Xiang Zheng Teo, Ensign InfoSecurity
Anastasiya Kazakova, DiploFoundation
As users of numerous digital products – apps, smart devices etc. – we expect a certain level of security and safety while using those products, although we don’t know how secure they are and, what’s more, don’t often have easily accessible ways to acquire such knowledge. Poorly secured digital products can become a reason for exploitation of vulnerabilities, which are reported to be often used in ransomware attacks. But not only that: a lack of security in digital products also means poor security configurations, i.e. products that are either misconfigured or left unsecured with weak controls that allow threat actors to gain initial access and compromise users’ systems.
For us as users, it’s safe to assume that those who produce digital products are expected to ensure their security. But are manufacturers on the same page? And if they are, who defines the security in (an incredibly diverse set of) digital products produced, manufactured, assembled, distributed, consumed in multiple jurisdictions at the same time? Is it the European Union (again after setting personal data protection standards once in 2018) with the proposal for a new landmark legislation?
We discussed these questions with Xiang Zheng Teo, Vice President of Advisory, Consulting, Ensign InfoSecurity in the Geneva Dialogue podcast, but we felt there is more to unpack and below there is a conversation with with XZ and further ideas to find the answer to the question in the title.
Hope you’ll enjoy both the podcast and the short conversation below, and if you have thoughts, don’t hesitate to share – contact us and let’s discuss more!
When we speak about the cybersecurity rules for digital products, what do we mean?
Anastasiya: XZ, I know we touched on this during the podcast conversation, but I’d like to get us back to the core question first. When we ask about the rules of the security of digital products, I believe we are highlighting the existing gap and, simultaneously, acknowledging the already materialised risks that necessitate action from both manufacturers and consumers of digital products.
So, when we talk about rules for the security of digital products, what should we practically consider and discuss here? Is there an expectation of a comprehensive regulatory framework or standardised regulations for all digital products globally, or are we looking at different types of regulations for different products? Moreover, is this discussion centred around regulations, or is it more about industry standards and policies?
XZ: I believe that standards, preferably open standards, are the crux to allowing a common reference for the evaluation of security of products and services. However, I do not believe that the standard for one type of product can be used homogeneously across all types of products. For example, medical devices and healthcare-related services must consider human safety, which is quite different from conventional products which may not need to consider this.
As we have discussed, different jurisdictions have taken approaches to labelling based on standards which they individually establish. Some of these jurisdictions see further value in establishing mutual recognition so that the efforts invested in one jurisdiction can be leveraged for other jurisdictions and markets.
It is important to note that the labelling schemes, so far, are not regulatory mandated, except for medical devices in the USA. Majority of the approaches leverage competitive pressures and market demand to spur adoption and thus drive transparency for both manufacturers and consumers.
In the case of medical devices or even safety instrumentation systems (SIS), regulations might be necessary as they go beyond conventional functional use, but have direct implications towards human safety.
Anastasiya: So great you started with standards. In the Geneva Dialogue, I believe there is almost a consensus that standardised approaches to regulating the cybersecurity of digital products are important – approaches that ensure interoperability and consistency across various markets and jurisdictions. Is this a realistic expectation, though, in the current geopolitical climate with growing polarisation?
XZ: Rather than realistic expectation, I would say it is a necessary development that the global community should work towards. We increasingly need a consensus on how to recognise the cybersecurity risks associated with the cyber supply chain and the management of vulnerabilities as the problem is accelerating in the expansion of cyberspace.
Even if we cannot come to a unified standard of recognition, we may be able to live with a few groups of standards. The parallel will be the travel adapters we need when we travel between countries. At least there are just a few standards we need to adapt and there are means to work with different groups of countries who have chosen specific standards. It would be horrible if there are as many standards as there are countries or jurisdictions.
Anastasiya: Oh, yes, I totally agree with that. Another million-dollar question of mine would be, though, how to build this interoperability between emerging standards, emerging regulatory approaches to secure digital products we consume? What are the steps to be taken and by whom, for that?
XZ: I believe that dialogue (no pun intended) and transparency is needed. The front runners in the implementation of cybersecurity labelling schemes are now having the opportunity to coalesce the global community towards a standard (or group of standards). I note that there are already efforts in the ISO/IEC AWI 27404 attempting to establish a common approach towards cybersecurity labelling. It may be an idealists’ dream to have everyone globally aligned to this, but at least this is the first effort to establish the labelling framework. Existing approaches and efforts from different jurisdictions may take reference from this to further develop and derive consensus.
The ISO/IEC standard development process already takes in contributions from multistakeholders and parties should consider how they want to join to contribute or take reference from such works. Beyond that, I believe that each jurisdiction should strive for interoperability or choose to build ‘translations’ and ‘adapters’ to help manufacturers and consumers more readily understand comparative similarities and differences between the different labelling schemes or standards.
Anastasiya: I would personally join such idealists’ dream.
Speaking very practically now – the EU Cyber Resilience Act is already under way to some extent. I mean, there is already a proposed piece of legislation to introduce global (de facto) rules for the security of digital products. And this is being done by one actor – the European Union. What reaction would you predict from manufacturers outside of the EU and regulators from other countries to the law if this is adopted? Do you anticipate a similar legislation to be introduced, in particular, in your country – Singapore?
XZ: Something I always remind is that there are big players and there are small players. All these point towards the level of resourcefulness. In the economic sense, larger markets naturally have more opportunity to drive manufacturers and consumers towards standards and regulations compared to smaller markets.
I take the point that the EU ruling on Apple to use the open USB C connector has actually led to their newer products use the USB C connector for power and data transfers. This is a large market’s regulatory influence to move for change. This may not be feasible for smaller markets to influence.
Smaller markets, generally, have to accept, or conform with approaches and standards established in larger markets. However, increasingly, it is necessary for smaller markets and their governments to establish an ‘eyes wide open’ position to better understand the risks they are exposed to and how to navigate them. This is the Singapore approach. By encouraging transparency of cybersecurity capabilities of products, we allow market forces to drive the adoption of more secure products. Approaches adopted in Singapore, for safety and electrical safety is to regulate it with local, but internationally aligned standards. However, for cybersecurity, we have adopted the Cybersecurity Labelling Scheme which is voluntary, and at the same time, contributes to the ISO standards to ensure international alignment.
Anastasiya: My final question to you as a private sector representative with a global outlook and expertise. Where, do you think, regulators/policymakers and industry/companies who manufacture digital products are principally not on the same page? In what areas do their interests and positions diverge when it comes to addressing security and safety risks arising from the use of digital products?
XZ: The greatest misalignment stands from the lack of understanding of the technical and economic context by the policy makers and the objectives of commercial entities which are to meet supply and demand.
