GlobalPlatform calls for global alignment on cybersecurity levels
GlobalPlatform, the standard for secure digital services and devices, has released a whitepaper highlighting the potentially confusing implementation of security levels in the EU Cybersecurity Certification Scheme (EUCC) proposed by the European Union Agency for Cybersecurity (ENISA) as part of the Cyber Security Act (CSA).
“Businesses and citizens need clarity and confidence to adopt technology. If a device is certified as highly secure, that achievement should equate to the robustness of the device’s security and the functionality it can support. In differing from well-established security levels used in industry, the EUCC has introduced confusion and disturbed ecosystems founded on existing security schemes,” comments Olivier Van Nieuwenhuyze, Chair of the GlobalPlatform Security Task Force.
Highlighting misalignment in security levels
In its analysis, GlobalPlatform commends the European Union for taking a proactive approach to cybersecurity certification, particularly in light of today’s threat landscape, before asserting that the EUCC approach may ultimately undermine confidence in product security while increasing ecosystem fragmentation and consumer confusion.
According to the EUCC’s current framework, only public schemes operated by national bodies can certify that a product meets the highest level of cybersecurity. By extension, certifications from established security certification schemes – such as those managed by GlobalPlatform and other industry organisations, which represent best practices for cybersecurity across many different industries – can only be recognised as ‘substantial’ under the EUCC.
This approach confuses robustness with assurance, highlighting to end users that the entity that certified the device is more important than the robustness of the device’s security.
“Fundamentally, end users must have accurate information to make educated choices. For a time, only security experts will be able to understand the security robustness of a product. If a product does not meet the expectations of end users, brands may be exposed and damaged,” adds Van Nieuwenhuyze.
Calling for collaboration
The paper calls for greater collaboration between public and private certification schemes, and increased emphasis on input from the industry, to ensure cybersecurity certification schemes are transparent, aligned with industry, and accessible to the end user.
“The EU CSA, ENISA and the EUCC have a fundamental role to play in the future of cybersecurity on both the European and global stages. Alignment with existing cybersecurity initiatives and security levels will help the ecosystem demonstrate the capabilities of products, foster confidence and adoption, and provide greater end-to-end security, privacy, simplicity, and convenience for everyone,” adds Gil Bernabeu, Technical Director of GlobalPlatform.
Read the white paper here.