Why I'm in Favor of the EU Cyber Resilience Act and You Should Be Too

in #cybersecurity, 2 months ago

I like the EU Cyber Resilience Act! There, I said it! Yes, this will make companies nervous in the short term, but this regulation is a watershed moment that will fundamentally shift how digital products are secured and maintained! This will FORCE the industry to adapt in more transparent and accountable ways.

I don’t like regulations in the tech world but will support such extreme measures when companies are not doing what is best for their customers. In this case, the industry has chosen not to voluntarily support good security practices such as these in the past. They often keep customers in the dark when attackers are running rampant and exploiting weaknesses in their products until they have a fix ready. Customers, if informed in a timely way, may be able to mitigate risks in other ways while waiting for a patch. But not if the company purposely chooses to keep them in the dark. So now, customers may be able to hold manufacturers accountable if they choose not to be forthcoming.

There are several aspects to this act, which is designed to inform and protect consumers of digital products:

1. Notification of exploitation (when vulnerabilities are being used by attackers to victimize targets)

2. Security patching support for the lifetime of the product

3. Differentiation between security and functionality updates where feasible

Companies that are worried about having to report when attackers are exploiting vulnerabilities in their products are basically saying they don’t want their customers to be aware.

I find the arguments against this act outdated. My favorite illogical argument is that “if we report when our products are exploited, then attackers will exploit them more.” Um, the genie is already out of the bottle. How about doing the decent thing and informing your customers that they are at serious risk of being victimized!


Many companies won't want to be forced to invest in cybersecurity!

"2. Security patching support for the lifetime of the product"

What immediately occurs to me is that this is inadequate for many products that involve biometric information. 23andMe has just had hackers offer up its data hoard: $1000 for 10,000 records of a group listed. Some of the records are of extremely wealthy and powerful people. The life of this product can be considered instant, however, and the 'product' is the information delivered to customers as to their genetic origins. The lifetime of the DNA, however, is longer than the lives of the customers, because it affects their children, their relatives, and even their larger ethnic group, many of whom long outlive the specific customer.

Security patching isn't available for biometric data. The Russian Federation has just had its records hacked, and many people's medical information is on offer. Anyone that used their retinal scans, fingerprints, or other biometric data as some form of ID is now able to be spoofed by hackers, and they can never, ever change their biometric data, which will forever be linked to whatever crimes hackers spoofing the owners of biometric data did. I don't see any improvement in the situations of these people from this regulation, and I think that is an urgently needed matter.

Also, who will hold governments, not private companies, accountable? I hesitate to even speculate what information 5 eyes governments have on their subjects, or how valuable it could be to blackmailers, competitors, or enemies of theirs. What good is this regulation if it does nothing at all to curb tyrannical governments' acquisition of such data from private companies? Are companies compelled to indemnify their customers against being tortured as a terrorist by their government security forces? Excluded from private clubs for their genetic background, or being outed as a snitch and gutted by criminals? How will this regulation help those afflicted with private surveillance for sale to the state, as many companies, like Goolag, Fakebook, and Twatter, today do?

Even the most mercenary of Black Hat hackers, like the ones selling data from the hacks I mention above, are less harmful than governments that buy data from companies that sell it voluntarily. Do companies have to reveal to their customers that they have sold them out, rather than been hacked? Yahoo! famously just gave up its customers to the NSA some years ago. Would this have helped them if Yahoo! did that today?


last month

Visibility is the first step towards accountability. This regulation will help drive that accountability at the most senior level, which should motivate change in a positive direction. It is just another step on the journey, not crossing the finish line.

It is a step forwards in that regard, but the caprice of data fiduciaries is unconscionable IMHO.