This article is part of our special report Europe’s cybersecurity agenda.
There needs to be more discussion about liability for cybersecurity attacks, Steve Purser, director of operations at the EU cybersecurity agency ENISA, told EURACTIV.com in an interview. He also said that Europe does not need to have the toughest security standards in the world, but it needs an “appropriate level of security”.
ENISA will be in charge of drafting the rules to apply the first cybersecurity certification to products that can be used all over the bloc. A new European Commission proposal made the Athens-based agency responsible for the security programme, which has sparked controversy among tech companies.
ENISA will be in charge of drafting criteria for the new certification scheme. The proposal is still controversial among tech companies. Why is there a need to change cybersecurity certification?
I think there are several things telling us we need to revamp certification in general. One is that we have some very high-performing national schemes but we don’t have a European scheme. So we run the risk that if someone has a very good certification in Germany or in France, it may not be recognised in Bulgaria or the Netherlands or one of the other member states. So we’re still in this national scheme of things. On the whole it works quite well, but it certainly doesn’t work perfectly. So this is one reason I think the European scheme would be a very good thing. Second, there’s scope to increase the role of industry, to make sure they have a bigger voice – certainly in European certification because it will help products and services flow more freely across national borders, this is the key idea. But I think the biggest reason is that the market is changing enormously.
And the kind of certification schemes we have at the moment that work well – to be brutal – are rather clunky, they’re expensive and they’re slow. This is not a criticism of the certification people, they do a very good job. But it’s more a reflection of the fact that we are moving to a market that is characterised by massively increased scalability and much shorter time-to-market constraints. It is clear that in the future we will not be able to rely on the kind of techniques that we relied on in the past under these new constraints. Of course I’m talking about things like the internet of things, robots, AI [artificial intelligence] and all these new things which are coming up.
There was some discussion before the proposals came out about whether companies should be held to legally binding standards guaranteeing how secure their products are. We know that is not what the Commission proposed. Do you think there should be any binding standards for cybersecurity certification?
I think in some areas it could be beneficial to have binding standards. In others, definitely not. It’s a balancing act. On the one hand, let’s take things that are highly safety dependent or critical infrastructure, there I can certainly see a need for it. This is not the kind of thing you would want to do in a market which has risk, where you may hamper innovation and introduce barriers to becoming more successful on the global economic playing field. I think it would have to be done on a case-by-case basis. Certainly it should not be done in a sweeping way.
Some MEPs called for there to be EU rules regarding when companies can be liable for cybersecurity attacks. Should there be more discussion about potential liability legislation?
Absolutely. It’s an example of one of the concepts that does not translate very well from the practical world into the internet world, for many reasons. One is that liabilities on the internet are potentially huge. A car these days is not really manufactured, it’s assembled out of lots and lots of complex components, each of which has a complex supply chain. So it’s incredibly difficult or impossible for a car manufacturer to check all the elements of the supply chain. I think the thing we have to do is adapt the notion of liability to what is happening in the market. Complex supply chains, short time-to-market. And we need to understand where the liability really stands. If you have a car accident but the problem was in the chip, which was embedded in one of the many systems in the car, several layers down in the architecture, how do you distribute liability? And how do you prove it was indeed due to the chip, because it’s a complex system in which there are many things happening? I can’t give an answer to this but I can say it’s really the right time to be discussing liability. And to try to come up with better models for how we might supply it. Maybe there is a supply chain model for liability, a bit like we have a supply chain model for VAT.