EU Cybersecurity Act: Time for a two-way street on cybersecurity information-sharing
Europe can reduce, and in many cases prevent, repeats of WannaCry, Heartbleed and other large-scale criminal exploitation of software vulnerabilities. The way to do that is to advance a norm encouraging governments to establish internal processes to review and share the information they obtain about software vulnerabilities. The proposed EU Cybersecurity Act is a good place to start, with ENISA, the EU Cybersecurity Agency, supporting Member States in sharing and implementing best practices.
Today, European governments and their various departments and agencies come across software vulnerabilities in multiple ways, for example through their own research and development, by purchasing them, through intelligence work, or by reports from third parties.
Vulnerabilities, especially ‘zero-day’ ones for which no patch yet exists, pose a serious cybersecurity threat: whoever first finds them, they can also be discovered or obtained and exploited by cybercriminals to cause serious damage to citizens, enterprises, public services and governments, as witnessed in the recent WannaCry and Petya attacks and in the Heartbleed flaw in OpenSSL.
Yet despite this reality, very few EU Member States have a proper process for their agencies and departments to review the vulnerabilities they discover and disclose them to the relevant vendors. This prevents affected vendors from patching their code and protecting users’ systems before those vulnerabilities become known to other actors and are weaponized against the wider public. The process for review and disclosure, usually referred to as “Government Vulnerability Disclosure” (GVD), is currently being discussed in a handful of Member States, and most European governments have yet to start this conversation across all responsible departments.
At the EU level, the recent Network and Information Security Directive creates a framework for information-sharing from companies to government authorities. But as recent cases demonstrate, vulnerability information-sharing should be a two-way street to achieve meaningful cybersecurity improvements, and companies need governments to be good partners in our shared interest in defending cybersecurity by sharing vulnerabilities back out to affected vendors.
All companies want to know about the vulnerabilities of their products so that they can patch them without delay and protect their European customers. And while there may be legitimate public and/or security interests on the part of a state to delay disclosure to vendors, it is also in any government’s interest to have such processes in place. After all, ensuring that vulnerabilities are expeditiously notified to affected vendors and manufacturers is something that governments can do that will tangibly, directly, and quickly lead to improved cybersecurity for European citizens, public authorities, and companies.
In practice, every vulnerability known to a government agency should be subject to a periodic cross-agency review to determine the best timing for disclosing it to the relevant vendor. That review should weigh the scale of deployment of the affected software, the likelihood that others will discover the same flaw, the potential consequences of exploitation, the demonstrated value of keeping the information undisclosed, and similar factors. The CEPS Task Force on “Software Vulnerability Disclosure in Europe” has recently published several recommendations in this regard, which serve as an effective blueprint for Member States developing GVD processes.
The EU’s Cybersecurity Act is a unique opportunity to foster Government Vulnerability Disclosure across the European Union, with ENISA, the EU’s Cybersecurity Agency, acting as a platform for governments to share best practices among Member States, and assisting and advising them in their implementation. MEP Marietje Schaake, MEP Matthijs van Miltenburg and MEP Dita Charanzová have tabled several amendments which certainly go in the right direction.
Let us be clear: this is not a debate about the substantive question of whether governments should be able to acquire and exploit software vulnerabilities. This is about Member States’ responsible management of vulnerabilities that they learn about. Above all, this is about European governments partnering with software vendors to improve the state of cybersecurity for citizens, enterprise and public actors.