Revised EU Cyberstrategy Pushes IPv6 Rollout, Patches for IoT Devices
More IPv6 take-up and a more prominent role for cybersecurity certification are among highlights of the EU revamped cybersecurity strategy unveiled Wednesday, officials told us. The approach in the joint communication by the European Commission and the high representative for foreign affairs and security policy includes boosting cyber-capabilities in technology and skills; ramping up efforts to detect and trace bad actors; and more international cooperation. IPv6 proponents said the new technology offers better cyber-protection than IPv4. One expert said the main takeaway is the plan's focus on cybersecurity patches.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Effective deterrence means setting measures that are "credible and dissuasive" for would-be cybercriminals, the EC said: If perpetrators have nothing to fear except failure, "they will have little incentive to stop." Law enforcement must focus on finding, tracing and prosecuting criminals quickly, it said. It cited identifying malicious actors, one key to which is spurring IPv6 rollout. The widespread practice of putting multiple users behind one Internet Protocol address makes it technically difficult to investigate online malicious behavior, so the EU will "encourage the uptake of the new protocol (IPv6) as it allows the allocation of a single user per IP address," aiding law enforcement and cybersecurity investigations, it said. As a first step, the EC said it will stress the requirement to shift to IPv6 via its policies. It urged governments to "consider voluntary agreements" with ISPs.
If all people and businesses used IPv6 only, it would be harder for attackers because unlike IPv4, the newer technology has a privacy protocol, IPv6 Forum President Latif Ladid said. ISPs deploy temporary IPv6 addresses to retain their IPv4 charging model, he said. ISPs assign private IPv4 addresses that aren't globally routable, he said. A globally routable IPv4 address that could be used to trace people costs 40-50 euros ($47-$59) a month, he said. Such addresses are leased mainly to enterprises that need to secure multisite networks or for web servers and email services that need to be identified to receive emails. Users generally don't know about the use of a routable IPv6 address, so ISPs change those addresses every 24 hours or so.
When an operating system such as Windows receives a prefix from an ISP router or DSL box, it creates two IPv6 addresses, said Ladid. With the IPv6 prefix, which is 64 bits long, the OS takes the PC or laptop identified, with 48 bits, and places it in the address suffix. The process makes an IPv6 address visible on the internet because the PC or laptop address identification essentially kills the privacy of the IPv6 address, he said. To remedy that, the OS creates a privacy address by scrambling the computer address, making it untraceable. When a user browses to a website, the OS uses the privacy IPv6 address, not the computer/laptop address, to protect against activities by advertisers or hackers, Ladid said.
Most IPv6 users use their unique address, which makes them identifiable over the internet, but "the bad guy will force IPv4 and will be hidden" behind a carrier grade network address translation address that shares one public IPv4 address with hundreds of other users, said Cisco Distinguished Engineer Éric Vyncke, of Belgium's IPv6 Council. "IPv6 is a step forward but as long as people have IPv4 it will not help so much," he said. IPv6 "is the way to go for security," so long as staff is properly trained, he said.
IPv6 "is one of the least weighty" aspects of the revised strategy, said Ross Anderson, security engineering professor at the University of Cambridge Computer Laboratory. "If the feds are seriously after you, then hiding behind the NAT (network address translation) or DHCP (dynamic host configuration protocol) isn't enough."
The "headline" of the new approach, Anderson said, is its proposal to make the European Network and Information Security Agency (ENISA) the permanent custodian of the EU network and information security directive and of cybersecurity certification. The EC said it plans to create a cybersecurity certification regime for products, services and systems that adapt the level of assurance to the use involved (such as critical infrastructures versus consumer devices).
As the IoT emerges, "cybersecurity isn't just about your phone and your laptop, it's about your car, your electricity meter and your pacemaker," Anderson said. The EU has substantial regulatory responsibilities for safety of durable goods that used to be certified by premarket testing but that in the future will be patched for security as well as for safety, he said. Anderson spelled out the implications in a report to the EU last year. "Everyone from Bosch to Qualcomm agrees that the costs of security patches for more durable goods are a big deal and getting worse," he said.
Regulating car safety means there will have to be automated systems to collect relevant data about security breaches and accidents and to send it to ENISA and the agencies responsible for auto safety, said Anderson. Automakers will have to be legally compelled to keep making patches available for 20 years, he said: "If they stop after five, like Microsoft, then that eventually means that cars will have to be scrapped after five years."