The global cybersecurity market was valued at $167.13 billion in 2020 and is predicted to expand by 10% annually until 2028. The alarming increase in the frequency and sophistication of cyberattacks in recent years can be blamed for the market's growth. And with this need to counter the intensity of cybercriminal activity with advanced cybersecurity measures comes the demand for better frameworks, processes, and techniques.
In 2019, the European Cyber Security Act (CSA) was adopted, establishing a cybersecurity certification framework for all “critical infrastructure” sectors, including software development and IT outsourcing services. However, while the framework has benefits like increasing transparency and trust for end-users, certification bodies, manufacturers, and software providers face particular challenges that keep them from fully embracing and implementing the new terms. Here are ten challenges you should know about software cybersecurity certification:
- There are different assurance levels for certification defined by the new European Union (EU) cybersecurity regulation CSA that certification bodies and manufacturers must consider when certifying their systems.
- Certain factors impact the certification of the system and its components during its lifecycle, including software updates and design principles that deal with the inter-relationships of its components.
- Cybersecurity certification practitioners, software manufacturers, and software providers must pay close attention to software updates and software composability, as these aspects define the relationship between different certification levels.
- For organizations to allow software providers to maintain control of systems, they must develop and follow coordinated vulnerability disclosure (CVD) procedures.
- Because a single Information and Communication Technology (ICT) system comprises various components and subsystems, each additional software module will need to be certified in composition (when applicable) and using specific assurance levels and certification schemes.
- New certification processes or recertification may be required when certain modules are not valid for the system's composition, such as specific hardware or operating systems.
- Automated and lightweight techniques should be used in the recertification processes to reduce the reluctance of manufacturers and software providers to update their systems regularly due to time and costs.
- The CSA promotes using a repository of vulnerabilities to foster trust in ICT systems, mitigate attacks, promote cooperation and collaboration among stakeholders, and bridge the gap between the software sector and certification bodies.
- The CVD framework supports the vulnerability disclosure process, which encourages manufacturers and software providers to report and publish vulnerabilities and testing processes. The program aims to increase transparency for end-users, share cybersecurity information, expose threat models, and align software development.
- Emerging technologies and platforms, including blockchain, AI, 5G systems, and quantum computing, are being considered to help align the cybersecurity certification process and software development activities.
While the CSA aims to create a unified framework that aligns cybersecurity certification, manufacturers, and software developers while increasing end-user trust, some hesitation remains. Because the intentions of the Act are for the benefit of all stakeholders, raising awareness of these factors is key to fostering adoption.