US Cyber Trust Mark VS EU Cyber Resilience Act
-
By
Carsten Gregersen
, CEO and Founder at Nabto - Featured, Network Monitoring Best Practices,
Solutions Review’s Contributed Content Series is a collection of contributed articles written by thought leaders in enterprise software categories. Carsten Gregersen of Nabto examines the US Cyber Trust Mark, the EU Cyber Resilience Act, and what they both mean for IoT security.
Finally, cybersecurity rules are coming to the Internet of Things (IoT). Following a decade of simultaneous endpoint and hacker growth, minimum cybersecurity thresholds will soon be in place for device vendors on either side of the Atlantic.
Last month, The Biden Administration announced The Cyber Trust Mark, a consumer checkmark for digital products that meet required thresholds. Meanwhile, European leaders are currently debating The Cyber Resilience Act, legislation that will enshrine strong cybersecurity into law.
But what impact will these rules have on device creators and consumers? And what differs between each jurisdiction? Let’s explore.
The US Cyber Trust Mark: Earning Consumer Trust With A Checkmark
Let’s start with The United States. The proposed voluntary cybersecurity labeling program intends to help Americans more easily choose smart devices that are safer and less vulnerable to cyber-attacks. Earning the government-backed checkmark – which will appear on approved products in the form of a shield logo – requires vendors to stick to tried-and-tested minimum thresholds for the first time. For example, the program will only give the tick of approval to vendors who create products with unique and strong passwords, data protection, software updates, and incident detection capabilities.
Such a move is overdue. IoT consumers have preferred cheaper connected products for the preceding ten years. As a result, vendors sacrificed strong cybersecurity in the race for the lowest price – and elements like always-on cloud features and default passwords became the norm. Today, with the smart home and modern office increasingly operating with connected devices, attack surfaces are more vulnerable than ever.
The idea is that consumers will vote with their wallets and back this checkmark. Much like a pre-vetting service, users will know that the devices have been assessed beforehand and reached government-defined requirements. And, with major industry players from Amazon to Samsung already backing the program, products without the checkmark will lose confidence in the eyes of the buyer. Therefore, the American approach is to hit device vendors where it hurts – their bottom line.
The Cyber Resilience Act: Regulating Norms and Penalizing Rulebreakers
In Europe, lawmakers are bolstering cybersecurity with regulation. Facing many of the same poor connected devices, The Cyber Resilience Act is a line in the sand that introduces cybersecurity requirements for products with digital elements. This includes establishing a comprehensive framework for hardware and software producers, promoting transparency in security practices, and guaranteeing secure products for consumers. Further, the regulators are also looking to ban the sale of products known to have vulnerabilities.
This is a much further-reaching set of rules compared to the US. Under the proposal announced last September, hardware and software creators will be required to conduct regular vulnerability tests. Meanwhile, European member states will create market surveillance bodies and ensure compliance. And those found non-compliant could face severe penalties. National authorities could impose fines of up to €10M for IoT device-makers, or up to 2 percent of their worldwide annual turnover.
Of course, not everyone is happy with this regulation. The open-source community, for example, fears the wording of “digital elements” is too broad. They claim the draft act will have a “chilling effect” on software development and, if passed, regulate more than 70 percent of the continent’s software without an in-depth consultation. This translates into more than €100 billion in economic impact under threat. The good news is that open-source is willing to work with regulators to improve cybersecurity without limiting innovation. Let’s hope regulators answer the call.
The Similarities, Differences, And What’s Next
These starkly different approaches are emblematic of each region and its attitudes toward business. Europe is regulating top-down (imposing cybersecurity minimums with hefty fines), while the U.S. bottom-up (incentivizing device makers to change their ways with a government-backed consumer label). One offers device-makers a carrot while the other brandishes a stick.
In both cases, though, action is necessary to establish a cybersecurity code in the respective context, especially as IoT becomes a $1 trillion global market. There’s no right or wrong way– the important part is to create a pathway toward improved cybersecurity. In my view, both approaches achieve this.
It’s now up to vendors to play ball. They must improve their cybersecurity today to lead the market tomorrow. One way to achieve this is with an IoT platform provider. Instead of going it alone, vendors can turn to established players who tailor communications and deliver encrypted, private, and secure devices.
Ultimately, vendors can no longer encourage dodgy devices that assist bad actors. Thankfully, consumers and regulators are realizing this is a big issue as devices grow in societal import. Let’s look forward to digital defenses in this sector changing drastically and for the better.
- US Cyber Trust Mark VS EU Cyber Resilience Act - August 16, 2023
Carsten Gregersen
Carsten Rhod Gregersen, the founder of Nabto, is an IoT expert with more than two decades in software and innovation. He is a regular tech commentator with features in TechRadar, The New Statesman, and others.
