How a Proposed European Union Cybersecurity Law Could Affect Things on This Side of the Atlantic
Kir Nuthi: Yeah, [the Cyber Resilience Act] is going to be a world leading beginning step for cybersecurity. The U.S. and the UK are already trying to get there as well. So it’s kind of a race to who does it first.
Tom Temin: Because in the United States, the software supply chain is the focus of cybersecurity right now. And that takes many forms. There’s an executive order on that, there is the CMMC program, the Cybersecurity Maturity Model Certification program, trying to get going in the Defense Department. But it all kind of has a theme there. Do these themes clash in some way?
Kir Nuthi: I think the US, the UK and the EU are all broadly tackling the same space, which is the digital products available in their markets, so the connected devices in their markets. The White House specifically has a plan for connected devices to create labeling standards, which is really similar to the EU Cyber Resilience Act, and the UK has, what they’re calling a product security and telecom infrastructure bill, which is a really clunky name that essentially also creates new security requirements for consumer connected products in the UK. So all three of them are tackling at the heart of new legislation, devices we use every day that connect to the internet.
Tom Temin: But what about devices that you wouldn’t normally classify as consumer devices as you move up the chain, there are home routers, but then there are industrial routers, data center type of gear, that route, switch, and so forth. And telephone systems, IP phone systems also connected to the internet. Does it just stop at consumer products? Or what about all of these industrial products that are often hacked, and at the center of all internet traffic?
Kir Nuthi: So the Cyber Resilience Act covers a broad swath of three categories. Class one is going to be the lower cybersecurity risk levels, but does take into account industrial software. So it’s password managers, remote access software, firewalls, routers, microprocessors, modems, all of these slightly less fun non-consumer devices, whereas class two focuses on high-risk and then industrial devices. So products with critical cybersecurity vulnerabilities that include public key infrastructure, microprocessors, industrial switches, the things that aren’t necessarily on you or me, like our smartphones or smartwatches. And then there’s an unclassified category, which tends to include things that, when you think of connected devices, you naturally go to, like game consoles and whatnot.
