Consistent Cyber Regulation for Europe


POSITION | CYBERSECURITY | REGULATION

Consistent Cyber Regulation for Europe
German industry’s 5 demands

October 2019

Executive Summary

German and European companies strive to offer products, processes and services that possess a degree of cyber-resilience adequate to the likely risk. At the same time, however, one hundred percent cyber security cannot be achieved, let alone guaranteed, because attack vectors are constantly changing, new vulnerabilities are identified and human error can never be completely avoided. This makes it all the more important for companies to ensure that their efforts to strengthen cyber resilience are not thwarted by inconsistent regulations, national unilateral approaches or one-sided requirements. Since often more than one regulation applies to products, processes and services, consistent and coherent requirements are essential for maintaining the international competitiveness of companies.

German industry’s demands for consistent European cyber regulation

Against the background of an increasing fragmentation of the legal requirements for cyber security for products and services and an increasing need to strengthen the cyber resilience of products, processes, services and systems, German industry advocates the following five principles. They should be taken into account by the EU and national governments in current and upcoming legislative proposals in the area of cyber security:

1. Ensure coherent legal requirements to strengthen Europe's cyber resilience while avoiding competitive disadvantages for European companies
2. Give precedence to European over national unilateral regulatory approaches, in order not to endanger the success of the European Single Market
3. Choose a risk-based approach to ensure adequate and effective protection
4. Actively integrate European standardisation work, according to the principles of the New Legislative Framework (NLF)
5. Actively involve all stakeholders – from hardware and software manufacturers to commercial operators and private users – to holistically strengthen the cyber resilience of products, processes, systems and services

Dr. Thomas Koenen and Steven Heckler | Digitalisation and Innovation
Dr. Thomas Holtmann and Bernd Wittenbrink | Environment, Technology, Sustainability



Table of Contents

Cyber security is the precondition for a successful digital transformation
German industry’s demands for a future-oriented European cyber regulation
1. Ensure coherent legal requirements to strengthen Europe's cyber resilience while avoiding competitive disadvantages for European companies
2. Give precedence to European over national unilateral regulatory approaches, in order not to endanger the success of the European Single Market
3. Choose a risk-based approach to ensure adequate and effective protection
4. Actively integrate European standardisation work, according to the principles of the New Legislative Framework (NLF)
5. Actively involve all stakeholders – from hardware and software manufacturers to commercial operators and private users – to holistically strengthen the cyber resilience of products, processes, systems and services
Imprint


Cyber security is the precondition for a successful digital transformation

Smart Home, Smart Mobility and Industry 4.0: from everyday life to mobility and production in factories, ever more areas of our daily life are becoming smarter, i.e. more digital and thus more networked. According to current estimates, the number of networked objects worldwide is expected to rise to 125 billion by 2030. This compares to 27 billion networked objects in 2017. [1] By 2022, every German will have around 9.7 networked devices. [2]

The advancing spread of digital technologies is creating a wide range of new opportunities, both for private as well as commercial user groups. However, digitalisation also poses numerous challenges with regard to safety and security, as well as privacy. These can result in additional risks for each individual’s health and safety, as well as for the environment, the economy and public safety at large. These risks can be countered by targeted technical, regulatory and behavioural measures (such as security-by-design). Through a targeted application of state of the art measures to strengthen resilience, the remaining residual risks are kept within acceptable limits.

German industry is already investing in the cyber security of products, processes, people and services. Nevertheless, one hundred percent cyber security cannot be achieved, let alone guaranteed. This is the case as attack vectors are constantly changing, newly discovered vulnerabilities are identified and human misconduct can never be completely avoided. From German industry’s perspective, this makes it all the more important that the efforts of companies to achieve and maintain a high level of cyber resilience through efficient and risk-adequate measures are supported by coherent and risk-based European regulatory approaches. A high degree of cyber resilience is a basic prerequisite for the trouble-free functioning of highly digitised processes, networkable products and services.

This is because the damage caused by cyber security incidents is tremendous, both in the private sector and in industry. Current estimates assume that in 2021, the annual global costs emanating from cyber crime and state-motivated cyber attacks will amount to six trillion US dollars. This would be a doubling of the damage estimated for 2015. [3] These figures show that there is a close correlation between the increasing degree of connectivity and the expected level of damage caused by cyber security incidents. In German industry alone, the damage caused by cyber attacks has been immense. In the past two years, sabotage, data theft and espionage have caused 43.4 billion euros of damage to German industry. [4] The damage to private households is much more difficult to quantify, as cybercrime is often unreported and the damage cannot always be directly linked to an incident. The reasons for successful cyber attacks are also extremely diverse and are by no means solely based on products (hardware and software): rather, careless handling of data, a lack of knowledge about potential attack vectors, as well as a lack of willingness to install updates, all significantly contribute to the success of the attacks.

Against the backdrop of these dangers, cyber-resilient products, processes, services and systems are essential to maintain confidence in the digital transformation, ensure public safety and security, as well as to protect data and processes. At the same time, neither technical vulnerabilities nor user errors that cybercriminals can exploit for their own purposes can be completely avoided.

[1] IHS Markit. 2017. The Internet of Things: A movement not a market. URL: https://cdn.ihs.com/www/pdf/IoT_ebook.pdf
[2] CISCO. 2019. Visual Networking Index: Forecast Highlights Tool. URL: https://www.cisco.com/c/m/en_us/solutions/serviceprovider/vni-forecast-highlights.html# (Accessed: 5 March 2019)
[3] Cybersecurityventures. 2018. Cybercrime Damages $6 Trillion By 2021. URL: https://cybersecurityventures.com/cybercrimedamages-6-trillion-by-2021/ (Accessed: 3 July 2019)
[4] Bitkom. 2018. URL: https://www.bitkom.org/Presse/Presseinformation/Attacken-auf-deutsche-Industrie-verursachten-43Milliarden-Euro-Schaden.html


German industry’s demands for a future-oriented European cyber regulation

The strengthening of cyber-resilience in Europe can only succeed if legislators agree on a regulatory framework that provides companies with clear and unambiguous, mutually complementary, and ideally overlap-free requirements. Only regulations that adhere to these characteristics will enable companies to utilise internal company processes to offer cyber-resilient products and services on the market, and also to procure them. This includes processes such as applying security-by-design, the regular checking of products and services for potential security gaps, as well as the provision of security updates or operational support to maintain cyber resilience. Against this background, German industry recommends observing the following five principles when drafting regulatory specifications for cyber security requirements:

1. Ensure coherent legal requirements to strengthen Europe's cyber resilience while avoiding competitive disadvantages for European companies

Coherent legal requirements are the key to maintaining the competitiveness of German and European industry internationally. It is important to avoid hasty additions and extensions to legal requirements on cyber resilience. Rather, an approach is required that takes into account that products, processes, services and systems often fall under more than one regulation. Only content-wise coherent legal requirements can ensure that economic players can apply and fulfil the requirements applicable to their products, processes, services and systems. Specifications for production processes in particular should be congruent with those for products and services. Therefore:

▪ New regulations should only address those areas in which there are currently regulatory gaps.
▪ It is important to avoid multiple, overlapping legislative requirements for the same product, process, service or system.
▪ Legislative requirements should demand the current state of the art of technology and not only a specific approach.
▪ Where regulatory areas overlap, consistency of content of all requirements and clarity of responsibilities (in particular of supervisors) should be ensured.
▪ Products and services are integrated into sometimes highly complex systems and, consequently, the interaction of seemingly clearly separate regulations must also be taken into account.

2. Give precedence to European over national unilateral regulatory approaches, in order not to endanger the success of the European Single Market

Cybersecurity is a global challenge. Consequently, national solo attempts are not effective - even if there may be a close and well-networked national community in which quick agreements can be reached and good results achieved. Nevertheless, it is always important to develop cyber-safety-related requirements internationally, or at least on a European level. Only then can they achieve the necessary broad impact. The European single market is a successful model that must be continued - especially in the digital age. The Internal Market is a model for other markets and regularly sets benchmarks for product requirements and conformity assessment procedures that allow rapid market access and are innovation-friendly. Therefore, the BDI opposes regulatory fragmentation of the European internal market and special national approaches. Maintaining the cyber-resilience of products, processes, services and systems requires European regulatory efforts that are globally connectable.

3. Choose a risk-based approach to ensure adequate and effective protection

Protective measures and resilience against cyber attacks must be geared to the likely application and hence to the associated threat situation. Therefore, cyber security requirements should be raised to the same level as environment, health and safety requirements, and the different application scenarios must be taken into account in European regulatory efforts. Also in future, every form of regulation must provide companies with a certain leeway to develop their own solutions. In order to ensure that innovative solutions are implemented, cyber security regulations must therefore always be technology-open and flexible. Innovative solutions also require conformity assessment procedures that allow fast and cost-effective market access. This also applies in connection with update obligations, which serve to maintain resilience against cyber attacks. Legal requirements that exclude or require the use of certain technologies are already inadequate to meet the challenges of the analogue world. This is all the more true for the digital world. Static, technology-driven regulations would lead to a deterioration in the cyber resilience of products, services and systems.

4. Actively integrate European standardisation work, according to the principles of the New Legislative Framework (NLF)

Requirements for resilience to cyber attacks must be constantly adapted to changing threat scenarios and intensities. Rigid legal provisions alone cannot accomplish that. Rather, standards and regulations must work hand-in-hand. The successful regulatory model of the European Union – the New Legislative Framework – with its established processes and its high temporal efficiency is suitable for addressing the challenges posed by maintaining cyber security, while at the same time ensuring system coherence. Based on the model of a vertical division of work between legislators and normative rule makers, the legally defined, general protection goals for products are turned into Europe-wide harmonised standards based on the currently recognised state of the art technology. The resulting standards are practical and can therefore be effectively implemented by companies.

5. Actively involve all stakeholders – from hardware and software manufacturers to commercial operators and private users – to holistically strengthen the cyber resilience of products, processes, systems and services

Everyone has to make their own contribution to cyber security: this includes manufacturers, as well as private and commercial users. Any attempt to enhance the cyber resilience of products, processes, services and systems can only succeed if everyone cooperates and if the respective measures are coordinated. In addition, a coordinated approach must be made legally possible and put into practice. Through holistic cyber security strategies with efficient protective measures, the risk of cyber security incidents can be reduced and thus the cyber resilience of products, processes, services and systems strengthened holistically. The goal must be to close dangerous gaps and vulnerabilities through rapid and appropriate measures, so that they cannot be exploited by potential attackers. Such a holistic approach is more than the sum of the individual measures of each player. Therefore, all parties should strive to make their defined contribution towards a coordinated overall result.

In addition to industry, government agencies and private users are also called upon to contribute to strengthening and maintaining the cyber resilience of products and services:

▪ The public sector must also contribute to safeguarding the cyber-resilience of products and services. Therefore, it is essential that government agencies immediately inform companies of any security vulnerabilities they become aware of. The retention of such information can have far-reaching consequences in an increasingly networked society.
▪ Private users can support the cyber resilience of the products and services they use by installing updates and patches, as well as by adhering to the principles of cyber hygiene. Otherwise, industry's efforts, at least in the private user sector, will be futile.


Imprint

Federation of German Industries (BDI)
Breite Straße 29, 10178 Berlin
www.bdi.eu
T: +49 30 2028-0

Contact

Dr Thomas Holtmann | T: +49302028-1550 | T.Holtmann@bdi.eu
Dr Thomas Koenen | T: +49302028-1415 | T.Koenen@bdi.eu
Steven Heckler | T: +49302028-1523 | S.Heckler@bdi.eu
Bernd Wittenbrink | T: +49 30 2028-1698 | B.Wittenbrink@bdi.eu

BDI document number: D 1077
