Strategic Insight 033/2023
David Hickton
07 December 2023
Alexa, Activate Cyber Resiliency
Regulatory efforts are underway on both sides of the Atlantic to bolster cybersecurity in the growing market of smart devices. In the EU, the Cyber Resilience Act aims to establish mandatory cybersecurity standards for all digitally enabled products and software. In the U.S., a softer touch voluntary labeling program would equip consumers with accessible information to make informed purchasing decisions with personal cybersecurity in mind. Acknowledging industry concerns and variations in regulatory approach, this moment represents an opportunity for the transatlantic partners to synchronise their efforts around protecting consumer cybersecurity.
Residents of developed economies often take for granted the extent to which digital connectivity has pervaded our households – yielding convenience at the expense of personal cybersecurity. We have installed smart doorbells, light bulbs and switches, refrigerators, toasters, fitness trackers, thermostats, and speakers. Unsecured, any of these devices can serve as an access point for breaking into a personal wireless network to steal data. It is a real and growing threat: in the first half of 2021, 1.5 billion attacks were attempted against Internet of Things (IoT) devices, more than twice as many as in the previous six months. The opportunities for exploitation are only increasing: research forecasts that by 2025, there will be a remarkable 75 billion IoT devices in use worldwide, up three-fold from 2019.
Washington’s Approach
From both sides of the Atlantic, governments have initiated overdue action to set standards that defend against these cyber risks, establishing a baseline for cybersecurity protections consumers can expect. In Washington, the Biden administration has proposed a cybersecurity certification and labeling program entitled “U.S. Cyber Trust Mark,” informed by a recommendation from the U.S. Cyber Solarium Commission to “establish and fund a national cybersecurity certification and labeling authority.” Consistent with the United States’ preferred light touch, pro-innovation regulatory stance, the program would be voluntary, an approach that is ill-suited to the pace of technological change and the resulting risks. IoT devices that meet yet-to-be-released National Institute of Standards and Technology (NIST) cybersecurity standards would receive a label – a sort of government issued stamp of approval. The voluntary approach, modeled on the U.S. Energy Star program that rates a product’s energy efficiency, is intended to empower consumers by equipping them with information to make informed purchasing decisions.
Brussel’s Approach
In Brussels, the EU Cyber Resilience Act (CRA) would establish cybersecurity requirements for all “products or software with a digital component,” a broader scope of products than the U.S. labeling program. Also distinct from the U.S. approach is that compliance with the CRA would be mandatory – and, as such, has prompted a stronger response from industry. Recently, industry leaders expressed concerns that the new regulation could create bottlenecks in getting products to market. Their objection is that there are an insufficient number of independent assessors included in the current draft legislation. It states that “a conformity assessment body shall be a third-party body independent of the organisation or the product it assesses” and so merits further review; indeed, self-assessment seems a viable alternative, presuming that assessments are reported with high degree of transparency.
Cybersecurity experts have also pushed back against the law’s one-day vulnerability disclosure requirement; they argue that it would effectively create a ready-made list of software vulnerabilities, a tempting target for malicious cyber actors. While such a concern is understandable, the current text does make an allowance: initial reporting would go to the European Union Agency for Cybersecurity (ENISA), but the legislation states that ENISA shall forward the notification to the relevant Computer Security Incident Response Teams – “unless justified cybersecurity risk-related grounds” apply. Timely cross-sector warning and information sharing about cyber attacks and threats – through appropriately secure channels – is critical. Indeed, it can accelerate identification of threats and bolster the response.
The CRA has also prompted concern from open-source software developers, who point to the unique challenge of distributing patches for cyber vulnerabilities, given that open source code is available for public use, without the original developer knowing all its uses. GitHub and others have offered several potential fixes, based on placing responsibility with the entities that incorporate the code, that would balance users’ need for enhanced cybersecurity protections with the benefits of open-source software. Notwithstanding these unresolved details, setting standards to bolster consumer cybersecurity is a welcome and overdue step in the right direction.
Rebalancing Responsibility
Acknowledging the more limited and voluntary scope of the U.S. programme, both approaches are guided by a philosophy that places the onus for cybersecurity on device producers/developers, thereby reducing the responsibility on individual citizens. The White House’s National Cybersecurity Strategy characterises this approach as “rebalancing the responsibility to defend cyberspace” – “[o]ur collective cyber resilience,” it reasons, “cannot rely on the constant vigilance of our smallest organizations and individual citizens.”
On both sides of the Atlantic, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and ENISA have deployed education campaigns on cyber hygiene. The emerging standards setting approach, however, recognises that most citizens are not IT professionals or cybersecurity experts. Just as people trust that the pharmaceuticals in their medicine cabinets are safe to use, there is an element of trust underlying the purchase of a digital baby monitor or home hub device. It is well past time that our governments took steps to bolster the basis for that trust.
Opportunity for Alignment?
The timing of these regulations on both sides of the Atlantic offers an opportunity for the U.S. and EU to synchronise smart device cybersecurity standards, such that IoT products which comply with the CRA earn, by default, a U.S. Cyber Trust label. Doing so would ease the regulatory burden on companies and increase their uptake of the voluntary U.S. program, while promoting consumers’ digital safety. There is also an opportunity for U.S. and EU entities to establish mechanisms by which to securely share information about vulnerability disclosures, reducing the regulatory burden on technology companies in the process.
Together, EU and U.S. households comprise a remarkable 49% of global household expenditures. Coordination on adopting robust cybersecurity standards would benefit all involved. Cyber attacks can wreak havoc on individuals, companies, and governments alike. A regulatory approach that incentivises device producers to adopt strong defences benefits us all, helping to deliver the promise of the digital age.
David Hickton is the founding director of the University of Pittsburgh’s Institute for Cyber Law, Policy, and Security. He was the U.S. attorney for the Western District of Pennsylvania from 2010-2016. He is a non-resident senior advisor at the Center for Strategic & International Studies and a distinguished fellow of the Azure Forum for Contemporary Security Strategy.
The Azure Forum is a nonpartisan, independent research organisation. In all instances, the Azure Forum retains independence over its research and editorial discretion with respect to outputs, reports, and recommendations. The Azure Forum does not take specific policy positions. Accordingly, all author views should be understood to be solely those of the author(s).
The Azure Forum for Contemporary Security Strategy is Ireland’s first and only independent think tank dedicated to providing recommendations on peace, security and defence. As Ireland’s first national security research institute, the Forum aims to contribute to national and international security analysis and strategic studies for a more peaceful, secure, resilient and prosperous future nationally and globally at a time of emerging global risk.