
In the thrust and parry of cyber resilience, the European Union (EU) has forged a legal framework made of many pieces to fortify its digital defences. Yet, there remain two clear weak spots in Europe’s collective armour: the presence of unsupported connected devices within critical infrastructure networks and the opacity surrounding the handling of newly discovered, or obtained, vulnerabilities by government agencies.

In this blog post, I look at these two issues and at what EU policymakers can do about them to strengthen Europe’s cyber resilience.


Unsupported Devices: A Cybersecurity Liability

Devices that were once technological marvels become liabilities as they age beyond their support lifecycle: once a vendor stops issuing security updates, every vulnerability found afterwards stays open for as long as the device remains connected. Consider the healthcare or energy sector, where the stakes are incredibly high if connected devices at or past the point of obsolescence are still on the network. The time is now for EU policymakers and critical infrastructure operators to address the hidden dangers of out-of-date technology.

The statistics are stark and unyielding: a 2020 NTT study found that nearly half of the devices within global organizations’ networks were unsupported or nearing obsolescence. In 2017, unpatched and end-of-life software enabled the WannaCry ransomware attack to infect some 300,000 machines around the world, from telecom networks in Spain and hospitals in the United Kingdom, to car manufacturing in France. The flaw it exploited, in the SMBv1 file-sharing protocol, had been patched by Microsoft two months earlier for supported Windows versions; end-of-life versions such as Windows XP only received a fix after the outbreak. Such incidents show us what may come if action is not taken.

Patching Up Europe’s Cyber Defences with Binding Requirements

Patching software is a fundamental security tenet. Most cyber-attacks exploit known vulnerabilities, not new ‘zero-days.’ In 2022, 76% of ransomware attacks exploited vulnerabilities that had already been discovered before 2020. The concern only becomes more acute when you consider unsupported devices. Not only are organisations’ IT and security teams stripped of the option to update the devices in their network, because the patches do not exist, but the vendor has stopped looking for vulnerabilities in them and will not fix the ones that are found. The people most motivated to keep looking are the attackers. Such devices are sitting ducks.

Cisco’s Security Outcomes Study (2021) surveyed 5,100 security and IT professionals, and a proactive technology refresh strategy came out as the single factor most strongly associated with a successful security program.

The EU has already laid the groundwork with the NIS 2 Directive (the Directive on measures for a high common level of cybersecurity across the Union) and the Cyber Resilience Act (CRA). The former obliges critical infrastructure operators to manage the cybersecurity risks to their organisation; the latter requires manufacturers to keep their products secure, and to handle vulnerabilities in them, throughout the product’s support period. But neither addresses what operators should do with technology that has outlived that period.

A binding measure to retire and replace unsupported devices is the critical piece of the puzzle still to be placed. It is low-hanging fruit in Europe’s cyber resilience policy toolkit, and it should be part of Europe’s foundational security baseline.

International Models for the Handling of Unsupported Devices

Looking globally, we find best practices that underscore the urgency of implementing such a policy in the EU. The Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. and the National Cyber Security Centre (NCSC) in the U.K. both advocate removing obsolete products from networks. Japan’s Economic Security Promotion Act of 2022 goes a step further, compelling critical infrastructure operators to submit plans for the introduction of critical equipment for review, with implementing guidance that prohibits the use of unsupported devices.

Vulnerability Disclosure: A Government Grey Area

The EU must also scrutinise the handling of vulnerabilities by government agencies. With a burgeoning market in, and use of, zero-day vulnerabilities, there is a tangible risk that governments will opt to retain such knowledge for intelligence or law enforcement purposes rather than disclose it to the vendor. The NIS 2 Directive encourages Member States to adopt Coordinated Vulnerability Disclosure (CVD) policies, but it remains silent on governments’ own retention and exploitation of vulnerabilities.

Historical precedents illustrate the perils of nondisclosure: the Heartbleed bug in OpenSSL, the CIA hacking tools exposed by WikiLeaks, and the leaked NSA exploit for the Windows SMB flaw that powered WannaCry. Studies suggest that a sizeable share of vulnerabilities are independently rediscovered within a year or two, so a vulnerability one government sits on may already be in a rival’s or a criminal group’s hands, which compounds the risk of non-disclosure.

International Models for Vulnerability Management

The U.S. published an updated charter for its Vulnerabilities Equities Process (VEP) in 2017. The U.K. authorities (the GCHQ/NCSC Equities Process, published in 2018) and the Dutch government have likewise established processes and considerations governing the retention and use of vulnerabilities. The EU can draw on these examples to foster a robust debate and establish a framework of its own for vulnerability management.

EU policymakers should set transparent and accountable rules for the handling of zero-day vulnerabilities by government agencies, with a presumption of prompt disclosure to the manufacturer.

A Call to Harmonise Rules and Act Swiftly

The EU should take bold steps on both fronts: ensure that obsolete devices are retired from critical infrastructure operators’ networks, and give governments clear rules for handling and disclosing vulnerabilities. Both are vital pieces of any cybersecurity strategy. Policymakers and operators must work together to secure the digital infrastructure upon which virtually all sectors of the economy now depend.

So, will the new European Commission and Parliament rise to the occasion and set a new global standard for cybersecurity resilience?



Authors

Chris Gow

Senior Director, EU Public Policy

Government Affairs