EU lacks 'unified vision' for 'important' standards on cyber security, says ENISA

Out-Law News | 30 Mar 2015 | 2:35 pm | 1 min. read

There is no "unified vision" from the EU institutions on the development and adoption of standards in the area of cyber security, the European Network and Information Security Agency has (ENISA) said.

The body, which is an EU agency which advises policy makers on cyber security issues, said that standards for cyber security, such as for security products, testing of network and information security, and processes and procedures for cross border communications between regulators on cyber security incidents, were "important". This is particularly the case for electronic identification (e-ID) and the verification of online identities by trust service providers, it said.

However, it said that it currently takes too long for cyber security standards to be introduced (31-page / 821KB PDF) after new technology has been brought into use.

ENISA said the EU needs to "address" its "strategy towards standardisation in the area of ICT" in general because its "current approach" is "not consistent and lacks a unified vision".

"At the time of writing, there is no single, continuous 'line of standards' related to cyber security, but rather a number of discrete areas which are the subject of standardisation," ENISA said in a new report. It said these standards relate to technical matters, metrics that are mostly related to business continuity, cyber security definitions and "organisational aspects".

ENISA said that there is perhaps over-standardisation "on information security governance and risk management" but a lack of standards in other areas of cyber security.

"For example there are relatively few standards that deal with compliance to privacy and data protection legislation," ENISA said. "Similarly, there are not many standards covering service levels, or more broadly, service agreements and service contracts, terms of use and conditions, et cetera. A quick look across the different offerings of cloud providers will show that every provider has a different lengthy legal text describing the terms of use and exceptions to obligations."

ENISA admitted that standardisation has the potential to introduce "vulnerabilities" into a large number of systems, but maintained this does not mean that cyber attacks cannot be averted.

"By structuring the approach to deploying new technologies or business models, standards help to reduce the complexity of the business environments that deploy them, which in turn makes it easier to secure the resulting environment," ENISA said. "Although there is also an argument against standardisation in this respect, notably that any vulnerabilities associated with such systems will also be ‘standardised’, making it possible to conduct attacks against large numbers of systems in a short timescale."

"The usual way of dealing with this however is not to avoid standardisation but to ensure that the defences used to protect information systems are not critically dependent on a single system or type of system – this is the principle of defence in depth," it said.