Security in Digital World
Anne-Mari Lummevuo
IP & Tech Lawyer interested in exploring intersections of business, law and technology - Legal Counsel, Patent Attorney and Privacy professional @ Salmela-Yhtiöt Oy & Gurulogic Microsystems Oy
I’ve written earlier about the world going digital from the point of view of our ordinary life (https://www.dhirubhai.net/feed/update/urn:li:linkedInArticle:6962050141440626688/) and also in the context of the ever-increasing legislation regulating the digital world (https://iprinfo.fi/artikkeli/when-law-meets-the-digital-world/). An aspect that is very much present in many new EU regulations is digital security.
Security means many things. For babies, security means being in proximity to one’s parents and getting regularly fed and nursed. For bigger kids, security can relate to traffic safety on their way to school and to a safe school environment. For elderly people, security relates to managing life at home and to health security. But for most of us, security is probably associated with aspects like personal safety and securing one’s assets, and of course, these days, with the utmost important matters of a nation’s independence and military security.
I’ve compared phenomena and things in the ordinary, traditional world to those in the digital world. For example, our living rooms are no longer furnished with bookshelves and record collections, as books and music have moved to the digital, intangible world. Our letter boxes do not need to be emptied on a daily basis any more, as magazines, mail and invoices have also been transferred into electronic form. Going forward, our wallets and all the cards and certificates therein will be transferred to our digital identity wallet, about which I wrote an article a couple of years ago: https://iprinfo.fi/artikkeli/matrix-of-digital-identity/. Now, the legal framework for European Digital Identity, eIDAS 2.0, has been approved, so the digital identity wallet is coming.
In addition to our material assets transferring to digital form, a lot of our data is also currently stored digitally. We no longer have paper cards listing all our vaccinations; they reside in digital health records in databases. Our other health data is also located in digital databases. The same applies to our data e.g. as tax payers, employees, loyalty program customers etc. Now, when securing our material, tangible assets and property such as our home and car, we ourselves are responsible for the actions that prevent outsiders from getting access to them. We keep the doors to our house and car locked, and we don’t provide “back doors” for malicious parties to get in. However, with our digital assets we have to trust the service providers to do that, by providing sufficient security means to prevent any unauthorized parties from getting access to our data.
Technologies evolve all the time, and so do the means for hacking digital systems and passwords. With quantum computing it is easier to brute force, namely attack and break, many encryption algorithms that were previously considered secure. Hacking in general has evolved, so stronger protection is needed. The EU has tried to tackle this development by initiating a fair amount of legislation related to data and digitalization. I’ve written about some of the latest EU regulations related to digitalization of data in my earlier articles, but mainly from the Data Acts’ point of view. But there are also many new EU directives and regulations in the field of digital security. In essence, these regulations force companies to strengthen the protection of their technical systems and processes against potential cyber attacks. However, these requirements are such that any company in digital business would be wise to apply them anyway. I introduce some of the regulations here:
NIS2, namely the Directive on measures for a high common level of cybersecurity across the Union, replaces the earlier Directive (NIS1) and extends the scope of application from traditional digital businesses to new areas such as energy, waste water and food production. The rationale behind this is to safeguard the necessary infrastructure and production in case of a potential cyber attack. The directive came into force in January 2023, and in Finland the national law is anticipated to come into force in autumn 2024 already. This means that companies falling within the scope of NIS2 shall evaluate their practices and processes in terms of digital security, and notably not only their own but also those of their supply chains.
CER, the Directive on the Resilience of Critical Entities, also came into force in January 2023, and a steering group is currently being established by the Finnish Government for the national implementation of CER.
CRA, namely the Cyber Resilience Act, just had its EU trilogue, and it relates to the security of the Internet of Things. Originally it was applicable only to devices connected to the internet, but discussions are ongoing on whether it should also be applied to cloud services and software. It is very important for consumers to trust that their smart home devices such as a hoover, lawn mower and refrigerator are safe to use and cannot be hacked.
CSA, the Cyber Solidarity Act, once enacted, will aim to create a “European Cybersecurity Shield”, to improve the preparedness, detection and response to cybersecurity incidents across the EU. As such, it introduces a harmonized European system for the cybersecurity certification of ICT products and services.
DORA, the Digital Operational Resilience Act, creates a new regulatory framework for the financial sector, containing rules for protection, detection, recovery and repair capabilities against ICT-related incidents.
Cybersecurity – that’s what security in the digital world is currently called. In general, the same rules as in the physical world should also apply in the digital environment. Indeed, in a recent webinar I attended, related to corporate responsibility in digital security, Finnish EU Parliament Member Henna Virkkunen said in her speech that in future, we might not talk about separate cybersecurity anymore, but just “security”.
Security is associated with trust. You are safe with the person that you trust. Your assets are safe when you entrust them to a party that diligently takes care of them. When you entrust your data and digital assets to a service provider storing them digitally, you have to trust that they have implemented sufficient technical measures to keep the assets secured. Be it a bank storing your financial documents, a health care company possessing all your sensitive health data or a digital identity wallet provider securing your digital assets, attribute attestations and certificates, they all base their information security on the software programs and technologies they use in storing and transferring the data and digital assets. They have used consideration in selecting technology partners offering them cloud services and other storage space as well as software. The technology providers, on the other hand, have made their own choices of encryption algorithms (whether post-quantum safe or not), code (open source or proprietary), transfer protocols etc. when developing their own solutions. Thus, ultimately it is the technology that we have to trust in the digital world.
“In technology we trust.”
Marketing Content Manager at ContactLoop | Productivity & Personal Development Hacks
1 year ago: Anne-Mari Lummevuo Good share