GlobalPlatform, the standards organisation for digital services and devices, has released a whitepaper which highlights the “confusing” way in which security levels are assigned to certifications carried out by national agencies as opposed to private certifications.
It points to a disparity: certifications conducted by national cybersecurity certification authorities are recognised as meeting the highest assurance level, ‘high’, while private certifications can only be given the ‘substantial’ level. As the whitepaper outlines, this implies that a more rigorous procedure is followed by public agencies when assessing the security and safety of devices, which could affect users’ trust. GlobalPlatform states that this conflates the security robustness of a product with the assurance provided by the evaluation that certified it.
The assurance levels (‘basic’, ‘substantial’ and ‘high’) are defined by the EU Cybersecurity Act (CSA) and applied by the Common Criteria-based EU cybersecurity certification scheme (EUCC), proposed by the European Union Agency for Cybersecurity (ENISA) under that Act.
Olivier Van Nieuwenhuyze, Chair of the GlobalPlatform Security Task Force, explained the pitfalls of damaging trust: “Businesses and citizens need clarity and confidence to adopt technology,” he said.
“If a device is certified as highly secure, that achievement should equate to the robustness of the device’s security and the functionality it can support. In differing from well-established security levels used in industry, the EUCC has introduced confusion and disturbed ecosystems founded on existing security schemes,” he commented.
Even where a device implements a high level of security, the value of that achievement is undermined if users lose trust in the product and if security standards vary across the industry.
Moreover, the lack of alignment across certification schemes is problematic because it damages the credibility of established security certification schemes, such as those managed by GlobalPlatform and other reputable industry organisations. It places more weight on which entity certified the product than on the security and safety of the device itself.
Van Nieuwenhuyze also said that end users must be given accurate information to make informed purchasing decisions. “For a time, only security experts will be able to understand the security robustness of a product,” he said. That information critically needs to be shared with consumers and end users and must meet their expectations; otherwise brands face being exposed and damaged.
The whitepaper calls for greater alignment between public and private certification schemes, and increased involvement from industry, to ensure that cybersecurity certification schemes meet the right requirements for standardisation and accuracy, and do not negatively affect the marketability of a product.
Gil Bernabeu, Technical Director of GlobalPlatform, says: “The EU CSA, ENISA and the EUCC have a fundamental role to play in the future of cybersecurity on both the European and global stages. Alignment with existing cybersecurity initiatives and security levels will help the ecosystem demonstrate the capabilities of products, foster confidence and adoption, and provide greater end-to-end security, privacy, simplicity and convenience for everyone.”