The EU’s proposed Cyber Resilience Act, which would introduce cybersecurity standards and regulations for all products and connected devices, is not enough to actually mitigate the increasing risk of cyberattacks.
There is no question that the act, first introduced late last year by European Commission president Ursula Von der Leyen in her State of the Union address, is admirable and may go a long way toward raising awareness about cybersecurity and cybercrime. Heightened threats continue, especially from Russia and China, and are aimed at Europe and the United States—these attacks could ultimately affect civilians. With the proliferation of connected devices, attack surfaces and the potential consequences for both governments and civilians are also growing at record rates.
“If everything is connected, everything can be hacked,” Von der Leyen said. But, even if the regulation—along with another proposal known as NIS2 that would set out uniform cybersecurity standards for those providing critical services—is eventually approved later this year, it will not reduce the number of attacks or the increasing damage they cause. This is true of cybersecurity regulations in general, including the updated password compliance directives from the National Institute of Standards and Technology (NIST) in the U.S.; on their own, they are not sufficient and may even provide a false sense of security.
Regulations are the Outcome of Attacks
These regulations arose after a number of significant cyberattacks were conducted or discovered over the last few years, especially in 2021. One of the major reasons the proposed EU regulations will not materially address cyberrisk is that they are reactive, not proactive, and will likely be out-of-date by the time they are approved and adopted. We are seeing malicious actors constantly changing their tactics and, along with the constant change in technologies and software, these threats are extremely dynamic, exploiting known and unknown vulnerabilities at organizations and disrupting legitimate processes.
This requires constant vigilance, active threat hunting and threat intelligence to avoid the damage inflicted on a company’s reputation.
At their core, these moves by American and European agencies are well-intentioned: they try to better combat cybercriminals and attackers by creating a baseline level of cybersecurity and network conduct in government, civilian and critical entities, and they include reporting requirements and time frames during which companies must remedy incidents.
But such regulations will also likely be too broad to bring real protection to any one sector or organization’s product or service. The cybersecurity maturity and abilities within sectors vary widely; for example, the financial sector is more advanced than the retail and medical fields—and FinTech is even ahead of a lot of companies in the high-tech field—when it comes to overall cybersecurity. Not to mention that smaller supply chain companies are easier targets than big ones. For that reason, programs and processes used by one sector or one organization are not necessarily applicable or relevant to others.
While there is no question that these different sectors and verticals can learn from each other, it is not reasonable to ask them to all adopt the same standards; for some, that would be a step up (maybe too big a step up), and for others a step down. Not to mention that security upgrades such as this are costly and many smaller organizations won’t be able to afford to do so.
Even for those organizations that would upgrade their cybersecurity standards to comply, this would not necessarily mean actual increased protection. Actual protection only increases if it is tailored to specific needs and balances risk assessment of attackers and critical assets, whether that’s intellectual property, consumer data privacy or something else. Simply making general improvements is not a guarantee of increased protection.
Regulations are Almost Impossible to Enforce
While well-intentioned, the Cyber Resilience Act also fails to take into account the human element. An organization cannot simply upgrade its cybersecurity technology or applications. It needs the appropriate talent to run the cybersecurity defense systems; not only that, but it needs skilled professionals with the experience and wisdom to understand which threats and vulnerabilities should be prioritized. Again, this comes down to each individual organization having a cybersecurity team and cybersecurity talent tailored to its industry, market, assets or products as well as to the threats it faces along with better awareness by employees.
Lastly, even if regulations do lead to some organizations adopting better cybersecurity practices for their products or services, the regulations themselves will be nearly impossible to enforce.
This is not to say that regulations shouldn’t be implemented. But in addition to these regulations, the most efficient way to lower the potential damage to government, civilian and critical entities is for organizations to take the initiative themselves to shore up areas of weakness and defend against enemies. Such efforts, although not regulated, should be conducted on every company’s devices, services and related data by highly skilled cybersecurity professionals with extensive knowledge and the ability to apply it to fend off threats. This will help protect against known and emerging cyberattacks.