Cyber Resilience Act 2022: A silver bullet for cybersecurity of IoT devices or a shot in the dark?

IF 3.3 | Zone 3 | Sociology | Q1 LAW
Mohammed Raiz Shaffique
DOI: 10.1016/j.clsr.2024.106009
Journal: Computer Law & Security Review, Volume 54, Article 106009
Published: 2024-07-05 (Journal Article)
Open access: no
URL: https://www.sciencedirect.com/science/article/pii/S0267364924000761
PDF: https://www.sciencedirect.com/science/article/pii/S0267364924000761/pdfft?md5=cffbcbbedc6e57f54e9b97ba7eead7ab&pid=1-s2.0-S0267364924000761-main.pdf
Indexed on: Semantic Scholar
Citations: 0

Abstract

The Internet of Things (IoT) is an ecosystem of interconnected devices (IoT devices) that is capable of intelligent decision making. IoT devices can include everyday objects such as televisions, cars and shoes. The interconnectedness brought forth by IoT has extended the need for cybersecurity beyond the information security realm into the physical security sphere. However, ensuring cybersecurity of IoT devices is far from straightforward because IoT devices have several cybersecurity challenges associated with them. Some of the pertinent cybersecurity challenges of IoT devices in this regard relate to: (i) Security During Manufacturing, (ii) Identification and Authentication, (iii) Lack of Encryption, (iv) Large Attack Surface, (v) Security During Updates, (vi) Lack of User Awareness and (vii) Diverging Standards and Regulations.

Against this background, the Cyber Resilience Act (CRA) has been proposed to complement the existing EU cybersecurity framework, which consists of legislation such as the Cybersecurity Act and the NIS2 Directive. However, does the CRA provide a framework for effectively combating the cybersecurity challenges of IoT devices in the EU? The crux of the CRA is to lay down and enforce the rules required to ensure cybersecurity of ‘products with digital elements’, which includes IoT devices. To this end, several obligations are imposed on manufacturers, importers and distributors of IoT devices. Manufacturers are mandated to ensure that the essential cybersecurity requirements prescribed by the CRA are met before placing IoT devices on the market. While the cybersecurity requirements mandated by the CRA are commendable, the CRA suffers from several ambiguities which can hamper its potential impact. For instance, the CRA could provide guidance to manufacturers on how to conduct cybersecurity risk assessment and could clarify the meanings of terms such as “limit attack surfaces” and “without any known exploitable vulnerabilities”.

When the fundamental themes of the CRA are analysed through the prism of the cybersecurity challenges of IoT devices, it becomes clear that the CRA does provide a foundation for effectively addressing those challenges. However, the expansive wording in various parts of the CRA, including in the Annex I Requirements, leaves scope for interpretation on several fronts. Consequently, the effectiveness of the CRA in tackling the Security During Manufacturing Challenge, Identification and Authentication Challenge, Large Attack Surface Challenge and Diverging Standards and Regulations Challenge would be largely contingent on how harmonised standards develop and how the industry adopts them. The CRA seems to be more effective, albeit not fully so, in significantly addressing the Lack of Encryption Challenge, Security During Updates Challenge and Lack of User Awareness Challenge of IoT devices. However, the manner in which the CRA addresses all these cybersecurity challenges could be improved upon if an agency such as ENISA were given the legal mandate to set elaborate standards for cybersecurity requirements under the CRA.

Source journal
CiteScore: 5.60
Self-citation rate: 10.30%
Articles published: 81
Review time: 67 days
Journal description: CLSR publishes refereed academic and practitioner papers on topics such as Web 2.0, IT security, identity management, ID cards, RFID, interference with privacy, Internet law, telecoms regulation, online broadcasting, intellectual property, software law, e-commerce, outsourcing, data protection, EU policy, freedom of information, computer security and many other topics. In addition it provides a regular update on European Union developments and national news from more than 20 jurisdictions in both Europe and the Pacific Rim. It is looking for papers within the subject area that display good quality legal analysis and new lines of legal thought or policy development that go beyond mere description of the subject area, however accurate that may be.