Governance Approaches to the Security of Digital Products - A Comparative Analysis
CSS' Nele Achten's report for the Geneva Dialogue on Responsible Behavior in Cyberspace provides an overview of public policies around the security of digital products. It summarizes the challenges that public policymakers frequently face in this context and the solutions that have been adopted. It also explains how the relatively new policy area of digital product security can be distinguished from cybersecurity regulations around critical infrastructure protection and data security.
To the publication
Key Insights
- Security of digital products is a relatively new regulatory field that can be placed somewhere between data security regulations and critical infrastructure protection (CIP). While there is significant overlap between product security and the security of critical infrastructure (CI) (e.g., cloud services can be both), the types of rules governing the two regulatory fields are generally different. Most policies and mandatory rules for CI providers have focused on best practices to strengthen the security of the organization. By contrast, emerging policies and legal frameworks addressing the security of digital products focus on security measures during the development and lifecycle of the product.
- Digital products can be any type of software, hardware or a combination thereof. Public agencies mostly address software, Internet of Things (IoT) devices and sometimes cloud services in their policies on digital products. Industry tends to have a broader understanding of digital products, including 5G and AI technologies. Policy documents and public commitments to strengthen security use the term "digital products". Legal documents and guidelines that establish security objectives or propose concrete measures, however, mostly distinguish between different types of technologies. The question arises whether it is possible to develop horizontal security requirements for all types of digital products, or whether a distinction is required in order to effectively improve the security of digital products.
- The depth of security regulation in the digital space differs among jurisdictions. Some jurisdictions also use different legal concepts for different policy tools. One policy tool discussed in a number of jurisdictions is the adoption of mandatory minimum baseline requirements. Perhaps unexpectedly, industry representatives have signaled support for such an approach. One reason for their support might be that these minimum baseline requirements are mostly prescriptive, easy to implement and often consist of low security standards. These low standards often prove less stringent than the existing practices of the big companies engaged in these policy discussions.
- Currently, most security standards are developed with the goal of being applied in a broad number of jurisdictions. Even where national, regional and international organizations develop standards in parallel, there are efforts to build upon one another's work. While a number of bilateral agreements recognize certificates from another country, discussions about labels usually focus on their domestic application only.