The latest version of the most extensive and far-reaching cybersecurity legislation ever drafted appeared a few days ago (see: Report on the proposal for a Regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019/1020). The European Union (EU) Cyber Resilience Act (CRA) seeks to assert jurisdiction and control over all “products with digital elements” placed on the market, defined as “any software or hardware product and its remote data processing solution (including software or hardware components)”.
In the name of taking the lead in global cybersecurity and protecting EU citizens, it imposes dozens of onerous, if not impossible, compliance requirements on all “products with digital elements”, and corresponding obligations on all “manufacturers, importers or distributors.” Control is to be exercised through extensive market surveillance, “sweeps”, CRA bounty hunters and enforcement measures, combined with huge fines for non-conformity of products or non-compliance of “economic operators” with CRA obligations.
Although the CRA is well-meaning, the long history of cybersecurity over the past 55 years has shown this approach to be ineffective, misdirected, and potentially a vulnerability in its own right. One of its many fatal flaws is its reliance on specifically named standards.
The CRA is to accomplish this all-encompassing mission through the “harmonised standards” of the three “European Standardisation Organisations” (ESOs: CEN, CENELEC and ETSI), which are to take into account existing or forthcoming “international standards” “for cybersecurity”, and through the “European cybersecurity certification scheme”. [Note that although ETSI is primarily a major international standards organisation, it also serves the EU as an ESO, producing separate European standards.]
The enduring international standards myth
Buried among the 47 definitions of the new draft, “international standard” is defined to mean “standards produced by the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), and the International Telecommunication Union (ITU).” Wow. What? The EU CRA has, incredibly, designated a monopoly cartel, CEN/CENELEC in favour of ISO/IEC, together with ETSI (in its ESO mode) and the ITU, whose standards are to be used to exercise full control over cybersecurity regulation of all “products with digital elements” worldwide.
As a legal historian, the embedded mystery for me was why the EU CRA designates ISO, IEC and ITU as the only bodies that create “international standards”. The EU is effectively rebuilding the cartel of three organisations that, 30 years ago, had complete control over international telecommunications and computing technology and services. Doing so today seems unlikely to benefit the EU and its member states. That cartel world is long gone, and it was highly anti-competitive. Nearly all ICT products in use around the world today, including their cybersecurity features, have been developed using standards created by a diverse ecosystem of other industry-led international standards bodies in which the product developer community itself participates.
The purported basis for this international organisation cartel is stated on page 155 of the CRA Report, in added paragraph (37a), as follows:
“The WTO Agreement on Technical Barriers to Trade states that where technical regulations are required and relevant international standards exist, WTO members are required to use those standards as the basis for their technical regulations. International standards aim to promote the harmonisation of national and regional technical regulations and standards, thereby reducing non-tariff technical barriers to trade, and it is therefore important to avoid duplication of work among standards bodies. Given that cybersecurity is a global issue, the Union should seek maximum cooperation.”
But neither the WTO Agreement on Technical Barriers to Trade nor the more specific General Agreement on Trade in Services (GATS) Annex on Telecommunications says what is claimed. The GATS Annex states:
7. RELATIONSHIP WITH INTERNATIONAL ORGANIZATIONS AND AGREEMENTS
(a) Members recognize the importance of international standards for global compatibility and interoperability of telecommunication networks and services and undertake to promote such standards through the work of relevant international bodies, including the International Telecommunication Union and the International Organization for Standardization.
(b) Members recognize the role played by intergovernmental and non-governmental organizations and agreements in ensuring the efficient operation of domestic and global telecommunications services, in particular the International Telecommunication Union. Members shall make appropriate arrangements, where relevant, for consultation with such organizations on matters arising from the implementation of this Annex.
Available at: https://www.wto.org/english/tratop_e/serv_e/12-tel_e.htm
The more general Agreement on Technical Barriers to Trade “encourages Members to use existing international standards for their national regulations, or for parts of them, unless their use would be ‘ineffective or inappropriate’ to fulfil a given policy objective.” In practice this is commonly taken to refer to ISO, IEC and ITU. See https://www.wto.org/english/tratop_e/tbt_e/tbt_info_e.htm
The context is also worth noting. First, negotiation of this provision began in 1988, when the WTO was still the GATT, and it was finalised in the early 1990s, as the GATT became the WTO. It came at a time when public telecommunications service providers and equipment vendors were trying to enter global markets and were concerned that national technical standards would be used to block market entry.
Several aspects of this Annex are noteworthy. The first is scope: it applies only to “access to and use of public telecommunications transport networks and services”. Those terms were understood to mean narrowly defined traditional telecommunications services; because such services were at the time used to provide internetworking and mobile services, the Annex also refers extensively to access to private leased circuits and to “resale”. The only treatment of standards is in Section 7. Note that Section 7 is not prescriptive: it only says that standards are to be promoted “through the work of relevant international bodies, including the International Telecommunication Union and the International Organization for Standardization”.
Section 7(b) further states that Members “recognize the role played by intergovernmental and non-governmental organizations and agreements in ensuring the efficient operation of domestic and global telecommunications services, in particular the International Telecommunication Union”.
There is only one global intergovernmental standards body, and that is the ITU. ISO, like most other standards bodies, is simply a private legal entity. Are not all other non-governmental standards organisations therefore within the scope of Section 7(b)? Thirty years ago, those drafting this text had no intention of creating an international standards cartel.
Why does this matter? Because almost all cybersecurity-related standards have been developed by consensus in international standards bodies other than ISO, IEC and ITU, and are used globally in both the private and public sectors. Bodies such as 3GPP, the IETF and the IEEE are the ones that matter today.
At the time these negotiations took place, I was responsible at the ITU for telecommunications regulation and relations with member states, acted on behalf of the Secretary-General during the negotiations, and in 1991 helped craft the clauses to protect the ITU's interests. The former director-general of the WTO Secretariat's GATS division acknowledged that he knew of no basis for restricting international ICT or cybersecurity standards to ISO, IEC and ITU standards only.
This myth needs to stop being perpetuated.