Abstract
Safety is becoming cybersecurity under most circumstances. This should be reflected in the Cybersecurity Resilience Act whenever it is proposed and agreed upon in the European Union. In this paper, we define a range of principles which this future Act should build upon, a structure and argue why it should be as all encompassing as possible. We do this on the basis of what the cybersecurity research community for long have asked for, and on what constitutes clear hard legal rules instead of soft. Important areas such as cybersecurity should be taken seriously, by regulating it in the same way we see other types of critical infrastructure and physical structures, and be uncompromising and logical, to encompass the risks and potential for chaos which its ubiquitous nature entails.
We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers make fail or almost fail, all of these details must be expected and detailed. We do this through the following principles:
Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing.
To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR, and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ.
We find that principles which regulate cybersecurity systems' life-cycles in detail are needed, as is clearly stating what technology is being used, due to Kirkhoffs principle, and dismissing the idea of technosolutionism. Furthermore, carefully analysing risks is always necessary, but so is understanding when and how the systems manufacturers make fail or almost fail, all of these details must be expected and detailed. We do this through the following principles:
Ex ante and Ex post assessment, Safety and Security by Design, Denial of Obscurity, Dismissal of Infallibility, Systems Acknowledgement, Full Transparency, Movement towards a Zero-trust Security Model, Cybersecurity Resilience, Enforced Circular Risk Management, Dependability, Hazard Analysis and mitigation or limitation, liability, A Clear Reporting Regime, Enforcement of Certification and Standards, Mandated Verification of Security and Continuous Servicing.
To this, we suggest that the Act employs similar authorities and mechanisms as the GDPR, and create strong national authorities to coordinate inspection and enforcement in each Member State, with ENISA being the top and coordinating organ.
Original language | English |
---|---|
Place of Publication | Ithaca, NY |
DOIs | |
Publication status | Published - 26 May 2022 |
Keywords
- encryption
- cybersecurity
- EU law
- policy