Responsible disclosure of vulnerabilities: Sometimes earlier is not better
The European Union has had the security of connected devices in its sights since the end of 2020. And rightly so, since most IoT devices are not designed with security requirements from the outset but are instead shaped by competition and cost efficiency. Security has become an afterthought, if it enters the equation at all.
Commission chair Ursula von der Leyen, in her September 2021 State of the Union address, mentioned the need for an EU position on cyber and urged the commission to make a proposal by the end of 2022 with common cyber security requirements for connected devices.
That proposal came in September 2022 and was called the Cyber Resilience Act (CRA), a proposed Cyber Resilience Regulation. Subsequently, in July this year, an agreement was reached on the Council's common position, which modifies some points of the Commission's proposal but gives the green light to the Spanish Presidency to enter into negotiations with the European Parliament on the final version of the proposed legislative act.
CRA – Article 11: Manufacturers' reporting obligations
One of the articles of the proposed Cyber Resilience Regulation focuses on the obligation of manufacturers to report any actively exploited vulnerabilities to competent national authorities within 24 hours of becoming aware of them. Sounds good, doesn't it?
First, from a transparency standpoint. Second, the sooner a vulnerability is known, the sooner detection and response teams can be alerted and the potential impact of its exploitation on businesses and citizens can be minimized. Right?
Not always. As is often the case in cyber security, the balance between transparency and security is very unstable, and sometimes faster does not mean safer. At least that is the understanding of a group of more than 50 technology experts and organizations who have signed an open letter calling on the European Union to reconsider Article 11 of the forthcoming Cyber Resilience Act.
Signatories to the letter include representatives from Google, Arm, the Electronic Freedom Foundation and many of today's leading security vendors, such as Trend Micro, Rapid7, Tenable and HackerOne to name a few.
The signatories of the open letter argue that Article 11 of the CRA greatly expands the number of organizations that will have immediate knowledge of actively exploited vulnerabilities, which, in turn, increases the risks to manufacturers, their customers and the public at large.
The three risks they highlight in their open letter
In the opinion of the signatories, the current wording introduces new risks that interfere with its original purpose of improving cyber security in Europe.
1. Misuse of reported vulnerabilities for surveillance and intelligence work
Information on actively exploited bugs may end up in the hands of some intelligence agencies and be misused for intelligence and surveillance operations.
This is not a far-fetched concern, especially after some EU member states have been caught misusing spyware in the last three to four years, in obvious cases of illegal surveillance.
2. Risk of exposure to malicious actors
The risk of accidental leaks and disclosures increases with so many new parties involved in processing information about a zero-day. Such leaks would hand details of the active exploit to cybercriminals, who could recreate the exploit and abuse the same bugs in their own campaigns.
Recall that this disclosure has to be made within 24 hours of becoming aware of the vulnerability, which means that fully developed patches or mitigations will potentially, or even probably, not yet exist.
3. Disincentivizing vulnerability reporting by security researchers
Experts also fear that the new EU zero-day disclosure rules will interfere with current coordinated disclosure procedures, which, in some cases, keep ongoing exploitation secret until patches can be prepared and tested before vulnerability information is made public.
Counterproposal from technology experts and organizations
The signatories claim to agree with the obligation to report vulnerabilities promptly but consider it crucial to retain a responsible and coordinated vulnerability disclosure process.
They propose either to remove the 24-hour notification paragraph in its entirety or to include the following modifications:
- Agencies should be explicitly prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance, or offensive purposes.
- Require that only vulnerabilities that can be mitigated be reported to agencies, and only within 72 hours of effective mitigation measures (e.g., a patch) being made public.
- The CRA should not require reporting of vulnerabilities that are only privately exploited and reported by bona fide security researchers, as they do not pose a security threat because they are not actively exploited by malicious actors.
Conclusions
Sometimes the intention of being diligent in the interest of improving cyber security for the companies and citizens of the European Union collides head-on with the reality of how complex vulnerability disclosure is.
All of us who have been involved in a vulnerability discovery, patching, and mitigation process know that balance in time management is very important.
I agree, at least in my view, with the proposal of the signatories of the letter to adopt a risk-based approach. Factors such as severity, patch availability, potential impact on users and likelihood of large-scale exploitation should be taken into account.
It would be easier if the traditional approach were simply compulsory ... but there is a long gray scale between black and white. Oh, surprise, surprise! Unfortunately, cyber security is not easy!