Does the Cyber Resilience Act protect consumer devices enough?

We live at a time when much of what we buy – watches, phones, fridges – is connected to the internet. Although technology has made our daily lives more comfortable, it has also made us more vulnerable.

Manufacturers have been keen to sell connected products, but often paid little attention to making them cybersecure. In other words, the market has not delivered. And the EU has been slow in setting effective rules to address this major problem.

Over the past years, consumer organisations have repeatedly flagged that too many products on the market carry cybersecurity risks and lack the most basic security features. This must stop.

In proposing the Cyber Resilience Act, the European Commission took a major step forward. The law would establish EU-wide cybersecurity requirements by design and by default for all connected devices. However, there are still key improvements to be made to ensure it can adequately protect consumers.

Products should be secure before and after being placed on the market

Consumers are right to expect that products on the market are not only safe and secure when they are sold, but during their expected lifetime. But the sad truth today is that products like PCs or smartphones only receive security updates for so long, after which they become vulnerable to hacking.

When manufacturers fail to protect their products with the necessary software updates, these devices not only expose consumers to cybersecurity vulnerabilities, they also become slower, less performant and sometimes unusable well before the end of their useful life. Apart from causing consumer frustration and putting them at risk, this premature obsolescence fuels waste and is fundamentally at odds with efforts to align our society with planetary boundaries.

The new rules must ensure that consumer-facing connected products are protected before and for sufficiently long after they are bought: you can’t talk about real cybersecurity if a product you buy is only secure for a year when it can last for up to ten!

That is why BEUC is pushing for manufacturers to provide essential software updates during a product’s expected lifetime. The proposal only requires a maximum protection period of five years, which would leave all kinds of products unprotected beyond that timeframe. Think of dishwashers, fridges or TVs!

Making sure a product is secure

How can consumers be sure that a product is ultimately secure? The Commission proposal relies on self-assessment by the manufacturer for over 90% of products. That is a clear conflict of interest which has echoes of dieselgate: the manufacturer is also the certifier. Which company is going to contradict itself and say that a product it made is not in conformity with the law?

Consumers need more to go on than just the word of the manufacturer when their cybersecurity and personal safety are on the line.

Independent third parties should be tasked with verifying whether a product is secure. This is especially important for certain products which, given their sensitive nature and the potential for misuse through a cyber-attack, carry enormous risks for consumers, from violations of their fundamental rights (privacy, data protection) to even compromising their physical safety.

What about us? Consumer devices are high risk too

The new rules do recognise that certain products are too risky to leave to self-certification by the manufacturer. Although this is a step in the right direction, the option to put forward a short closed list of critical devices risks barely scratching the surface of high-risk products: without a risk methodology with clear criteria that can be applied to all products, this legislation risks overlooking many sectors. In particular, this closed list clearly risks overlooking one key stakeholder: consumers. The proposal leaves consumer devices out of this list. The law should be aligned with what consumers expect: it should recognise the real risks posed by devices in our homes which, if hacked, have the potential to cause significant harm and substantial damage to us.

For example, it is astonishing that home internet routers are not considered important enough to go through third-party certification. And there are other consumer devices which should require mandatory certification, given the sensitivity of their use and private location (children’s devices, smart home systems, security devices) for which the manufacturers’ word is not good enough.

When everything else fails

New EU rules must provide a clear answer to the following question: what can consumers do once the harm has occurred? At the very least, consumers should be able to hold manufacturers to account. There should be a clear mechanism for reporting problems directly to manufacturers from the beginning. Consumers should also have accessible means to engage with public authorities, who have every reason to welcome the (much needed) help of civil society in the market screening and enforcement process.

And just as importantly, consumers must be able to demand compensation for damages caused by a lack of conformity with these rules. That means they need effective redress, including the possibility to launch collective actions when many consumers have been affected by the same harm. It is therefore crucial that the Cyber Resilience Act is added to the annex of the Representative Actions Directive.

In conclusion, the Commission proposal for a Cyber Resilience Act is a much-welcomed first step towards addressing some of the key issues currently facing consumers. However, this proposal can still go further: BEUC has issued recommendations on the key improvements needed to ensure that the CRA proposal is truly fit for purpose. It is now up to EU legislators to deliver.


This guest blog is published with the kind permission of BEUC – The European Consumer Organization and originally appeared here.

If you want to learn more about the CRA and its impacts, join our Roundtable on 17 April, where you can hear not only Claudio Teixeira speak, but also listen to the positions of the European Commission, the US NIST, standardisation organisations and industry. For the agenda and registration, please see https://iotac.eu/iot-day-roundtable-2023/!
