Cyber regulation: more activity from the EU
In the now distant 2018, the EU regulators thought they would improve the state of cyber security by addressing one outcome: violations of personal data. By imposing strong penalties and making data privacy an obsession, the General Data Protection Regulation (GDPR) was expected to bring organizations into line and make them take cybersecurity more seriously. However, it appears reality overtook the regulators, as cyber attacks are now increasing in frequency and destructiveness, together with personal data violations.
Now the EU Commission is getting ready to adopt a new regulation called the Cyber Resilience Act by the end of 2022. It will introduce mandatory cybersecurity requirements for products that have “digital elements” sold across the bloc, with requirements applying throughout their lifecycle - meaning vendors will need to provide ongoing security support and updates to patch emerging vulnerabilities.
The new regulation will apply to a wide range of products: from home appliances and connected toys to computers and software. Among the products included are identity management systems, operating systems for servers, desktops, and mobile devices, firewalls, routers, mobile device management software, VPN products, and many, many more. In short, almost any vendor providing IT technology used in modern organizations will have to comply.
Besides adding another regulatory burden, is the regulation already misguided and lagging behind reality in terms of real value for all stakeholders?
First, take the reasons for the new regulation: the proposal cites bugs such as the one in MS Windows that allowed the WannaCry worm to spread back in 2017, or the Kaseya software bug that exposed many of its customers to hacking in 2021. Although vulnerabilities such as these can cause disruptions, today's attackers are more focused on compromising legitimate code repositories, as seen in the SolarWinds Sunburst attack or the compromise of the Kiev-based accounting software vendor ME Doc, which led to high-profile attacks such as the one against Maersk.
These attacks are essentially not about vulnerabilities but rather about subverting authentication via social engineering tactics and injecting code into otherwise legitimate code repositories. Simply speaking, the regulation is ignoring the elephant in the room: most of today's attacks are based on phishing techniques, i.e. tricking employees or developers into allowing access to private systems.
Second, wormable exploits that allow uncontrolled spread without user interaction are actually less destructive in terms of data stolen or destroyed. The last notable one was precisely the one that enabled the WannaCry spread in 2017, and even that one was less successful in terms of spread than earlier worms such as Conficker in 2008. Nowadays, self-spreading worms mostly target devices shipped in a default insecure state (default passwords), and are less "powered" by vulnerabilities. Witness popular bots such as the Mirai worm infecting various network-attached devices - from Linux servers to routers, firewalls and IoT devices.
Third, further mandating patching can have unintended consequences: the pressure to issue patches will decrease their quality. The Zero Day Initiative (ZDI), a vulnerability wholesaler, already points out that 10% to 20% of vulnerabilities are being revisited and re-patched. Admins applying security patches are finding that it's becoming harder to time updates and determine the impact of patching on their organizations. More patching means more risk of downtime and disruption. That will certainly grow, which is precisely the opposite of the regulation's stated objectives.
One could list many other unintended consequences of such regulations, but it's already worrying that the proposal looks outdated even before its adoption sometime during 2022.