The EU Commission has recently put forward a proposal for cyber-security certifications, congratulating itself on working towards an EU-wide seal of approval for information society services and products, and on boosting the EU digital market as well as consumer trust. But while cyber-certifications are a popular political idea, they will almost certainly work poorly, even counterproductively, in practice.
It follows simple logic. The time it takes to bring out new products, and to discover new threats against software-dependent systems, is shorter than the time it takes to certify those products. The product and threat cycles are shorter than a certification cycle. By the time a company has successfully maneuvered its product through certification, the guarantee awarded by the certificate is outdated and the product is insecure – but it now carries a seal of approval claiming the opposite, and frequently a hefty bill for the party seeking certified status.
Like many things that seem obvious at face value, this issue has been studied to see whether intuition fails. But research and evaluations of Common Criteria, FIPS and privacy seals indicate that intuition is a good guide, and that formal certification requirements are in fact costly and do little to improve long-term security goals.
Mandatory cyber-certifications are already present on certain EU markets – in France, Germany and the UK – but are more reminiscent of protectionism than of market-boosting efforts. Certification efforts in the big member states reduce consumer choice and inhibit EU companies, while adding none of the security intended. These conclusions are laid bare in a PwC report procured by the EU Commission in preparation for the cyber-certification proposal, but are conspicuously absent from the EC proposal’s accompanying Communication and Staff Working Document.
With economic theory and reality being as they are, we can’t find recipes for perfect a priori cybersecurity. But we can seek strategies that ensure timely action against uncovered flaws. This means putting the emphasis on incident handling, patching, and providing consumers and citizens with enough information to reject cyber-vendors who are not diligent in fixing problems. Mandatory risk disclosures, like ingredient labels on foodstuffs, and a breach notification system more akin to that already in place in 48 US federal states, could be a start. Companies would be betting their goodwill by hiding failures, but would avoid pouring a lot of money down the certification industry drain.
France is well-positioned to advance an enlightened view of cybersecurity in the EU. With President Macron being the new beacon for upheaval in the French political landscape, altering ancient French structures thought to have been unimpeachable, why shouldn’t he also take on the certification industry?
We need leaders who work towards a better future, rather than leaders seeking to slap an expensive, but useless, sticker on something.
Cyberspace, or Neuland if you will, will not bend to the ancient traditions of seals and pre-approval. Thoughtless rules may shrink the space for innovation and entrepreneurship, but they will not increase security. Cyberspace requires dynamic, rational leadership that speaks to the willingness of all Europeans to contribute to the resilience of our common spaces for commerce and discourse. France can play a central role by reinventing itself and showing EU leadership not just for itself, but for every EU nation. But will it?