2024-06-06 07:54:00
By Patricia Mouy, Alternative Energies and Atomic Energy Commission (CEA) and Sebastien Bardin, Alternative Energies and Atomic Energy Commission (CEA)
Enough of the cyber attacks? The Cyber Resilience Act was adopted by the Members of the European Parliament on March 12 and will come into force in the coming months, with the ambition of changing the game in terms of the security of digital systems in Europe.
While digital systems are literally at the heart of modern societies, their potential weaknesses in the face of cyber attacks are becoming sources of major risks: theft of private data, espionage between states or even economic warfare. Take the case of Mirai, a large-scale attack in 2016 that hijacked consumer devices such as smart cameras to overload corporate Internet domains in a DDoS (Distributed Denial of Service) attack. Mirai led, among other things, to the shutdown of, or major difficulties in accessing, major sites such as GitHub, Netflix and Reddit. Consumer connected devices are the preferred target of this type of attack.
For critical IT systems (connected health devices, smart cards, autonomous transport) the need for security is therefore higher than ever. A strict cybersecurity regulation has been made mandatory and concerns thousands of entities belonging to more than eighteen sectors deemed sensitive (banks and financial infrastructures, transport, health, digital infrastructures and digital service providers, etc.). However, the cyber threat does not stop at these sensitive and critical sectors. The attacks also target the many sectors and individuals not covered by these earlier cybersecurity directives.
Secure all sectors, not just the most critical ones
The Cyber Resilience Act now targets all sectors without distinction, with the ambition of changing the game in terms of the security of digital systems used in Europe. As announced by Nicola Danti, MEP, “The Cyber Resilience Act will strengthen the cybersecurity of connected products, by tackling hardware and software vulnerabilities, making the EU a safer and more resilient continent”. By “connected products” we mean, of course, smartwatches, smartphones and all connected home automation, but also identity management software or password managers. Concretely, this will require secure default configurations with free updates, but also total transparency towards the consumer on vulnerabilities.
It is in this context that we must understand the Cyber Resilience Act (CRA). Most hardware and software products are currently not covered by any European legislation dealing with their cybersecurity and, moreover, only provide a low level of security, often poorly or not at all documented. The aim of this legislation is therefore both to create the necessary conditions for the development of secure-by-design products and to ensure that manufacturers take security seriously throughout the lifecycle of a product.
The European law on cyber resilience therefore goes much further than previous directives, by covering any digital system connected directly or indirectly. In the associated report, the European Commission indicates that this law stems from the observation of widespread vulnerabilities and a lack of information allowing users to choose products with a satisfactory level of security. Cyberattacks are therefore increasingly fruitful for criminals, with an estimated cost of 5,500 billion dollars worldwide in 2021.
Ensuring cybersecurity throughout production
By addressing all digital systems, the cybersecurity requirements pushed by the CRA concern all manufacturers and developers of products containing hardware or software digital elements. These requirements apply from the design of the products but also throughout their life cycle, including their updates. The stakes are enormous but the challenges to be overcome are notable:
- be able to evaluate any type of digital system, in order to improve the general quality of digital ecosystems;
- adapt to the growing complexity of digital systems and the evolution of their production methods;
- adapt to the ever-increasing complexity of attacks.
The aim is to encourage and extend the implementation of best practices in cybersecurity and to encourage manufacturers to play the prevention card, for example by displaying security requirements on products. We might imagine that, subsequently, other players (market, insurance, etc.) also provide incentives in this direction, ultimately allowing the general level of cybersecurity to be raised at both ends of the spectrum, from very simple systems to secure systems.
Challenges still to be met
However, these desirable advances will put a lot of pressure on developers and on the demand for evaluators of these systems, cybersecurity experts who are a rare commodity. Part of the solution can be to equip experts and developers as well as possible, to make secure development and security evaluation procedures more efficient.
On the one hand, it is possible to consider almost fully automatic product security analyses to ensure a basic security audit. On the other hand, the design of advanced and interactive analysis tools would allow the expert to perform in-depth security analyses in a reasonable time. These tools will have to be equipped with fine-grained attacker models in order to take increasingly sophisticated threats into account.
France has historically had leading experts in security assessment. But given the increase in the number of systems to be assessed and their diversity, as well as the drastic increase in the complexity of attacks and systems to be assessed, it is now essential to support them with new scientific and technical advances.
Developing new techniques to assess product security
The SecurEval project aims precisely to advance knowledge and produce tools in the field of evaluating the security of digital systems. It focuses in particular on securing existing systems and components, as opposed to “security by design” approaches, which integrate secure development constraints from the design stage. The ultimate goal is to propose, as a proof of concept, a chain of tools from French research laboratories at the forefront of these subjects, forming a complete solution for the evaluation of different security properties, ranging from the search for vulnerabilities to the formal proof of compliance with security properties.
In order to meet this objective, research work is being carried out within the SecurEval project to overhaul code analysis techniques. The objective is to rely on fine mathematical modeling rather than on empirical and uncertain methods, and to develop tools that apply these techniques automatically. These tools must then be adapted to the objectives of security assessment and to scaling up to increasingly complex systems.
For example, the SecurEval consortium partners specializing in formal methods, security evaluation and program analysis work hand in hand to adapt their critical-system certification tools to the broader cybersecurity framework imposed by the CRA. They offer automated analysis techniques that cover as many stages of the certification process as possible, from verifying compliance with the chosen security policy to analyzing vulnerabilities. It is also a question of taking into account the specificities of the domain and of the cyber attacker in question: what are their objectives (for example, information leaks or taking control of the system) and what are their means (types of cyber attacks).
The Cyber Resilience Act was voted by Parliament in March 2024, with entry into force expected later this year. The stakeholders concerned (manufacturers, importers and distributors of hardware and software) will then have three years to adapt to these new requirements, which will lead to significant changes in their practices as well as increased cybersecurity in the European digital ecosystem.
PEPR Cybersecurity and its project SecurEval (ANR-22-PECY-0005) are supported by the National Research Agency (ANR), which funds project-based research in France. Its mission is to support and promote the development of fundamental and applied research in all disciplines, and to strengthen the dialogue between science and society. For more information, visit the website of the ANR.
Patricia Mouy, Head of the software safety and security laboratory and head of the CEA-List Cybersecurity cross-disciplinary axis, Alternative Energies and Atomic Energy Commission (CEA) and Sebastien Bardin, Senior Researcher at CEA List, Fellow, Head of the “Binary Code Analysis for Security” group, PhD, Alternative Energies and Atomic Energy Commission (CEA)
This article is republished from The Conversation under a Creative Commons license. Read the original article.