Dagstuhl Seminar 24112
EU Cyber Resilience Act: Socio-Technical and Research Challenges
(10 Mar – 13 Mar 2024)
Organizers
- Mila Dalla Preda (University of Verona, IT)
- Serge Egelman (ICSI - Berkeley, US)
- Anna Maria Mandalari (University College London, GB)
- Narseo Vallina-Rodriguez (IMDEA Networks Institute - Madrid, ES)
Contact
- Michael Gerke (for scientific questions)
- Jutka Gasiorowski (for administrative questions)
Shared Documents
- Dagstuhl Materials Page (Use personal credentials as created in DOOR to log in)
Program
Introduction and Motivation
The increasing number of cyberattacks affecting digital products has imposed significant security and financial costs on societies. For example, the Mirai attack in 2016 compromised hundreds of thousands of Internet of Things (IoT) devices by logging into them over Telnet with a short list of factory-default usernames and passwords, turning them into a botnet that launched massive Distributed Denial of Service (DDoS) attacks. These attacks significantly impacted critical Internet services, causing major outages and disruptions on platforms such as Twitter and Netflix [1].
In 2022 the European Commission proposed the EU Cyber Resilience Act (CRA) to define the legislative framework of essential cybersecurity requirements that manufacturers must meet when placing any product with digital elements on the internal market, while empowering users to make better security-aware decisions when purchasing and deploying digital products. Following its adoption in 2024, manufacturers will have a transition period of about two years to comply with the new rules, with specific deadlines for different types of products and obligations. The roadmap for CRA adoption follows a multi-phased approach, focusing on high-risk products first and progressively expanding to cover a broader range of digital products over the following years, with the aim of ensuring robust cybersecurity standards across the EU. Specifically, during the first year the focus will be on raising awareness among stakeholders and providing guidance on compliance requirements; the European Commission and national authorities will offer support and resources to help manufacturers understand the new obligations. During the second year, manufacturers and developers will need to ensure that their products meet the CRA requirements. This includes implementing the necessary security measures, conducting risk assessments, and updating product documentation.
In this scenario, device and software analysis methods – from formal methods to black-box testing – are essential for facilitating compliance at different stages of the product life-cycle, but also for self-attestation and independent verification and certification. However, the rapid evolution and increasing complexity of new technologies and other socio-technical factors such as developers’ awareness and incentives for compliance may add further challenges and barriers to adoption.
On the one hand, it is essential to understand whether regulatory requirements are realistic and unambiguous, and whether they are partially misaligned with technology trends, with manufacturers’ incentives and goals, and with users’ privacy and security awareness. For example, research evidence has shown that many developers do not fully comply with the General Data Protection Regulation (GDPR) and the US Children’s Online Privacy Protection Act (COPPA) because of their dependency on obscure third-party components for development support and advertising, economic incentives, poor software engineering habits, or even a lack of awareness of the regulations’ existence and scope (and hence of their compliance obligations). On the other hand, we need to assess to what extent existing device and software analysis methods are fit for aiding developers and manufacturers in assessing compliance, and also for independent third-party certification and regulatory enforcement. Yet current software and device analysis techniques (e.g., black-box testing) often over-simplify the complexity of digital products and present scalability and coverage limitations that prevent them from reliably auditing and testing whether the observed properties of digital products comply with regulatory requirements. This Dagstuhl Seminar united a multidisciplinary group of technical and legal academics, industry actors, and policy experts to share their knowledge and experience and to collaboratively explore the complex landscape of research and socio-technical challenges for the adoption and enforcement of the CRA. These challenges arise from developer practices and incentives, user awareness, and the feasibility of existing software analysis methods for certification and enforcement.
Seminar Structure
The seminar had a dynamic structure over its three days, combining dedicated presentations, panels, and multidisciplinary working groups to encourage active participation and dialogue between different communities and stakeholders. Participants arrived on Sunday, and the seminar opened with a welcome dinner at Schloss Dagstuhl. The three days of seminar activities were structured as follows:
- Day 1. The first morning was dedicated to participant introductions, setting common ground on the seminar objectives through short elevator pitches by each participant, followed by two keynote-style talks and guided discussions. This round of introductions provided a comprehensive overview of the diverse knowledge and skills present in the room and set the scene for collaborative and constructive discussions. The seminar then continued with an introductory talk by the organizers, a key presentation by Christin Hartung-Kümmerling and Anna Schwendicke (BSI) on the fundamentals, goals, and roadmap of the CRA, and a talk by Vincent Toubiana (CNIL) on CNIL’s experience with GDPR implementation and enforcement. Participants then engaged in open discussions to identify sub-problems of interest. At the end of the first day, participants formed multidisciplinary discussion groups to summarize the day’s outputs and held a brainstorming session that identified three key topics for further discussion: (i) Understanding and Aiding the Developer Ecosystem; (ii) Standardization Efforts; and (iii) Tools for Regulatory Enforcement.
- Day 2. The second day continued with the interactive group discussions, concluding with an all-hands session to consolidate the outputs of the groups. The day ended with a social activity, a guided visit to the Völklingen Ironworks, followed by dinner in Saarbrücken.
- Day 3. The final day consisted of several all-hands sessions to identify the main outcomes of the seminar and the research challenges for easing CRA adoption and compliance, ensuring continued progress beyond the seminar.
References
- Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, et al. Understanding the Mirai Botnet. In 26th USENIX Security Symposium (USENIX Security 17), pages 1093–1110, 2017.
- Jukka Ruohonen and Kalle Hjerppe. The GDPR Enforcement Fines at Glance. Information Systems, 106:101876, 2022.
- Célestin Matte, Nataliia Bielova, and Cristiana Santos. Do Cookie Banners Respect My Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework. In 2020 IEEE Symposium on Security and Privacy (SP), pages 791–809. IEEE, 2020.
- Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman, et al. “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale. In The 18th Privacy Enhancing Technologies Symposium (PETS 2018), 2018.
- Christoph Bösch, Benjamin Erb, Frank Kargl, Henning Kopp, and Stefan Pfattheicher. Tales from the Dark Side: Privacy Dark Strategies and Privacy Dark Patterns. Proceedings on Privacy Enhancing Technologies, 2016.
- Noura Alomar and Serge Egelman. Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps. Proceedings on Privacy Enhancing Technologies, 2022.
- Michael Backes, Sven Bugiel, and Erik Derr. Reliable Third-Party Library Detection in Android and its Security Applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS), pages 356–367, 2016.
- Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti. A Large-Scale Analysis of the Security of Embedded Firmwares. In 23rd USENIX Security Symposium (USENIX Security 14), pages 95–110, 2014.
- Gianluca Anselmi, Anna Maria Mandalari, Sara Lazzaro, and Vincenzo De Angelis. COPSEC: Compliance-Oriented IoT Security and Privacy Evaluation Framework. Association for Computing Machinery, New York, NY, USA, 2023.
- Aniketh Girish, Tianrui Hu, Vijay Prakash, Daniel J. Dubois, Srdjan Matic, Danny Yuxing Huang, Serge Egelman, Joel Reardon, Juan Tapiador, David Choffnes, et al. In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes. In Proceedings of the 2023 ACM Internet Measurement Conference (IMC), pages 437–456, 2023.
Motivation
The growth of consumer connected devices such as smart TVs and smart speakers has introduced unprecedented challenges for preserving consumers’ security and privacy, and nations’ cyber-safety. The European Union has been at the regulatory forefront, developing strict regulatory frameworks to protect consumers and increase European cyber-resilience. However, the path towards compliance and enforcement is not straightforward.
In May 2018, the EU General Data Protection Regulation (GDPR) came into application to protect users’ privacy and digital rights. Five years later, its success has been moderate, owing to developers’ inability (or lack of incentives) to comply with the regulation. This is aggravated by differences in how national Data Protection Authorities (DPAs) interpret the rules, which confuses developers and leads to divergent criteria for enforcement. Now the new EU Cyber Resilience Act aims to enforce security requirements for digital products such as IoT devices by establishing a framework for secure development and empowering users to make security-aware decisions. It is complemented by the European Cybersecurity Certification Framework (ECCS) and the new NIS 2 Directive, which puts in place cybersecurity requirements including supply-chain measures. The combination of these regulations aims to ensure that digital products are free of known exploitable vulnerabilities, transparent, and vendor-supported throughout their life cycle, while also respecting citizens’ digital rights and privacy. However, what will be the barriers and challenges for compliance and enforcement?
Device and software analysis methods, from formal methods to black-box testing, are essential for facilitating compliance at different stages of the product life cycle, and also for the independent certification and enforcement that the ECCS mandates. However, the rapid evolution and increasing complexity of new technologies, together with other socio-technical factors, may add further challenges and barriers to compliance and enforcement. On the one hand, it is essential to understand whether regulatory requirements are realistic and unambiguous, and whether they are misaligned with technology trends, with manufacturers’ incentives and goals, and with users’ privacy and security awareness. For example, research evidence has shown that many developers do not fully comply with GDPR and COPPA requirements because of their dependency on obscure third-party components for development support and advertising, economic incentives, poor software engineering habits, or even a lack of awareness of the regulations. On the other hand, we need to assess to what extent device and software analysis methods are fit for aiding developers and manufacturers in compliance, and also for independent certification and enforcement. Yet current software and device analysis techniques (e.g., black-box testing) often over-simplify the complexity of digital products and present scalability and coverage limitations that prevent them from testing at scale whether observed software properties comply with regulatory requirements.
This Dagstuhl Seminar aims to unite a multidisciplinary group of technical and legal academics, industry actors, and policy experts to holistically explore the complex landscape of research and socio-technical challenges for regulatory adoption and enforcement. These challenges arise from developer practices and incentives, user awareness, and the feasibility of existing software analysis methods for certification and enforcement. By fostering multidisciplinary dialogue across communities that are often disconnected, the seminar aims to (1) shed light on pressing research challenges and barriers to the adoption and enforcement of new technology laws; (2) promote cross-disciplinary research networks and collaboration in developing innovative solutions that strengthen digital security and resilience while preserving users’ rights; and (3) produce reports to inform the regulatory debate and future research agendas at the intersection of technology and policy.
Participants
- Rainer Böhme (Universität Innsbruck, AT) [dblp]
- Mila Dalla Preda (University of Verona, IT) [dblp]
- Daniel J. Dubois (Northeastern University - Boston, US)
- Carolyn Egelman (Google - Mountain View, US)
- Serge Egelman (ICSI - Berkeley, US) [dblp]
- Hamed Haddadi (Imperial College London, GB)
- Christin Hartung-Kümmerling (BSI - Freital, DE)
- François Hublet (ETH Zürich, CH)
- Martina Lindorfer (TU Wien, AT) [dblp]
- Anna Maria Mandalari (University College London, GB)
- Federica Maria Francesca Paci (University of Verona, IT)
- Simon Parkin (Delft University of Technology, NL) [dblp]
- Sergio Pastrana (Carlos III University of Madrid, ES)
- Joel Reardon (University of Calgary, CA)
- Anna Schwendicke (BSI - Freital, DE)
- Ben Stock (CISPA - Saarbrücken, DE) [dblp]
- Volker Stocker (Weizenbaum Institut - Berlin, DE)
- Guillermo Suárez-Tangil (IMDEA Networks Institute - Madrid, ES)
- Juan Tapiador (Carlos III University of Madrid, ES)
- Vincent Toubiana (CNIL - Paris, FR) [dblp]
- Narseo Vallina-Rodriguez (IMDEA Networks Institute - Madrid, ES)
Classification
- Computers and Society
- Cryptography and Security
- Software Engineering
Keywords
- Digital Law and Policy
- Usable security and transparency
- Cybersecurity and Cyber-Resilience
- Software Engineering and Secure Development
- Software Analysis and Certification