandatory regulatory regimes that exclusively designate their standards. This constraint has a derivative effect on CEN/CENELEC and its capabilities. The success of the EU cybersecurity regulatory regime thus now hinges on enabling more open and competitive standards making.
Additionally, most EU Member States for something as essential to their national security as cybersecurity, will want to adopt the most effective, state-of-the-art standards rather than those resulting from flawed legacy body standards-making.
There are other meta-developments in play that effectively require a more open and competitive approach to cybersecurity standards mandated by regulations. One of the most far-reaching developments has revolved around the EU Cyber Resilience Act (CRA) and AI Act and their treatment of the Open Source Software world.
Increasingly over the past several decades, the ICT product and service worlds led by the Internet Engineering Task Force (IETF), and then by major vendors and governments, have embraced and facilitated the widespread use of such software. GitHub hosts more than 100 million software developers contributing to more than 4 million repositories—more than one million public. It is its own ecosystem sometimes called the Octoverse, that fuels some of the most rapidly growing global platforms and has its own unique cybersecurity measures. The R&D parts of the EU have themselves embraced the open source shift and it is now part of the Digital Strategy of the Commission. The Open Source community now has its own dedicated global cybersecurity standards body in the form of the Linux Foundation’s Open Source Security Foundation (OSSF) that has a binding with the CRA itself and actively engaged in regulatory related standards making. Some of the cybersecurity standards activities extend into important critical infrastructure.
The establishment of OpenForum Europe (OFE) as a Brussels-based organisation facilitating collaboration among the open source community has also facilitated the open standards dynamic. OFE operates an active Task Force on Standardisation that contributed to EC consultations and programs and produced a cybersecurity standards position paper. The UK Cabinet Office policy paper on Open Standards was facilitated by OFE.
Other related cybersecurity state-of-the-art meta developments of considerable importance include the emergence of DevSecOps that integrates diverse measures into the entire IT lifecycle. This includes Software/Hardware Bill of Materials (SBOM/HBOM) expressions that provide the consumer with product transparency and shifts part of the cybersecurity burden to manufacturers. Artificial Intelligence cybersecurity measures where information is code also inherently invoke a broad global standards ecosystem. Effective implementation of these measures through regulatory mandates can only be accomplished by competitive, open standards processes that allows for the recognition of the required standards emerging from their diverse communities. The global Forum of Incident Response and Security Teams (FIRST) is exemplary.
Going forward into 2025 and beyond, the European Union bodies, Member States, and Commonwealth nations have the opportunity to exercise significant global leadership in bringing about effective, flexible, and reasonable state-of-the-art cybersecurity measures. Doing so, however, will require the facilitation of competitive cybersecurity standards making that encompasses multiple, diverse standards communities, transparent and dynamic standards processes and availability, and open-source solutions. It is an exquisite demonstration of European Values.
Taking these actions also reflects the feasibility findings announced almost 60 years ago by the late Bernard Peters at the first public cybersecurity conference and also bolsters EU treaty requirements for proportionality.
Sponsored byWhoisXML API
Sponsored byCSC
Sponsored byRadix
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byVerisign