Cybersecurity: do we need new laws?

A number of key pieces of legislation are on the way that may drive the cybersecurity market further and faster forward than many commentators previously thought likely. Is this a development we should all welcome? In fact, do we need new laws?

One of these pieces of legislation, in the US, is the Biden-Harris Administration National Cybersecurity Strategy. Another, also US-based, is the National Institute of Standards and Technology (NIST) Secure Software Development Framework. A third is the Cyber Resilience Act; this is an EU initiative.

They’re all driven by an entirely understandable concern about the speed with which digital technology is being adopted, despite often unaddressed security risks. Certainly these documents are evidence of a sense of urgency at government level about cybersecurity that is sometimes lacking in the many sales pitches we regularly read about a ubiquitous digital (and especially AI) future.

You would be correct to argue that many network and hardware security measures are well established and a good start for any security architecture. However, addressing security risks is still time-consuming and costly. And of course, discussing them is a lot less interesting (and a lot less of a priority for many companies) than celebrating exciting technology breakthroughs.

That means software security is often neglected, leaving security holes open and leading to embarrassing headlines about major breaches. Hence, perhaps, the reminder from this proposed legislation that security should be a priority.

It’s a sentiment we at Emproof welcome, given that cybersecurity – specifically, embedded security – is an area that we focus on. Of course, these proposals discuss cybersecurity in more general terms. However, all three focus on an area that is highly relevant to both governmental concerns and our own: vulnerability.

As the Biden-Harris paper puts it: “Many of the technical foundations of the digital ecosystem are inherently vulnerable. Every time we build something new on top of this foundation, we add new vulnerabilities and increase our collective risk.”

It also says: “We must hold the stewards of our data accountable for the protection of personal data; drive the development of more secure connected devices; and reshape laws that govern liability for data losses and harm caused by cybersecurity errors, software vulnerabilities, and other risks created by software and digital technologies.”

The EU proposal echoes these sentiments, saying: “Manufacturers of products with digital elements should put in place coordinated vulnerability disclosure policies to facilitate the reporting of vulnerabilities by individuals or entities,” and: “By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the product.”

The handy (and usefully brief) factsheet that accompanies this 87-page proposal expresses these sentiments even more bluntly: “The Act will ensure that products with digital elements placed on the EU market have fewer vulnerabilities and that manufacturers remain responsible for cybersecurity throughout a product’s life cycle.”

This, we would suggest, could be good news for consumers and end users, security solution providers and ongoing digitization and IoT projects in general, since it will increase trust. Of course some systems and software providers will complain about taking on more liability if these plans become law – but, arguably, such liability would not have been an issue had they taken security more seriously at a much earlier stage.

Luckily, this proposed legislation is about helping as well as about apportioning blame. For example, the NIST document recommends a core set of high-level secure software development practices that can be integrated into each software development life cycle (SDLC) implementation.

It adds (again with copious references to vulnerabilities): “Following such practices should help software producers reduce the number of vulnerabilities in released software, reduce the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.”

It would be unwise to read too much into such comments at this early stage, but we certainly agree that software companies should be encouraged to address “residual vulnerabilities in their software releases”.

After all, we founded an entire company based on addressing vulnerabilities – specifically, the ease with which some systems can be hacked. Embedded systems are a notable case: their fragmented hardware architecture and OS landscape can allow an attacker to find a way to execute their own code on a system and take it over.

Our response to this involves a binary transformation engine. It was explained in more detail in an earlier blog. It’s a process that usually takes a couple of weeks. However, it helps software companies to avoid an altogether longer and costlier rip-and-replace strategy. It is, we think, an area of cybersecurity that has been historically overlooked with potentially disastrous consequences. And, as the proposals from the EU and US imply, it’s not the only one.

So, returning to our original point, do we need new laws? Ideally, no. But experience suggests that the lightning-fast changes that software development is bringing may outpace the development of security frameworks that can ensure they are not misapplied. Can we ensure that doesn’t happen without legislation?

© 2024 emproof B.V. All rights reserved.