What makes the Charter of Trust a successful model?
Two years ago Siemens instituted the Charter of Trust – which now has 17 partners. But what has this initiative achieved in the intervening period? It’s time to take stock.
“We’re the alliance of the good guys.” When Kai Hermsen talks about the Charter of Trust, it sounds vaguely reminiscent of Star Wars. So, just who are these “good guys”? In addition to the initiators, Siemens and the Munich Security Conference, they are Airbus, Atos, Cisco, IBM, TÜV Süd and nine other major companies who have joined forces in the Charter of Trust with a view to making their businesses, products and critical infrastructure more secure and protecting them from the “dark side of the Force”: extortionists, spies and terrorists seeking to penetrate computer systems in order to steal or destroy data or extort ransom payments. For the Charter of Trust, cybersecurity offers a real chance to work alongside employees, customers and partners in a bid to build trust in digitalization and exploit its boundless opportunities.
The Charter of Trust has now been in existence for almost two years and can already be described as a genuine success story. This is because, instead of issuing vague statements of intent, it sets out specific measures which are first of all implemented at its own partners. Hermsen, international coordinator of the Charter of Trust at Siemens, calls this “leading by example”. “These well-known partners really enliven the international debate – far beyond conventional sector boundaries.” Many other companies are following the activities of the alliance closely, and even policymakers and security authorities are listening to what it has to say. Ideas are exchanged particularly closely with associated partners such as the German Federal Office for Information Security (BSI), its Spanish counterpart Centro Criptológico Nacional (CCN) and Austria’s Technical University of Graz – with more to join in the future.
Raising awareness and creating trust
These are illustrious names indeed. But what will all this really mean for cybersecurity? It will raise awareness for one thing. “The Charter of Trust has really galvanized the political debate,” says Johannes von Karczewski, Senior Director Global Government Outreach, and one of those who helped bring the initiative to life. With its ten basic principles, the Charter of Trust has created a common understanding of cybersecurity for the very first time, he says, as well as strengthening the bond of trust between the partners, without which nothing could be achieved in a networked world.
Cybersecurity standards for millions of suppliers
The Charter of Trust has also succeeded in bringing about specific improvements in cybersecurity. Far from acting as remote planets on a lonely orbit, Siemens and its CoT partners are closely entwined with innumerable other companies, largely small and medium-sized, which supply components for their products. The Charter of Trust aims to get these companies to sign up to common security standards too. To this end, its partners have defined 17 minimum cybersecurity requirements to be complied with by supply chain participants with a view to ensuring secure collaboration. The CoT partners, Siemens of course included, have adopted these requirements in their general terms and conditions of business. All new security-critical suppliers will be required to satisfy them from the outset, with existing suppliers gradually being obliged to do so. In turn, they will have to ensure that their own sub-suppliers also comply. The 17 Charter of Trust partners will ultimately have a reach of millions of suppliers – a gigantic effort, but a vital one, because cybersecurity is generally only as strong as the weakest link in the chain.
Support instead of pressure
Siemens does not intend to enforce these measures by issuing a sink-or-swim ultimatum. Many suppliers’ lack of financial clout and know-how may leave them unable to cope. “Far from abandoning these companies to their own devices, we are giving them the opportunity to improve their cybersecurity,” promises Kai Hermsen. A common risk-based approach is designed to eliminate suppliers’ individual security vulnerabilities and satisfy requirements. More suppliers than originally envisaged have already complied. As Hermsen is keen to emphasize: “Far from being an isolated initiative or public relations coup, the Charter of Trust serves as an anchor for the cybersecurity activities of its partners, thus providing a real benefit.” To this end, the partners collaborate in six task forces, which Hermsen refers to as “the cardiac chambers of the Charter of Trust”. One of these task forces was responsible for recommending the minimum supply chain requirements.
From optional to mandatory
Other topics are currently being addressed and are also scheduled to be implemented promptly, including a holistic approach to better education in the field of cybersecurity. The partners also want to lay the foundations for security by default. This involves examining how products – from smartphone software all the way to industrial machines – can provide optimum security even in their ex-factory state. A well-known example of a vulnerability is a password pre-set to “0000” which is then left unchanged and presents an easy target for crooks. It makes sense to require the user to set a new password automatically on first login. But what further measures are under consideration, and what trade-offs may have to be made in the interest of user-friendliness? There have been no simple, universal answers to date, let alone specific recommendations for action. The latter are to be developed by the responsible task force and then implemented by the partners, as they have committed to under the Charter of Trust. That, too, sends out an important signal: cybersecurity is no longer optional, but is now a mandatory requirement.
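The forced password change on first login described above, as an added illustration that is not code from the article or from any Charter of Trust partner. It models a device account that leaves the factory with a placeholder password but flags it as unusable for anything except setting a real one, and it rejects a "new" password that merely repeats the default or a short weak value. The default value "0000", the minimum length of 12 and the small weak-password blocklist are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Assumed ex-factory default, the kind of value the article warns about.
FACTORY_DEFAULT_PASSWORD = "0000"
# Constructed blocklist; a real product would use a much larger one.
COMMON_WEAK_PASSWORDS = {"0000", "1234", "12345678", "password", "admin"}
MIN_PASSWORD_LENGTH = 12  # assumed policy value
PBKDF2_ITERATIONS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def acceptable_new_password(candidate: str) -> bool:
    """Policy for the replacement password: not the factory default, not a
    known weak value, and at least MIN_PASSWORD_LENGTH characters."""
    if candidate == FACTORY_DEFAULT_PASSWORD:
        return False
    if candidate.lower() in COMMON_WEAK_PASSWORDS:
        return False
    return len(candidate) >= MIN_PASSWORD_LENGTH


class DeviceAccount:
    """Account that ships in a 'must change password' state.

    While must_change is set, the factory default only unlocks the
    password-change step; every other operation is refused."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(FACTORY_DEFAULT_PASSWORD, self.salt)
        self.must_change = True

    def _verify(self, password: str) -> bool:
        # Constant-time comparison of the two digests.
        return hmac.compare_digest(self.password_hash, _hash_password(password, self.salt))

    def login(self, password: str) -> str:
        """Returns 'denied', 'change_required' or 'ok'."""
        if not self._verify(password):
            return "denied"
        if self.must_change:
            return "change_required"
        return "ok"

    def set_initial_password(self, current: str, new: str) -> bool:
        """The only action permitted with the factory default: replace it."""
        if not self._verify(current) or not acceptable_new_password(new):
            return False
        self.salt = os.urandom(16)
        self.password_hash = _hash_password(new, self.salt)
        self.must_change = False
        return True

    def run_privileged_action(self, password: str) -> bool:
        """Stands in for any real device function; gated on a completed first login."""
        return self.login(password) == "ok"


if __name__ == "__main__":
    device = DeviceAccount()
    print(device.login("0000"))                                  # change_required
    print(device.run_privileged_action("0000"))                  # False
    print(device.set_initial_password("0000", "0000"))           # False, default rejected
    print(device.set_initial_password("0000", "correct-horse-battery"))  # True
    print(device.login("0000"))                                  # denied
    print(device.run_privileged_action("correct-horse-battery")) # True
```

The usability trade-off the article raises shows up directly in `acceptable_new_password`: a stricter policy shrinks the set of weak choices but also increases the chance that a technician on a factory floor gets locked into a loop of rejected passwords, so the policy values are the knob a product team has to argue over rather than something the code can settle.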