Draft EU rules announced September 15 will require a broad range of connectable devices, such as TVs, printers, thermostats, door locks, alarms, and fridges, to be assessed for their cybersecurity risks. Such digital products create a myriad of connection points for hackers to enter IoT ecosystems, access customer information, or even penetrate manufacturers’ back-end systems.
The European Commission’s proposal for a new Cyber Resilience Act aims to safeguard consumers and businesses buying or using products or software with a digital component. A study by EU regulators shows that only half of the makers of hardware and software used in connected devices apply adequate safeguards against cyber attacks. The research also found that two-thirds of cyber attacks come from previously detected breaches that makers had failed to fix. The new rules will address both of these weaknesses by establishing requirements for products granted access to the EU market.
With ransomware attacks occurring every 11 seconds around the globe and the estimated global annual cost of cybercrime reaching €5.5 trillion in 2021, ensuring a high level of cybersecurity and reducing vulnerabilities in digital products – one of the main avenues for successful attacks – is more important than ever, said the EU press release. With the growth in smart and connected products, a cybersecurity incident in one product can have a ripple effect.
Indeed, the Mirai Botnet attack in 2016, one of the best known IoT device hacks, targeted DNS service provider Dyn, using a botnet of IoT devices. It managed to cripple Dyn’s servers and brought huge sections of the Internet down, impacting media titans like Twitter, Reddit, CNN, and Netflix. The botnet was named after the Mirai malware that it used to infect connected devices. Once it successfully infected a vulnerable IoT gadget, it automatically searched the Internet for other vulnerable devices. Whenever it found one, the malware used the default username and password to log in to the device, install itself, and repeat the process. Many of these devices had issues with outdated firmware or weak default passwords, which made them perpetually vulnerable and easy to hack.
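The propagation loop described above (scan, try factory-default logins, install, repeat) leaves a recognisable trace on the devices it touches. As an added example that is not part of the original article, the Python below parses constructed sshd-style authentication lines from one device and flags sources that cycle through several default account names within seconds and then get in; the log format, account list and addresses are all illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style auth lines from one IoT device; format, addresses and
# account names are illustrative assumptions, not data from the article.
SAMPLE_LOG = """\
2016-10-21T11:00:01Z sshd[812]: Failed password for admin from 203.0.113.5 port 40211
2016-10-21T11:00:02Z sshd[812]: Failed password for root from 203.0.113.5 port 40212
2016-10-21T11:00:03Z sshd[812]: Accepted password for admin from 203.0.113.5 port 40213
2016-10-21T11:00:05Z sshd[812]: Failed password for root from 198.51.100.9 port 51002
2016-10-21T11:00:06Z sshd[812]: Failed password for support from 198.51.100.9 port 51003
2016-10-21T11:00:08Z sshd[812]: Accepted password for root from 198.51.100.9 port 51005
2016-10-21T11:09:00Z sshd[812]: Accepted password for alice from 192.0.2.20 port 61000
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+)")

# Factory-default account names often shipped on consumer devices (constructed list).
DEFAULT_ACCOUNTS = {"admin", "root", "support", "user", "guest"}


def parse(log_text):
    """Parse log lines into dicts with ts (datetime), result, user and ip."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def find_default_credential_scans(events, min_attempts=3, window_seconds=60):
    """Map source IP -> accounts it logged into, for sources that cycle through
    two or more default account names within a short window and then succeed.
    A person rarely tries several different factory accounts within seconds."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        tried = {e["user"] for e in evs if e["user"] in DEFAULT_ACCOUNTS}
        accepted = [e["user"] for e in evs if e["result"] == "Accepted"]
        if len(evs) >= min_attempts and span <= window_seconds and len(tried) >= 2 and accepted:
            alerts[ip] = accepted
    return alerts
```

A flagged source followed by a successful login is a signal to rotate the device’s credentials and check its firmware version, which are the two weaknesses the article names.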
Legislators said in the draft proposals that connected products suffered from “a low level of cyber security” and “an insufficient understanding and access to information by users, preventing them from choosing products with proper cyber security features.”
Companies face fines of as much as €15 million or up to 2.5% of their total global turnover if they fail to comply with the European Commission’s proposed law known as the Cyber Resilience Act, which will require manufacturers to fix any problems that are identified.
“It (the Act) will put the responsibility where it belongs, with those that place the products on the market,” EU digital chief Margrethe Vestager said in a statement.
While the number of IoT providers offering a public channel for users of consumer devices to report device vulnerabilities continues to increase, the proportion remains low – just over one in five companies surveyed, according to a November 2021 study published by the IoT Security Foundation. In its report the foundation said that “while the needle has moved a little, it is evident that it will take legislative, regulatory and enforcement steps…to drive home the message and effect real change.”
The IoT Security Foundation found that the sectors that fare better in terms of vulnerability disclosure are TV, Wi-Fi and networking, mobile, hub, and laptops, PCs and tablets. These are all categories that feature large, well-known tech firms such as Sony, Panasonic, Samsung, LG, Google, Microsoft, Dell, Lenovo, Amazon, Logitech, Apple and other global brands. Categories such as lighting, security, smart home and wearables – which include a much more diverse range of companies – continue to perform poorly in providing policy details, according to the 2021 study. The workplace category also showed low levels of accessible vulnerability disclosure policy information. Products here include printers and devices relatively new to the market, such as smart pens.
Under the draft EU legislation, manufacturers will have to assess the cybersecurity risks of their products and take appropriate action to fix problems for a period of five years or during the expected lifetime of the products. If the draft law passes, companies would be obliged to notify the EU cybersecurity agency ENISA of any incidents within 24 hours after they become known and take measures to resolve them. Importers and distributors will have to verify that products conform with EU rules.
In an interview with Reuters, the Computer & Communications Industry Association (CCIA Europe) warned that the resulting red tape from the approval process could hamper the roll-out of new technologies and services in Europe.
The draft rules will need to be agreed with EU countries and EU lawmakers before they can become law.
IN OTHER NEWS THIS WEEK
The Sound Of People’s Voices Might Help Diagnose Disease
Researchers are building a database of human voices that they’ll use to develop AI-based tools that could eventually diagnose serious diseases; they’re targeting everything from Alzheimer’s to cancer. The National Institutes of Health-funded project, announced Sept. 13, is an effort to turn the human voice into something that could be used as a biomarker for disease, like blood or temperature.
Owkin’s Cancer Spotting AI Diagnostic Tools Score European Approval
Artificial intelligence biotech company Owkin, which was founded in France, announced that AI-based diagnostic solutions designed to improve outcomes for patients with breast cancer and colorectal cancer have been approved for use in Europe. By using AI to analyze digital pathology images, they are designed to help clinicians make precision medicine – diagnosis and treatment based on a patient’s individual characteristics – more accessible to more patients at an earlier stage of their disease. Owkin’s RlapsRisk BC is the first CE-IVD approved digital pathology-based AI diagnostic that predicts the risk that early breast cancer patients will relapse, according to Owkin. MSIntuit CRC is the first CE-IVD approved AI solution that enables the identification of microsatellite stable patients from routine histology slides, enabling a significant reduction in time and in the number of diagnostic tests for detecting microsatellite instability, a factor in some colorectal cancers. These are the first approved diagnostic products developed by Owkin, which aims to develop more biomarker pre-screening and outcome prediction diagnostics across a range of disease areas.
Walmart To Start Testing Checking Accounts
Walmart is just weeks away from beta testing a digital checking account with employees and customers. One, the independent fintech unit Walmart has established under the leadership of former Goldman Sachs consumer banking chief Omer Ismail, will introduce checking accounts to thousands of Walmart employees and a small percentage of its online customers for beta testing in the coming weeks, according to Reuters. The fintech aims to make the accounts available to Walmart’s 1.6 million employees within a year before rolling out services more broadly, the sources said. It also hopes to expand its offerings to loans and investments. The move marks a major escalation in the world’s largest retailer’s foray into financial services, with lending and investing products expected to follow.
Adobe agreed September 15 to acquire Figma, whose products are used by software developers to collaborate, for $20 billion. Adobe Chief Executive Shantanu Narayen hailed Figma’s business as “the future of work” and said there were “tremendous opportunities” in combining it with his company’s offerings, such as document reader Acrobat and online whiteboard Figjam.