EVENT HIGHLIGHTS | Is certification the answer to cyber risk mitigation in Europe?

On the 19th of November, PubAffairs Bruxelles organised an evening discussion on the question of EU cybersecurity certification as a primary tool to mitigate cyber risks in Europe with Mr Jean-François Junger, Deputy Head of Unit, Cybersecurity Technology and Capacity Building, European Commission, Ms Tamara Tafra, Counsellor, Cyber Issues, Permanent Representation of Croatia, Mr Jon France, Head of Industry Security, Technology, GSMA, Professor Chris Mitchell, Department of Information Security, Royal Holloway, University of London and Dr Boutheina Chetali, Security and Certification Senior Expert, Huawei. The event was moderated by Paolo Grassia, Director of Public Policy, ETNO.

Paolo Grassia began by introducing the speakers and contextualising the debate, while highlighting the importance of 5G, IoT and AI for the industry and the wider European and global society. He then elaborated on the significance of the new European cybersecurity legal framework, which aims at preventing cybersecurity risks emerging from a swiftly evolving landscape.

The moderator subsequently gave the floor to Dr Chetali who opened the discussions with an introductory speech.

Dr Boutheina Chetali began her speech by acknowledging the different institutions and perspectives represented in the panel, before progressing to stress that in the current context of cyber-related questions and 5G, security should not be about gaining a competitive edge, but everyone’s duty to ensure a safe cyberspace. As a result, the risks and the efforts for risk mitigation and methodologies must be shared in a collaborative and open manner. Subsequently, Dr Chetali noted that Huawei has been working transparently with all stakeholders in order to address the various challenges associated with cyberspace and stressed the fact that cybersecurity and users’ privacy are top priorities for her company. Dr Chetali continued by stating that, as an independent body, Huawei strives to maintain integrity, trustworthiness, accountability and openness. She furthered her opening statement by highlighting that, whilst Huawei is a private company, security is not a private challenge. Indeed, her organisation considers itself a technological leader and acknowledges the responsibility of displaying leading efforts to identify and mitigate risks that could be enshrined in technological evolutions. The speaker also reminded the audience that despite Huawei operating in 170 countries and serving more than 3 billion users, it has never experienced a large-scale system breakdown or a major cybersecurity incident. Although, as the speaker explained, absolute security does not exist, Dr Chetali stated that this very fact should highlight the importance of improving constantly through collaborative projects with laboratories, universities, institutions, providers and customers as well. Dr Chetali continued by considering that the trust of customers, both business and consumers, must be built on verifiable features, which, in turn, also depend on security guidelines.
Dr Chetali suggested that the EU cybersecurity certification offers the opportunity to standardise the security verification process and remarked that Huawei is one of the most controlled companies in the world, a fact which does not constitute a problem, as it should help to build more trust with all the stakeholders concerned. The speaker continued by highlighting how cybersecurity nowadays constitutes a common responsibility towards a complex challenge, while adding that trust should also be built on new and innovative methodologies for security checks. These facts, the speaker remarked, further emphasise the need for a close and open collaboration when it comes to security. Progressing from this suggestion, she continued by stating that the establishment of ENISA as the EU Cybersecurity Agency, in accordance with the Cybersecurity Act, provides an opportunity to build a safe cyberspace in Europe that could, in turn, set an example for the rest of the world. Dr Chetali reiterated the well-known benefits and drawbacks of Common Criteria by paying particular attention to how time-consuming the development of certification schemes could be for 5G if Common Criteria is the only point of reference for the process, before acknowledging the benefits of NESAS (Network Equipment Security Assurance Scheme). In this regard, she credited both GSMA and 3GPP for its development and praised the inclusion of the perspectives from both the industry and regulators. Drawing her speech to a close, Dr Chetali listed several other technical matters that arose from the question of certification, before highlighting that a highly critical issue will consist of how certification will keep pace with constantly evolving technologies.

After presenting the speakers, the moderator asked the audience to reply by a show of hands who believed that certification could be the primary tool by which to mitigate cyber security risks. In response to the question, few attendees replied positively.

Paolo Grassia initiated the debate by asking Mr Jean-François Junger what he believed had been achieved so far and how European institutions intended to proceed with regard to risk mitigation in new technologies.

Mr Jean-François Junger began by underlining the fact that, with the exception of regulations, only a small part of the effort has been made so far. He continued by commenting that certification schemes will not be able to address every issue associated with cyber risks, but they constitute an important step. Mr Junger picked the example of household appliances now carrying labels on their energy efficiency level and described how this process has facilitated a change of mentality in terms of raising awareness of the importance of energy efficiency amongst both buyers and sellers. The speaker stated that certification schemes would have the same impact on buyers and users of all products connected to the cyberspace, including 5G, and that this process could begin to change the way that users look at technological advancements. Progressing from this focal point, Mr Junger remarked that in terms of cybersecurity, as is the case with all other aspects of security policy, it is the responsibility of EU member states to protect their citizens, industry and society. Indeed, European institutions work along with EU countries to help them achieve security and not to distort the internal market, and, for this reason, the Cybersecurity Act pointed at an EU-wide certification in this area. The speaker continued by stating that in the coming months the Commission is going to continue to work with EU member states and stakeholders in order to develop the first certification schemes, a process which will also include several meetings with all the stakeholders concerned. Mr Junger also noted that the reaction to this initiative showed there is great interest from the industry and drew his point to a close by stating that the EU should be able to offer its citizens an infrastructure which guarantees the security and privacy expected by them with regard to IoT, AI and 5G technologies.

Paolo Grassia questioned Ms Tafra on the challenges of developing a certification scheme, particularly in terms of implementation.

Ms Tamara Tafra answered this question by highlighting that the discussions on cybersecurity are critical for both Europe and the rest of the world, which is currently looking at the old continent as an example of setting a certification standard. The speaker continued by stating that the Cybersecurity Act is one of the first pieces of legislation of this kind, as it addresses several crucial issues not only for the industry, but also for European citizens, as the question of trust in new technologies in a swiftly evolving landscape has also become a societal challenge. Ms Tafra agreed with Mr Junger on the fact that Europe is only at the beginning of the process of adopting new cybersecurity measures and that progress is going to continue over time. The speaker subsequently proceeded by stating that the wider discussions on certifications and cybersecurity should not be limited to 5G and questioned the usefulness of having certified 5G networks if the end products remain insecure. Indeed, by remarking that the cyber ecosystem has a larger scope, she advocated for certification at every stage of the lifecycle of the given product. Ms Tafra remarked that this process will be a demanding task, before reminding those present that Europe has been dealing successfully with several other important challenges. Ms Tafra then emphasised the need to educate and inform European citizens of the importance of cybersecurity and of what such a term involves, remarking that certification will not be of help if the public is unaware of, or uninterested in knowing, the risks and acting accordingly. For this reason, Ms Tafra revealed that the upcoming Croatian Presidency will put a special emphasis on the question of cyber skills, not only in terms of job skills, but also in the light of security concerns.
Ms Tafra concluded her opening statement by saying that the Croatian Presidency of the EU will not only place a strong emphasis on digital skills development, but also on the finalisation of the “Tool Box” for 5G, as well as on the swift implementation of 5G networks.

The moderator asked Professor Mitchell if certification is the right response to foster users’ trust in new technologies.

Professor Chris Mitchell started his speech by stressing the need to understand what certification is and what it should be for. He continued by stating that certification has many different aspects and highlighted that certain products and services are critical for wider society and, as a result, the need for certification is very high; whereas the failure of other products might be unfortunate, but in essence less serious, hence the need for certification is lower. Professor Mitchell therefore asserted that the degree to which society should depend on technology should be established before the degree of its need for product certification. The second aspect that must be considered, Professor Mitchell continued, is at whom certification is aimed, whether consumers or operators, stating that it is also important to consider why certification has only recently arisen as a crucial issue. Professor Mitchell noted that one answer to this question could stem from the belief that 5G is transformative and citizens in Europe and around the world will be increasingly reliant on this technology; as a result, the need for trust and certification is becoming progressively higher. Professor Mitchell also noted that such a discussion is not necessarily negative; however, he also stressed the fact that it prompts one to ask whether the question of certification should have been raised several years ago. Indeed, the speaker remarked, 4G is also widely relied on, and yet there is no unified European certification scheme for it. Professor Mitchell continued by elaborating on how the different aforementioned pieces fit together, acknowledging that the Cybersecurity Act provides a framework for the European Union, and probably also for those outside who wish to follow a similar path, to harmonise the way certification is conducted.
Similarly, for 5G specifically, there is NESAS, the work done by 3GPP and particularly what has been created with the SCASs (Security Assurance Specifications for specific products). Professor Mitchell stated that, in addition to this, the EU also has well-established Common Criteria, as well as the experience of the “Orange Book”, but he added that there must be more debate on how the different aspects can fit together, what the levels of criticalities are and the degree to which certification is needed, be it substantial or otherwise. Professor Mitchell concluded his intervention by advocating for a harmonised base-line of certification, based on the Cybersecurity Act for both 5G infrastructure and consumer products, across the EU. Professor Mitchell continued that this can then be built on at the national level, while stating that there is still a long way to go to reach this aim; however, the speaker expressed his hope that a base-line level of certification will be in place sooner than one might think.

Paolo Grassia asked Mr France whether the industry is equipped enough to build trust amongst the public, particularly in the context of moving from 4G to 5G-based infrastructures, and whether the aforementioned European schemes could build on what the industry has already achieved.

Mr Jon France began his intervention by commenting on how broad the discussion had been up to that point, before progressing to state that, whilst security has always been a facet requiring cooperation among stakeholders, it has not always been given the attention it should have had. However, Mr France stated, this setting has changed with 5G, and the increasing reliance on software-based technology, such as within 5G, has brought up many topics such as societal reliance and economic welfare. Continuing on the same question, Mr France underlined that security is the appropriate context in which to discuss new technologies; nevertheless, he was quick to highlight the need to hold discussions on trust and resilience. The speaker asserted that the process of certification should start as soon as possible and continued by stating that 5G networks are possibly the first to have security as an inherent critical design characteristic. Mr France went on to list some of the technologies and concepts that 5G networks will incorporate, such as service-based architectures, segmentation of security workloads and stronger encryption, and noted that the number and scale of technologies continue to grow ever more complex, whilst acknowledging that such components need to address the security concerns and that most of the ways of doing this within these new technologies are already known and accessible. With regard to different operators, the speaker made clear that security should not be seen as a differentiating feature or a commodity that should be exploited for capital gains. Subsequently, he expressed his support for NESAS and the idea of a base-line level of assurance, previously suggested by Professor Mitchell. Yet, Mr France argued that this base-line should not be related to national security concerns, which, he stressed, are the sovereign responsibility of the nation state.
With regard to the base-line, however, he highlighted that security in this context does not just refer to what equipment is used and how, but also how such systems are operated and how the owners deploy, configure and maintain said equipment as an operational system. Mr France concluded his intervention by stating that Europe is only at the very beginning of the process and that these questions will continue to evolve over time. He finally returned to the original question posed at the beginning of the debate by stating that the EU certification is only part of the solution, noting that there should also be other schemes and guidance in place to address cybersecurity including, but not exclusively, the “5G Tool Box” of the European Commission which is about to be released.

The moderator asked Ms Tafra to give her perspective on the EU-wide risk assessment on 5G and what risks she sees in 5G that are different to previous generations, as well as how the “5G Tool Box” is intended to respond to said risks.

Regarding this matter, Ms Tafra remarked that the intention of the current EU Presidency is to have the planned “5G Tool Box” finalised and made public by the end of this year, while stating that she could not provide further details before that time on this very question. She continued by saying that the running of the national risk assessments was a good exercise for EU member states as it revealed several issues in their respective national security systems that they had previously been unaware of. In addition to this, national risk assessments highlighted the extent to which the member states differ in levels of preparedness. Similarly, the final assessment, notably conducted at EU aggregated level, collected all of the information gathered by member states and provided a more precise picture of the risks that the EU is facing with the implementation of 5G networks. Ms Tafra noted that the most important risk with 5G is the so-called “multiple entry points”, referring to the possibility of gaining access to private data and critical infrastructure from an increased number of potential spaces. Regarding this question, the speaker stressed the fact that this is an issue that the “5G Tool Box” will need to be able to address. The speaker continued by remarking that another identified risk is the impact that 5G will have on all other IT infrastructures; hence, how to mitigate the risks attached to the interrelation between these new features of technology will also be one of the key priorities of the “Tool Box”. When drawing her intervention to a close, Ms Tafra noted that whilst the “Tool Box” is focused on identifying and mitigating the risks of 5G, it will be up to the member states to properly implement the recommendations.
Elaborating on this consideration, Ms Tafra concluded her intervention by stating that the process of ensuring security and trust in new technologies will start to take a more concrete shape after the release of the “5G Tool Box” and the implementation process by member states; however, she also stressed that the debate on security and trust will continue to be a part of both EU institutional and national political agendas for a long time.

Mr Grassia asked Mr Junger to further clarify what is meant by 5G certification, as 5G will be a complex ecosystem which some define as “open”.

Mr Junger replied by stating that the Cybersecurity Act foresees the capacity to certify everything that is connected to the internet, from software to hardware, however he also pointed out that, whilst any domain can become subject to certification. The speaker pointed out that it could be possible to certify services, however this can only happen once the certification scheme is developed and the extent to which this would be feasible, is still to be seen. In addition to this, Mr Junger reiterated that certification is only one element of the relationship between cybersecurity and 5G technologies. Furthermore, while stressing the importance of looking at the security issues at every level, the speaker took both France and Germany as examples of countries which have introduced valuable laws for the preservation of the security of their telecom operations beyond electronic equipment. In both cases, Mr Junger noted that the laws adopted go far beyond equipment certification as they also include the protection of the subcontractors and the physical infrastructure. He further stated that the EU risk assessment identified a series of risks, both technical and non-technical, entering in a more sensitive policy area. In concluding his response, Mr Junger underlined that the implementation of security measures remains the responsibility and obligation of the member states, before stating that Europe must be able to guarantee security, whilst ensuring the successful implementation of the 5G networks, which in turn, would guarantee that European industry remains competitive.

The moderator drew the debate to a close by asking if any panellist wished to comment on how trust could be maintained in a complex ecosystem. 

Mr France began by emphasising the need to have expiration dates set on the certificates, requiring them to be updated at regular intervals, stating that the timeframes should be decided based on how often developments and changes tend to occur in the networks for which certificates are offered. He also highlighted that this feature implies that the schemes should be able to anticipate the changing landscape. The security question, the speaker concluded, behoves companies not only to follow regulations, but also to adopt practices which can further ensure security. For these reasons, Mr France reiterated that certification will not be the only answer to the question of security both in Europe and around the world.

Professor Mitchell expressed his agreement with Mr France’s comments, adding that when discussing the update and maintenance of a certification scheme, it would be useful to look back at the EU’s experiences with Common Criteria. However, Professor Mitchell continued by saying that, in the context of 5G, the hardware is often discussed, but it is actually the software that is the real key component of the network. This fact, the speaker explained, also constitutes a problem when attempting to establish common criteria, as software changes regularly. Professor Mitchell subsequently asserted that this issue also leads to an additional problem, namely the subtle differences between different software that could make certification difficult, as automatic updates and patches are common amongst software programmes. In concluding his intervention, Professor Mitchell stated that certification will not be the silver bullet that will address the question of cybersecurity once and for all, but could be of help, provided it is conducted appropriately.

The Q&A session covered the following issues: the role of cybersecurity and certification of the Digital Single Market, the risks of European reliance on single non-European providers, strategic priorities for specific IT products, the diversity of the different stakeholders and the importance of their role in the discourse, the impact that certification can have on interoperability and the Internet of Things (IoT), digital sovereignty and the global supply chain, how the EU’s approach to cybersecurity will impact the European neighbourhood, other approaches to awareness and trust raising, the architecture of security systems and the complexity in certifying 5G. 

Want to know more about the issues discussed in this debate? Then, take a look at the selected sources provided below!

The EU Cybersecurity Act, Digital Single Market, European Commission

Cybersecurity of 5G networks, Digital Single Market, European Commission

Member States publish a report on EU coordinated risk assessment of 5G networks security, European Commission

EU cybersecurity certification framework, ENISA

Cybersecurity certification: lifting the EU into the cloud, ENISA

Finnish EU Presidency Programme “Sustainable Europe, Sustainable Future”

Croatia unveils look and feel of next year’s EU presidency, Euractiv

EU2020HR: Croatian Presidency Website

Common Criteria Portal

Network Equipment Security Assurance Scheme (NESAS), Global System for Mobile Communications – GSMA

3GPP, The Mobile Broadband Standard

5G Security Assurance Specification (SCAS) for the Security Edge Protection Proxy (SEPP) network product class

Trusted Computer System Evaluation Criteria [“Orange Book”], US Department of Defence

The EU’s search for tough cybersecurity standards, Euractiv

Trustworthiness and Security – The Foundations of EU 5G, Huawei

Huawei CEO: EU doing a ‘great job’ in cybersecurity, Euractiv

Europe can trust Huawei more than ever, said Huawei Chairman in Brussels

Cybersecurity: What are the risks?, The Parliament Magazine

A rules-based approach to 5G cybersecurity, The Parliament Magazine

FT-ETNO Summit 2019, Pioneering and Protecting: Looking Ahead to a New Decade, Financial Times