It will be voluntary though, outside critical infrastructure…
A European parliamentary committee has voted overwhelmingly in favour of giving more power and a greater budget to EU cybersecurity agency ENISA.
The 84-strong agency is based in Athens and Crete and is one of the EU’s smallest, with an annual budget of approximately £9.7 million.
It provides expertise rather than direct operational support. Amendments to initial European Commission proposals would see it add “regular independent IT security audits of critical cross-border infrastructures” to its remit.
The European Parliament’s Industry Committee (ITRE) also passed proposals in the draft bill to establish an EU-wide cybersecurity labelling scheme, which ENISA would lead, highlighting a fragmented standards market.
“The Agency shall promote the use of certification with a view to avoiding fragmentation in the internal market and improving its functioning, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level,” the proposed bill reads.
“This Product Contains Elevated Numbers of 0days that may be Bad for your Blood Pressure”
That proposal was first floated by the European Commission in September 2017. It would introduce a traffic light system similar to that used in food labelling.
Ed Williams, of cybersecurity specialists SpiderLabs at Trustwave, told Computer Business Review in an emailed statement: “I welcome any initiative to increase the security and assurance of ICT products; given the current climate this legislation is welcome.”
He added that the proposal, which would be voluntary except for critical infrastructure technology, could be tightened up.
“Ensuring that security is baked in could, initially, be difficult but is clearly the correct thing to do – secure by design is a must in 2018 and moving forward.”
“I have some reservations around the certification framework… assurance will be broken down into different categories, basic, substantial and high; where basic “provides a limited degree of confidence in the claimed or asserted cybersecurity qualities of an ICT product or service”, I’d prefer all my ICT products to have high levels of assurance, I don’t think that’s too much to ask for?”
Fifty-six MEPs voted in favour of the legislation, five against, with one abstention.
The ITRE voted for measures that make the certification mandatory for critical infrastructure, including energy grids, water and energy supplies and banking systems; these were not originally included in the EC’s initial proposal.
It emphasised a lack of standardised security practices across the Internet of Things.
“There seems to be no coherent and holistic approach with regard to horizontal cybersecurity issues, for instance in the field of the Internet of Things. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual utilisation. A risk-based approach is required whilst acknowledging that a one-size-fits-all approach is not possible.”
Among ENISA’s recent exercises was a Europe-wide cybersecurity exercise that involved 900 specialists from 30 countries role-playing a response to a major hack on an airport.
The two-day exercise in early June was orchestrated by ENISA at its headquarters in Athens and controlled via its Cyber Exercise Platform (CEP), which provided a ‘virtual universe’ (integrated environment) for the simulated world.
ENISA said: “The scenario contained real life-inspired technical and non-technical incidents that required network and malware analysis, forensics, and steganography. The incidents in the scenario were designed to escalate into a crisis at all possible levels: organisational, local, national and European.”
The organisation wants the budget to operate around the clock and also have a team in Brussels. A compromise agreement on the bill will now need to be thrashed out by the EC, European Parliament and member states.