Legally Mandated Security: U.S. Agencies Lead, Europe Introduces Cyber Resilience Act
In my recent article, "Legally Mandated Security: The Rise of Security by Design and Default," I explained the concepts of Security by Design and Security by Default and how they relate to one another, as well as why they provide protection for the users of technology. In this article, I will explain how the law gets involved.
Cybersecurity and Infrastructure Security Agency (CISA)
The CISA is a U.S. government agency that collaborates with other governments and nations to make information infrastructure resilient to misinformation and disinformation. It also happens to “own” the .gov Top Level Domain. It essentially has jurisdiction over all internet-connected critical infrastructure.
In its publication dated April 13, 2023, the CISA stated that “vulnerability-by-design” must be replaced by Secure-by-Design and Secure-by-Default in product design and development processes. In essence, it elevated security to a core business goal for technology companies, not merely a technical feature.
It’s a bit like the Department of Transportation saying, “OK – from now on, all cars have to be able to stop. No more adding brakes as a mere convenience or additional good-to-have technical feature.”
For reasons that are open to speculation, the technology industry has certainly not given security as much time, energy and money as the transportation industry has given to brakes. The CISA is busy changing that.
The CISA is currently engaged in encouraging change in security awareness by exhortation. However, the CISA has certain statutory powers to enforce good cybersecurity practices that include Security by Design and Security by Default. In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into U.S. law. It requires critical infrastructure companies (e.g., utilities, telecommunication companies) to report cybersecurity incidents, such as ransomware attacks, to the CISA within 72 hours of the event. If they fail to do so, the CISA can force the companies by subpoena to disclose the information. If the critical infrastructure company fails to respond, the matter can be referred to the Department of Justice for civil action.
National Institute of Standards and Technology (NIST)
The NIST is not a regulator, although it is an arm of the U.S. Department of Commerce whose mission is to promote innovation and advance the use of standards and technology. Its influence is massive because most of what the U.S. government purchases in digital products must be compliant with the NIST’s Federal Information Processing Standards (FIPS). As part of the FIPS, the NIST has developed its standard SP 800-218 (Secure Software Development Framework/SSDF – Recommendations for Mitigating the Risk of Software Vulnerabilities) that is certain to lead the way in secure software development.
SSDF is characterized by the following “recommendations” (which are really requirements for any company that wants to do business with the U.S. government):
- Use memory-safe programming languages.
- Enable fine-grained memory protection that blocks exploits.
- Use secure software components.
- Use web templates that avoid cross-site scripting.
- Use parameterized queries to avoid SQL injection attacks.
- Use static and dynamic application security testing to detect error-prone practices of coders.
- Conduct code review (peer review).
- Create a Software Bill-of-Materials (for software visibility).
- Establish a vulnerability “whistleblower” program.
- Maintain a robust CVE (common vulnerability and exposure document).
- Enable defence-in-depth (avoid a single point of security failure) and use sandboxing to quarantine a vulnerability.
- Establish and monitor Cyber Performance Goals (CPGs).
What About Europe?
The European Parliament takes itself very seriously and has shown worldwide leadership in the privacy space. The European Union recently (July 2023) passed the Cyber Resilience Act (the “Act”), which will come into effect in early 2024. It gives technology manufacturers three years to implement security measures for certain digital products. Importantly, Canada, Australia, New Zealand and the United Kingdom are all pledging co-operation with the new Act and collaboration with Europe.
The purpose of the Cyber Resilience Act is to protect both consumers and businesses that purchase or utilize anything with a digital component throughout the lifecycle of that thing – for example, an internet-connected appliance. The evil that the Act proposes to deal with is the woefully inadequate level of cybersecurity inherent in many such products, especially with few or no security updates available to deal with vulnerabilities. Additionally, the Act wants to reverse the current opaqueness concerning whether particular connected products are cybersecure and how to install and use them in a cybersecure manner.
In more specific terms, the Cyber Resilience Act will:
- Force manufacturers to greatly improve the security of digital products, beginning with the design and development phase, and throughout the whole lifecycle.
- Create a comprehensive cybersecurity framework to assist hardware and software manufacturers to comply.
- Increase transparency about the security of digital products.
- Enhance the confidence of businesses and consumers in the security of digital products.
When the Act enters into force, software and products that are connected to the internet and are compliant with the required standards will bear the CE marking of compliance. Good news for those who are worried that their refrigerators, laundry machines and televisions are spying on them – and even better news for those who don’t worry!
Unfortunately, the Cyber Resilience Act only addresses the cybersecurity of “embedded” software, and not of apps and programs that work with general-purpose computers. We can only hope that non-embedded software protection will eventually be regulated in subsequent European or U.S. legislation. We’ll see.
What’s Next?
In my next article, dedicated to the subject of mandated cybersecurity, I will explore the U.S. Cyber Trust Mark, the proposed EU Data Act and the proposed EU Artificial Intelligence Act, as well as NIST’s musings on artificial intelligence.
Once again, stay tuned!
The Technology Group at Aird & Berlis LLP is focused on supporting emerging and established technology companies, businesses that have technology opportunities and organizations that use technology to make money. Please contact the author or a member of the group if you have questions or require assistance with any matter related to computer and network security.