In an increasingly digital age, and one marked by misinformation and fake news, the big challenge is establishing trust in technology itself.
Few of us today are unaware of the significance of cybersecurity and the threat of cyber-attacks on our computers, smartphones and other devices. We are constantly being reminded never to disclose passwords and to be on the look-out for spam and phishing e-mails that attempt to manipulate you into divulging personal information – such as those passwords, bank details, social security or medical information.
This form of identity theft, although troubling, becomes even more sinister when it is directed at governments and other major institutions. “Seeing is deceiving” is the tagline of a popular BBC TV series, The Capture, which explores the impact of deepfake technology – described as the 21st century’s answer to Photoshopping – threatening national security, shaking the foundations of state, destroying trust and making us doubt reality.
Far-fetched in many respects, perhaps, but as we move deeper into the era of the Fourth Industrial Revolution, the show highlights the potential risks and threats from rapidly changing and ever-more sophisticated technologies.
The global cost of cybercrime will reach USD 10.5 trillion annually by 2025.
Prioritizing the risk
According to the World Economic Forum report Global Cybersecurity Outlook 2022, infrastructure breakdown as a result of a cyber-attack is the number one concern for cyber leaders, ahead of identity theft. The report also indicates that while 85 % of cyber leaders agree that cyber resilience is a priority for their organization, gaining decision makers’ support when prioritizing such risks against many others remains a big challenge. This challenge should not be taken lightly. CyberCrime Magazine says cyber-attacks could potentially disable the economy of a city, state or entire country and it claims the global cost of cybercrime will reach USD 10.5 trillion annually by 2025.
Cybersecurity is not new, but in our increasingly interconnected – and fragmented – world, the risks to people, organizations, services and systems from cyber-attacks have never been greater. As technology has grown in sophistication, so, too, have cybercriminals. Uncertainty is rife and trust is at a premium. Confidence and assurance that our systems are safe is now a basic requirement and two International Standards – ISO/IEC 15408 and ISO/IEC 18045 for information technology – can help to restore that trust.
The standards work together “like the pedals of a bicycle”, says Miguel Bañón, an expert in cybersecurity evaluation and certification, and Convenor of the working group on security evaluation, testing and specification, operating under the joint stewardship of ISO and the International Electrotechnical Commission (IEC). ISO/IEC 15408 establishes evaluation criteria for IT security, while ISO/IEC 18045, the companion document, defines the methodology for IT security evaluation. For practical purposes, however, they are the same thing.
In order to succeed in the market, you have to achieve the trust of your customers.
Timely revision
The recent revision of the standards could not have been more timely, evolving to meet the complex new needs of the age. “The working group is focusing on technology assurance, testing certification and providing the standards to ensure that the technology itself is secure,” Bañón says. “This is a significant part of the solution.” The standards also help to manage information and take a holistic approach, but the basic foundation is that the technology is secure.
In order to succeed in the market, you have to achieve the trust of your customers. This is as true for technology as it is for any other product. With a dizzying array of new products coming on to the market very quickly, such as connected vehicles for example, how can you rely on a connected vehicle that drives by itself if you don’t have assurance that it’s going to work properly?
As Bañón says, with ISO/IEC 15408 and ISO/IEC 18045, “we are providing the best and the only way, which is internationally agreed, on how to test and evaluate the security of products and systems”. He points out that what was once a niche area is now becoming mainstream and the market itself is putting cybersecurity upfront as a requirement. Decision makers and leaders now have to step up and prioritize cyber-risks.
The market itself is putting cybersecurity upfront as a requirement.
Building resilience
At government level, this is something that is being increasingly recognized. Bañón says that one positive outcome of this explosion of cybersecurity concerns has led, for example, to new and forthcoming legislation in the European Union to strengthen cybersecurity systems. “The EU Cybersecurity Act provides a framework for European-wide certification schemes. In the past, if you had to certify the security of your product, you could do that based on national schemes,” he says. “Now, for the first time, there will be a pan-European certification scheme for products and this new scheme is based on ISO/IEC 15408.”
As he points out, IT security is not new and the past application of the standards has had a positive impact on products in the market. He says: “Those products that have typically achieved compliance with the standards, such as operating systems or network devices, have evolved and improved to the extent that the hackers have had to target “easier” products/attack surfaces.”
Compliance with ISO/IEC 15408 requires a high level of maturity, a high level of resistance against attacks. When we hear news of major cybersecurity breaches today, Bañón says there is a high chance these hackers are exploiting products that have not been certified or analysed by this standard. “If you’re a hacker, you tend to look for the weakest link in the chain, and today, the easiest route is via products that have not been certified according to the standard.”
Independent and impartial
It’s all a matter of trust. Bañón says: “In our standards, trust is provided after a very rigorous, independent and impartial review of a product and after a process of evaluation and certification.” Just as you can’t – and wouldn’t want to – buy a washing machine that doesn’t comply with safety requirements, compliance with these standards, “which are driven by market needs and are the basis of the most successful cybersecurity schemes all over the world”, offers protection from nasty shocks and will deliver peace of mind.