Europe has proposed that a key network security agency lead the EU’s future “Trusted IoT” labelling scheme, which would mark Internet of Things (IoT) devices that have been certified as secure.
The European Commission (EC) has selected the European Union Agency for Network and Information Security (ENISA) to lead this effort as part of Europe’s new Cybersecurity Act.
In his state of the union address on Wednesday, EC president Jean-Claude Juncker announced a new European Cybersecurity Agency to help boost the Union’s cyber defences. He noted that ransomware attacks numbered 4,000 per day last year.
Europe was “not well equipped” to deal with cyberattacks, he said, adding that they “can be more dangerous to the stability of democracies and economies than guns and tanks”.
European organizations bore the brunt of both the WannaCry and Petya ransomware attacks, the first cyberattacks of truly global scale in several years.
One of the key initiatives of the new law that ENISA will lead is Europe’s proposed cybersecurity certification scheme, which will introduce “Trusted IoT” labels on products that have passed certification.
Last year’s Mirai botnet DDoS attacks were a reminder of the potential for attackers to abuse connected things with poorly designed security, such as routers, CCTV cameras and DVRs. Early attacks hit a French ISP, and a later one on a DNS provider blocked US users from accessing major sites like Amazon, Spotify and Twitter.
Europe was also hit by Mirai. Daniel Kaye, a 29-year-old Brit, was last month extradited from Germany to the UK to face charges of using a Mirai botnet to attack Lloyds and Barclays banks, disrupting 20 million accounts. Kaye had already been given a suspended sentence in Germany for an attack in November 2016 that briefly knocked 900,000 Deutsche Telekom customers offline.
The EU also wants the certification scheme in place in preparation for a rise in connected and automated cars, electronic health systems and industrial automation and control systems (IACS).
For ENISA itself, the new role is good news. The Athens-based agency has operated since 2004 on a thin budget with a small staff, and until now its mandate only ran until 2020. In the meantime, it has become a key source of expertise helping member states meet the EU’s Network and Information Systems (NIS) Directive, which came into force last year and requires each member state to have a computer security incident response team (CSIRT) and a national NIS authority. Operators in critical sectors, such as banking and transport, must notify these authorities of serious cyber incidents.
In part because ENISA now plays a critical role in supporting the national CSIRTs, which themselves have no fixed term, the EC wants to make ENISA’s mandate permanent. The aim is to make ENISA the go-to cybersecurity agency in the EU.
The rationale for the certification scheme itself is fairly straightforward. The EU expects billions of IoT devices to come online in the next decade, and so far manufacturers have proven careless, if not reckless, when it comes to cybersecurity.
“While an increasing number of devices are connected to the Internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In this context, the limited use of certification leads to insufficient information for organisational and individual users about the cybersecurity features of ICT products and services, undermining trust in digital solutions,” the proposal notes.