Who is to blame for the obsolescence of business equipment?
Since 2015, the French government has been waging war on planned obsolescence. Many measures have been put in place to extend the lifespan of electronic devices sold on the consumer market, such as publisher liability, criminal sanctions, or a repairability index displayed on products. The reality is quite different in the business world, where it is more complex to determine who is responsible for the obsolescence of the equipment and software in use.
If you bought an electronic device earlier this year, you may have noticed a small, coloured logo with a score out of ten. This is the repairability index. Adopted as part of the anti-waste law for a circular economy (aka AGEC, its French acronym), which came into force on 1 January 2022, this score is calculated according to five criteria: the quality of the documentation provided by the seller; ease of disassembly, access and the tools required; the availability of spare parts; the price of those spare parts; and criteria specific to the type of product. It is monitored by the French DGCCRF (General Directorate for Competition Policy, Consumer Affairs and Fraud Control).
This repairability index is part of a fundamental trend taken up by the French regulatory authorities to fight against planned obsolescence. This practice—which consists of a manufacturer or publisher designing a device or software so that its user is forced to replace it regularly—has been banned on the French consumer market since 2015. But in professional markets, companies still have to deal with ageing assets. This was the subject of the inCyber breakfast on 30 November 2021, to which Christophe Leray, Chief Information Officer (CIO) of the ‘Les Mousquetaires’ group, Anthony di Prima, Head of Industrial Cybersecurity at Sanofi, and Maxime Molkhou, lawyer and founder of Nemrod Avocat, were invited.
“I don’t know of any other example of planned obsolescence that has been as successful as in the technology sector,” said Christophe Leray at the start of the debate. And with good reason: we have come a long way! The concept of planned obsolescence dates back to the Great Depression, when, after the stock market crash of 1929, an American real estate agent, Bernard London, proposed to “put an end to the crisis thanks to planned obsolescence” in his book The New Prosperity, published in 1932. The concept thus began as a voluntary economic strategy.
The principle of publisher liability enshrined in French law
Today, at a time when the Paris Agreement has set a course towards carbon neutrality by 2050, planned obsolescence is no longer popular. The year 2015 “was the marker of this change of gear in France,” Maxime Molkhou reminded us, with the law of 17 August on the energy transition, which quite simply prohibits the practice and imposes fairly strong criminal penalties—a fine of €300,000 or 5% of turnover and two years in prison—on those who engage in it. It was further strengthened by the order of 14 March 2016.
More recently, the order of 29 September 2021 on updates to goods containing digital elements under the legal guarantee of conformity was a new blow to software obsolescence, since it “includes security in the panel of compulsory updates” and “introduces a duty of information and a principle of liability for the publisher”, continued the lawyer.
Two months later, the law of 15 November 2021 aimed at reducing the environmental footprint of digital technology in France set out a definition of digital sobriety. Maxime Molkhou commented that, now that the repairability index has come into force, new bills against obsolescence are being discussed, such as “the amendment aimed at adding to the consumer code the principle of obliging publishers who do not keep their software secure to open their source code.”
Within companies: “Obsolescence on the one hand, the race to constant updates on the other”
However, all these regulations are mainly aimed at the consumer market. While “we can expect this fight against obsolescence to move from B2C to B2B,” as the lawyer assured us, Anthony di Prima pointed out that, at present, manufacturers have to “make new technologies and obsolete equipment cohabit.” The reason is that “industry knows how to make hardware last better than IT departments, which are subject to the diktat of permanent renewal.” A good thing, one might think. Except that the hardware (which remains efficient for the tasks it is asked to perform) and its accompanying software are not always up to date. This sometimes makes the hardware incompatible with more modern equipment and, above all, exposed to cyberattacks and malfunctions (hardware failures and software bugs).
According to NTT’s 2020 Global Network Insights Report, 48% of the equipment in European organisations is now ageing or obsolete and therefore has unpatched flaws and software vulnerabilities. At the same time, “CIOs and CISOs are now being forced into a frantic pace of software patching, which puts them in an untenable situation,” added Christophe Leray.
“Obsolescence on the one hand, the race to constant updates on the other,” summarised Maxime Molkhou, explaining that industrial network managers are caught in a vice. Fortunately, risk mitigation methods exist, “such as the implementation of supervision tools, network segmentation, and microsegmentation to isolate the most vulnerable assets,” detailed Anthony di Prima, who also suggested that Industry 4.0—with its more scalable factories—could help solve some of these problems.
Towards security certifications
But this is far from enough, especially as software obsolescence and cyber vulnerability increasingly bring new risks of non-compliance with ever more stringent security regulations, or reputational risks—which can be a significant factor in an acquisition, for example. The real issue of business equipment obsolescence lies in a simple question with a complex answer: who is responsible for the obsolescence of a product if something goes wrong? Is it the customer, who should have upgraded or replaced their equipment? Is it the manufacturer or the software publisher? Is it the author of the third-party component (the “brick”) used by said publisher that turned out to be vulnerable?
One thing is certain, according to Christophe Leray: “Today, IT has become a Wild West in which customers buy a product at their own risk, without any guarantee of anything.” To bring order to this Wild West, the three speakers agreed on the need to design security certifications for business equipment and software, together with security maintenance procedures recognised by national governments. They “could be based on the U.S. government’s NVD and CVE framework,” which the entire cybersecurity industry has now largely adopted, proposed Maxime Molkhou.
“We should also draw inspiration from what the automotive sector has already put in place, which is very advanced in this area,” added Anthony di Prima. Finally, Christophe Leray took advantage of his role as vice-president of Cigref (the IT club of large French companies) to refer to the report published in October 2021 by this organisation, which makes “recommendations on the drawing up of specifications” for designing such certifications. Time will tell whether the European Commission—which is working on a European regulation on the subject—will find inspiration in any of these ideas.