Europe can reduce the chance of a repeat of WannaCry, Heartbleed and other incidents in which criminals exploit large-scale software vulnerabilities. The way to do that is to advance a norm encouraging governments to establish internal processes to review, and share with vendors, the information they obtain about software vulnerabilities. The proposed EU Cybersecurity Act is a good place to start, with ENISA, the EU Cybersecurity Agency, supporting Member States in sharing and implementing best practices.
Today, European governments and their various departments and agencies come across software vulnerabilities in multiple ways, for example through their own research and development, by purchasing them, through intelligence work, or by reports from third parties.
Vulnerabilities, especially ‘zero-day’ ones that the vendor does not yet know about, pose a serious cybersecurity threat because they can also be exploited by cybercriminals to cause serious damage to citizens, enterprises, public services and governments, as witnessed in, for instance, the recent WannaCry and Petya attacks and the Heartbleed flaw in OpenSSL. WannaCry and Petya both spread through an exploit for a Windows SMB vulnerability that had reportedly been held by a government agency before it leaked, which is exactly the situation a disclosure process is meant to avoid.
Yet despite this reality, very few EU Member States have a proper process for these agencies and departments to review the vulnerabilities they discover and disclose them to the relevant vendors. This prevents affected companies from patching their code and protecting users’ systems before the vulnerabilities become known to other actors and are weaponized against the wider public. The process for review and disclosure, usually referred to as “Government Vulnerability Disclosure” (GVD), is currently being discussed in a handful of Member States, and most European governments have yet to start this conversation across all responsible departments.