The Risks and Controversy Surrounding EU’s Vulnerability Disclosure Rule

The EU’s Controversial Vulnerability Disclosure Requirement

Introduction

The European Union (EU) has proposed a new rule under Article 11 of the Cyber Resilience Act (CRA) that would require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. While some IT security professionals support this rule, there is growing concern among industry experts that it may be counterproductive and pose risks to both organizations and individuals. Fifty prominent cybersecurity professionals signed an open letter arguing that the 24-hour window is insufficient and opens the door to potential abuse and exploitation.

The Concerns of IT Security Professionals

The main concern raised by IT security professionals is the potential misuse of vulnerability disclosure requirements for intelligence or surveillance purposes. There is a fear that governments could exploit the vulnerabilities instead of prioritizing patching and protecting systems. This could leave citizens and critical infrastructure exposed to threats and undermine the security of digital products.

Gopi Ramamoorthy, senior director of security and GRC at Symmetry Systems, highlights the urgency of patching vulnerabilities, but cautions against publicizing them before updates are available. Publishing vulnerability information without patches raises concerns that it may enable further exploitation of unpatched systems, putting organizations and citizens at greater risk.

Callie Guenther, senior manager of cyber threat research at Critical Start, acknowledges the commendable intent of the EU’s Cyber Resilience Act but urges consideration of its broader implications and potential unintended consequences. She suggests alternative approaches to vulnerability disclosure, such as tiered disclosure based on severity and impact, preliminary notifications to vendors with a grace period, and coordinated vulnerability disclosure in which researchers, vendors, and governments work together responsibly. Guenther emphasizes the need for explicit clauses that prohibit the misuse of vulnerabilities and restrict access to the disclosed information in order to mitigate risks.

A Thoughtful Approach to Vulnerability Disclosure

John A. Smith, CEO at Conversant Group, highlights the importance of a thoughtful approach to vulnerability disclosure. Traditionally, responsible disclosure has followed a careful process that allows organizations and security researchers to understand the risk, develop patches, and mitigate threats before exposing the vulnerability to potential exploiters. Smith argues that the mere knowledge of a vulnerability’s presence can trigger threat actors to probe, test, and actively exploit it. He cautions against requiring disclosure to individual governments, as it may reduce consumer confidence and damage commerce because of the risk of nation-state spying. Instead, Smith suggests requiring software companies to acknowledge reported vulnerabilities within an expedited timeframe, report progress to the discovering entity regularly, and provide a public fix within a maximum of 90 days.

Impacts Beyond the EU

Guenther highlights the importance of the EU’s decisions for US companies operating on a global scale. Regulatory shifts in the EU have influenced the global operations of American corporations in the past, as seen with the General Data Protection Regulation (GDPR) influencing the California Consumer Privacy Act (CCPA) and other US privacy laws. Any vulnerability disclosed hastily because of EU regulations would not confine its risks to Europe but would also affect US systems that run the same software.

Editorial: Finding a Responsible and Balanced Approach

It is evident that the EU’s proposed 24-hour vulnerability disclosure requirement has sparked concern and controversy within the cybersecurity community. While the goal of enhancing cybersecurity is laudable, it is crucial to carefully consider the potential unintended consequences and risks associated with such a requirement.

The concerns raised by IT security professionals regarding the potential abuse of vulnerability disclosure for intelligence or offensive purposes are valid. Governments must prioritize patching and protecting systems over exploiting vulnerabilities. Striking a balance that allows timely disclosure while mitigating risks is essential.

Alternative approaches discussed by experts, such as tiered disclosure, preliminary notifications, and coordinated vulnerability disclosure, offer potential solutions. These approaches provide flexibility based on severity, allow for a grace period, and emphasize responsible collaboration among researchers, vendors, and governments.

However, it is important to acknowledge that implementing such approaches is not without its challenges and risks. Proper clauses must be included in any rule to prevent misuse of disclosed vulnerabilities and restrict access only to authorized personnel. Privacy and security concerns should be at the forefront of any decision-making process.

Furthermore, it is crucial for the US to pay attention to the developments in the EU and learn from them to develop well-informed cybersecurity policies. As US companies operate globally, regulatory shifts in the EU can have a significant impact on their operations. The ripple effect of the EU’s regulatory decisions, as seen with GDPR and US privacy laws, highlights the need for proactive preparation and observation.

In conclusion, finding a responsible and balanced approach to vulnerability disclosure is essential. Flexibility, collaboration, and a mindful consideration of potential risks should guide policymakers. It is crucial to prioritize patching over surveillance, protect the security of digital products and individuals, and ensure that any disclosure requirements are implemented with caution and thoughtfulness.
