In Pursuit of European Cyber Security: 
The ETSI Standards and Legislation Workshop

June 20, 2017

The annual security week of the European Telecommunication Standards Institute (ETSI) is a unique experience where participants from around the world gather to share perspectives on network security developments in every industry sector. The event – now in its 12th year – began with a day devoted to a largely European introspection of its efforts and initiatives devoted to implement greater cyber security. Yaana had the honor this year of presenting core material for the workshop – emanating from ETSI’s Technical Committee on Cyber Security (TC-CYBER) and a related work item for which Yaana is responsible.

Like most government authorities, the European Union is attempting through legislation to require certain courses of action that it believes will further cyber security and related interests within their jurisdiction. In the EU, there are three relevant legislative enactments relating to cyber security. They consist of the (NIS) Network and Information Security Directive, the (GDPR) General Data Protection Regulation, and the (DSM) Digital Single Market strategy. All of them give rise to needs for technical frameworks for their implementation. In considering the needed technical frameworks, TC CYBER came to several conclusions in the form of key points.

Key Points

Firstly, there is basically no cyber security standards gap in meeting the EU cybersecurity legislation requirements. Indeed, there are too many standards, and many are not actionable or particularly useful. Noted cyber security guru Tony Sager describes this situation as the “fog of standards.”  There is a need, however, to converge this mass of standards toward useful, interoperable sets of standards.

Additionally, among the many existing standards, it seems apparent that where the standards are not freely available on‐line, constantly evolving, and well‐versioned, they have diminished value and represent cyber security impediments. Of particular concern are the specifications of ISO, IEC, and CEN/CENELEC which are only available at a handful of highly controlled sites to force purchase at hundreds or thousands of Euros for even single copies. They are often simply “process” specifications that provide general admonitions and are rarely revised only after years of slow committee activity among a small number of participants. These kinds of cyber security standards themselves represent a vulnerability because of such highly undesirable attributes.

The ETSI CYBER Technical Committee sought to deal with the challenge of having too many standards by discovering the entire cyber security ecosystem and focusing on identifying the most effective platforms and specifications that have the broadest industry support.

Secondly, there are no simple or easy cyber security solutions. Cybersecurity as such is not achievable given the enormity of constantly evolving vulnerabilities at every level: VLSI chipsets, devices, equipment, distribution chains, BIOS, operating systems, applications, networks, and human operators. The most that can be achieved is reducing the risks through defense control measures coupled with constant vigilance in sharing threat intelligence and mitigations – especially patches.  The most prominent and effective defense measures consist of the Critical Security Controls. Among the multiple measures of threat and mitigation exchange measures, the STIX (Structured Thread Information eXchange) ensemble of specifications has assumed widespread global acceptance across multiple industry communities.

While encryption has positive benefits, there are adverse effects of end‐to‐end encryption, which has grown to become a major challenge and needs urgent attention. TC CYBER has become the principal global venue for developing a Middlebox Security Protocol to help mitigate the challenge.  Additional attention will also be needed for rapidly evolving new industry platforms such as NFV‐SDN/5G and quantum computing to control the cyber security risks.

Thirdly, it is difficult if not impossible to provide effective cyber security certification. Meaningful cyber security requires constant attention to defense and threat exchange measures. The needs and solutions are global, and unilateral schemes are likely to be counter-productive. It is unclear why EU legislators embarked on an effort to encourage a Digital Single Market certification scheme for cyber security. While it is possible to do this for simple interfaces such as those for power plugs, doing so for cyber security will not only be costly and meaningless for European users, but also misleading to those users with a false sense of security.

ETSI work of relevance to cyber security

Existing work includes both published and ongoing work items. The published work includes:

The work in progress includes:

ETSI’s value proposition for cyber security standards legislation

In a nutshell, ETSI is a proven best-of-breed global collaborative body based in Europe. It is thus uniquely able to bridge the global-Europe requirements gap.

The organization has many additional, highly desirable attributes. It is open, inclusive, expert, flexible, and highly diverse with extensive industry, SME, academic and government participation. It avoids inventing its own specification wherever possible – especially for cyber security

The objective is to bring the standards that do exist to some form of order and that means we need to actually dismiss some where there are gaps of assurance when combining them to build best practice. The scope of its work includes critical new platforms such as Quantum Computing and Network Functions Virtualization for 5G implementations. Its reports and specifications with associated code (where appropriate) are freely-available on-line, dynamic, and well-versioned with persistent URLs. ETSI avoids insularity through established cooperative relationships and constant pro-active outreach with a very large array of highly active new security and industry bodies as well as legacy organizations and SMEs.

Standards via ETSI TC CYBER will allow the EU Digital Single Market’s reliance on the Network and Information Security Directive and the General Data Protection Regulation to be secure and viable.  The special legal status of ETSI standards in Europe is especially significant. Only ETSI, CEN, and CENELEC have this status that allows their specifications to have normative effect as a component of EU legislative Directives.