EU and US authorities move to strengthen cyber-security protections

From laptops to fridges to mobile apps, smart devices connected to the internet will have to be assessed for their cyber-security risks under draft European Union rules announced on Thursday. 

“[The Act] will put the responsibility where it belongs, with those that place the products on the market,” EU digital chief Margrethe Vestager said in a statement.

Under the proposed bill, known as the Cyber Resilience Act, companies would face fines of as much as €15m (£13m) or up to 2.5 per cent of their total global turnover if they fail to fix any problems that are identified.

The Covid-19 pandemic and the war in Ukraine have increased the risk of cyber attacks, according to EU authorities. Although most companies do have plans in place to protect their digital infrastructure, the Commission stressed that most hardware and software products are not currently subject to any cyber-security obligations.

The EU said a ransomware attack takes place every 11 seconds, and the global annual cost of cyber crime is estimated at €5.5tn (£4.8bn) in 2021.

“When it comes to cyber security, Europe is only as strong as its weakest link, be it a vulnerable member state or an unsafe product along the supply chain,” said Thierry Breton, the EU commissioner for the internal market. “Computers, phones, household appliances, virtual assistance devices, cars, toys… each and every one of these hundreds of millions of connected products is a potential entry point for a cyber attack.”

If adopted, the regulation would require manufacturers to take into account cyber security in the design and development of their devices, and businesses would remain responsible for their security throughout the products’ expected lifetime, or a minimum of five years. Market authorities would have the power to withdraw or recall non-compliant devices and to fine companies that fail to abide by the rules.

The new policy builds on existing rules proposed by the European Commission in 2020, known as the NIS 2 Directive, which, in turn, expands on the scope of the current NIS Directive.

The Commission stated that the law will benefit consumers since it will improve data and privacy protection, as well as companies, which could save as much as €290bn (€253bn) annually in cyber incidents versus compliance costs of about €29bn (£25bn). 

The EU is not alone in this push toward stricter cyber-security measures. The US White House has also released this week new federal software security requirements following the 2020 SolarWinds cyber attack, which compromised several government agencies.  

The new guidance, ‘Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience‘, advises agencies on how to ensure that their third-party software usage complies with National Institute of Standards and Technology (NIST) guidance. Software vendors can also provide a “plan of action and milestones” if the NIST standards can’t be achieved.

“Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” said federal chief information security officer Chris DeRusha. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”

The guidance has been published on the same day that ride-hailing company Uber revealed it had contacted US law enforcement after suffering a massive security incident.

The breach is likely more extensive than its 2016 data breach and potentially may have compromised its entire network. The hacker was believed to have breached multiple internal systems, with administrative access to Uber’s cloud services including Amazon Web Services (AWS) and Google Cloud (GCP). There was no indication that Uber’s fleet of vehicles or its operation was in any way affected.

“The attacker is claiming to have completely compromised Uber, showing screenshots where they’re full admin on AWS and GCP,” Sam Curry wrote in a tweet. The security engineer at Yuga Labs, who corresponded with the hacker, added: “This is a total compromise from what it looks like.”

Uber has since shut down online access to its internal communications and engineering systems, while it investigated the breach, according to a report by The New York Times. The Times said the hacker reported being 18 years old and saying they broke in because the company had weak security.

Uber said via email that it was “currently responding to a cyber-security incident. We are in touch with law enforcement.” However, cyber-security experts have taken the opportunity to stress the importance of establishing strong cyber protections, to avoid falling victim to hackers. 

“Uber’s data breach reminds us that no organisation is safe, and everyone has a role to play in digital fortification,” said John Davis, director UK & Ireland, SANS Institute, EMEA, after hearing of the news. 

“Awareness and vigilance are vital weapons in our response to these threats. Businesses are battling enormous pressures in today’s climate, amid rising inflation and supply chain issues, and hackers are looking to exploit this. Cybercriminals are levelling up. Their attacks are more prevalent, more sophisticated and harder to detect.”

Dan Davies, CTO at Maintel, added: “The recent cyber-security breach at Uber demonstrates how ensuring the security of communication channels should be a number one priority for businesses. Hackers able to comprise these systems then have the potential to target further internal networks and cause major disruptions. One chink in the armour could lead to a killer blow for the entire organisation.”

Over the past year, organisations across the world, from the UK’s NHS to the US’s Apple, and even the Albanian government, have suffered severe cyber attacks that have disrupted their services and put their users’ personal information at risk.