In Pursuit of European Cyber Security: The ETSI Standards and Legislation Workshop
The annual security week of the European Telecommunication Standards Institute (ETSI) is a unique experience where participants from around the world gather to share perspectives on network security developments in every industry sector. The event – now in its 12th year – began with a day devoted to a largely European introspection of its efforts and initiatives devoted to implementing greater cybersecurity. Yaana had the honor this year of presenting core material for the workshop – emanating from ETSI’s Technical Committee on Cyber Security (TC-CYBER) and a related work item for which Yaana is responsible.
Like most government authorities, the European Union is attempting through legislation to require certain courses of action that it believes will further cybersecurity and related interests within its jurisdiction. In the EU, there are three relevant legislative enactments relating to cybersecurity: the Network and Information Security (NIS) Directive, the General Data Protection Regulation (GDPR), and the Digital Single Market (DSM) strategy. All of them give rise to the need for technical frameworks for their implementation. In considering the needed technical frameworks, TC CYBER came to several conclusions in the form of key points.
Key Points
Firstly, there is basically no cybersecurity standards gap in meeting the EU cybersecurity legislation requirements. Indeed, there are too many standards, and many are not actionable or particularly useful. Noted cybersecurity guru Tony Sager describes this situation as the “fog of standards.” There is a need, however, to converge this mass of standards toward useful, interoperable sets of standards.
Additionally, among the many existing standards, it seems apparent that where the standards are not freely available online, constantly evolving, and well-versioned, they have diminished value and represent cybersecurity impediments. Of particular concern are the specifications of ISO, IEC, and CEN/CENELEC, which are only available at a handful of highly controlled sites that force purchase at hundreds or thousands of Euros for even single copies. They are often simply “process” specifications that provide general admonitions, and they are revised only rarely, after years of slow committee activity among a small number of participants. Cybersecurity standards with such highly undesirable attributes themselves represent a vulnerability.
The ETSI CYBER Technical Committee sought to deal with the challenge of having too many standards by discovering the entire cybersecurity ecosystem and focusing on identifying the most effective platforms and specifications that have the broadest industry support.
Secondly, there are no simple or easy cybersecurity solutions. Cybersecurity as such is not achievable given the enormity of constantly evolving vulnerabilities at every level: VLSI chipsets, devices, equipment, distribution chains, BIOS, operating systems, applications, networks, and human operators. The most that can be achieved is reducing the risks through defense control measures coupled with constant vigilance in sharing threat intelligence and mitigations – especially patches. The most prominent and effective defense measures consist of the Critical Security Controls. Among the multiple mechanisms for exchanging threat and mitigation information, the STIX (Structured Threat Information eXpression) ensemble of specifications has assumed widespread global acceptance across multiple industry communities.
While encryption has clear benefits, end-to-end encryption also has adverse effects, which have grown to become a major challenge and need urgent attention. TC CYBER has become the principal global venue for developing a Middlebox Security Protocol to help mitigate the challenge. Additional attention will also be needed for rapidly evolving new industry platforms such as NFV-SDN/5G and quantum computing to control cybersecurity risks.
Thirdly, it is difficult if not impossible to provide effective cybersecurity certification. Meaningful cybersecurity requires constant attention to defense and threat exchange measures. The needs and solutions are global, and unilateral schemes are likely to be counter-productive. It is unclear why EU legislators embarked on an effort to encourage a Digital Single Market certification scheme for cybersecurity. While it is possible to do this for simple interfaces such as those for power plugs, doing so for cybersecurity will not only be costly and meaningless for European users but also misleading to those users with a false sense of security.
ETSI work of relevance to cyber security
Existing work includes both published and ongoing work items. The published work includes:
- TR 103 306: Global Cyber Security Ecosystem
- TR 103 421: Network Gateway Cyber Defence
- TR 103 305-x: Critical Security Controls for Effective Cyber Defence
- TR 103 303: Protection measures for ICT in the context of Critical Infrastructure
- EG 203 310: Quantum Computing Impact on security of ICT Systems; Recommendations on Business Continuity and Algorithm Selection
- TR 103 331: Structured threat information sharing
- TR 103 304: Personally Identifiable Information (PII) Protection in mobile and cloud services
- TR 103 309: Secure by Default – platform security technology
- TR 103 369: Design requirements ecosystem
The work in progress includes:
- TR 103 456: Implementation of the Network and Information Security (NIS) Directive
- TS 103 523-1: Middlebox Security Protocol – capability profile
- TS 103 523-2: Middlebox Security Protocol – mcTLS
- TS 102 165-1: Method and proforma for Threat, Vulnerability, Risk Analysis (TVRA)
- TS 102 165-2: Protocol Framework Definition; Security Counter Measures
- DTS/CYBER-0024: Metrics for Identification of Critical Infrastructure
- TS 103 523: Attribute Based Encryption for Attribute Based Access Control
- TS 103 486: Identity management and naming schema protection mechanisms
- TS 103 485: Mechanisms for privacy assurance and verification
- TR 103 370: Practical introductory guide to privacy
- TS 103 458: Application of Attribute-Based Encryption (ABE) for data protection on smart devices, cloud and mobile services
ETSI’s value proposition for cyber security standards legislation
In a nutshell, ETSI is a proven best-of-breed global collaborative body based in Europe. It is thus uniquely able to bridge the global-Europe requirements gap.
The organization has many additional, highly desirable attributes. It is open, inclusive, expert, flexible, and highly diverse, with extensive industry, SME, academic, and government participation. It avoids inventing its own specifications wherever possible – especially for cybersecurity.
The objective is to bring the standards that do exist into some form of order, which means identifying where gaps of assurance arise when combining them to build best practice. The scope of its work includes critical new platforms such as Quantum Computing and Network Functions Virtualization for 5G implementations. Its reports and specifications, with associated code where appropriate, are freely available online, dynamic, and well-versioned with persistent URLs. ETSI avoids insularity through established cooperative relationships and constant proactive outreach to a very large array of highly active new security and industry bodies as well as legacy organizations and SMEs.
Standards via ETSI TC CYBER will allow the EU Digital Single Market’s reliance on the Network and Information Security Directive and the General Data Protection Regulation to be secure and viable. The special legal status of ETSI standards in Europe is especially significant. Only ETSI, CEN, and CENELEC have this status that allows their specifications to have a normative effect as a component of EU legislative Directives.