If you have been around since the earliest days of the digital revolution, you won’t know it any other way: Electronic devices age fast, they go wrong, they die sudden deaths, they get hacked, or all at once they are incompatible with the state of the art. A couple of years go by, and what was once a cutting-edge device is now digitally obsolete.
We are used to being left alone with our products and their problems. When we buy a new mobile phone and the manufacturer discontinues their support the next day, we accept it with a sigh: We probably didn’t do enough research about what product to buy. For sure the discontinuation would have been announced—somewhere, in some forum, in some user group. It’s no different with security vulnerabilities: Usually, customers have to get informed and take countermeasures by themselves. We are often left alone to sweep up the pieces.
Time for a new understanding of consumer rights and security
Now is the time to leave this attitude behind us. We need a rethink, and not only from the point of view of consumer rights: The poor standards of ongoing digital-product support pose a massive threat to security. A device without support is insecure; without updates, security flaws go unrepaired. Such a device could, for example, be recruited into a botnet and used to magnify the impact of cyber-attacks.
When it comes to the design of digital systems, the capacity for updating is one of three crucial doctrines (the other two being end-to-end encryption, and the need for authentication and authorization each time a device is accessed). In the interests of a secure digital world, this needs to be legally enforceable, in the same way that manufacturers can be made liable for their mistakes. Any calls for “security by design” are a waste of time if you can’t hold manufacturers to account for their insecure devices.
The security of our digital infrastructure is simply too important: The state has to introduce the necessary regulation. Requiring manufacturers to produce reliable products with a guaranteed lifetime is a political responsibility. Hoping that the market will regulate itself and improve IT security without intervention by policy makers will get us nowhere.
Digital single markets do not work with “analog” laws
A key objective of the EU is to promote the digital single market. But unlike in other industries, where common standards were introduced with the “New Legislative Framework” back in 2008, regulation of the digital market remains patchy. It gets worse: In many cases, laws from the pre-digital era are still in use. One example of this is a judgment passed by a court in the Netherlands: In June of this year, it dismissed a lawsuit filed by a consumer protection association calling for reliable updates for smartphones. In keeping with conventional product liability, the court decided that the manufacturer is not responsible for future events like security vulnerabilities, so there is no legal claim to updates.
This legal situation completely fails to address the particular circumstances of the digital world: Conventional products may well have reached the end of their development by the time they are delivered, but any Internet-enabled device or software requires ongoing development until the end of its lifetime. No one but the manufacturer is able to update products and ensure their security. Without laws that recognize this particular situation, efforts to improve IT security will be a waste of time.
National initiatives, such as those currently under discussion in Germany, are praiseworthy but do not solve the problem conclusively. We need uniform, EU-wide regulation to introduce a mandatory security mark similar to the CE mark that we know so well. Also, manufacturers’ obligation to provide updates for a certain period of time after a device was purchased must be uniformly anchored in the internal market.
An EU-wide, modern and security-focused introduction of obligatory updates and minimum standards would bring another advantage: The overall effect would be preventive and would increase the resilience of IT infrastructures. It would put a stop to low-cost suppliers who save on security and updates, and at the same time it would strengthen the market position of manufacturers who focus on security throughout their products’ design.
EU Cybersecurity Act: First Steps
Fortunately, the EU is already active here. A first step towards improving security came with the EU Cybersecurity Act, which strengthens ENISA, the European Union Agency for Network and Information Security, and introduces common certification schemes for Internet-enabled products. The aim is to provide reliable information in all member states about the security level of Internet-enabled products.
A draft was presented to the EU Commission last September, but final approval is pending. There is still time to make changes, which in my view are absolutely essential.
The voluntary security certifications anchored in the current draft will not solve the problems of cybersecurity. What we need are mandatory minimum standards of security for all products that communicate in any way with or through the Internet. We also need legal obligations for manufacturers to close any vulnerabilities as soon as possible after they become known.
As I see it, a decisive argument relates to the particular nature of the digital world: Unlike cars, toothpaste or groceries, an approved digital product is temporarily secure, but no more than that. The ever-changing threat situation, new vulnerabilities and attack patterns make it essential for the heart of these products—i.e. the software and firmware—to be permanently reviewed and updated as required. One-off voluntary certifications are not designed to meet these cyclical demands. They fail to meet a central objective of IT security policy, although they would offer manufacturers a great opportunity to stand out from the mass of providers by offering additional, specialized security features.
Now or never
In order to promote cyberspace security in the long term, the EU must make a triple jump: Minimum security standards, obligatory updates, and security certifications are topics that are indivisible. They are core elements for digital security and digital sovereignty, not only for individual consumers but for Europe as a whole. These measures must become a part of the EU Cybersecurity Act.
There is no time to lose. An EU directive adopted tomorrow still takes time to transpose into national law. The industry needs time, too: In order to develop and manufacture products that meet mandatory security standards, manufacturers need official norms that act as guidelines. These have to be developed first, a process that will take years.
The longer the EU takes to lay down the legal foundations, the longer it will take to find the solution to our cybersecurity problems. And all the longer will consumers and the economy be left alone with new security vulnerabilities, entirely dependent on the goodwill of the manufacturers.
Let’s face it: A failure to incorporate minimum security standards and obligatory updates into the current draft means that stronger consumer rights in the digital world will be a long time coming. After all, it is highly unrealistic that a recently adopted directive will be tackled again any time soon.
Time we simply do not have.