Think of software as a web of code, woven into a system that is supposed to be intact but in which small holes can exist without anyone knowing. These holes can be used to enter the software on someone's mobile phone, laptop or desktop covertly, which is how criminals and intelligence organizations gain access to people's digital information. It is essential that such vulnerabilities are repaired, or 'patched', as soon as possible if cybersecurity is to improve in any real sense. Security researchers who examine software for these vulnerabilities should not have to fear negative legal consequences for doing so. On the contrary, we need to close the loopholes in EU law that create uncertainty for these researchers, so that vulnerability disclosure and patching are encouraged rather than deterred.
Vulnerability disclosure has been the subject of a decades-long debate in the information security community. It moved from Bruce Schneier's famous remark in the late 1990s that "full disclosure is a damn good idea" to the idea that disclosure should be done responsibly and in a coordinated fashion. The underlying lesson is that releasing all vulnerability details without a protocol or an available fix, in other words 'in the wild', can have negative consequences for everyday computer users, who are left exposed until a patch exists.
Another debate has emerged that focuses in particular on the role, responsibilities and accountability of government. Government actors can have access to, or actively make use of, vulnerabilities for national security purposes. We live in an age in which vulnerabilities are leaked or sold by criminals to buyers with potentially geopolitical motives, and in which certain governments stockpile vulnerabilities as offensive weapons.
It is high time to address how best to deal with vulnerabilities, in order to improve overall cybersecurity, protect the public and create a predictable level playing field in the European Union.
First of all, we must create a legal landscape in which good-faith vulnerability reporting does not fall foul of criminal and civil legislation. This can be done by creating a sound coordinated disclosure framework, which is currently lacking in the majority of EU Member States. ENISA could assist and advise Member States that want to create such a framework, and I tabled a number of amendments to the EU's Cybersecurity Act that would bring this task within ENISA's mandate.
Secondly, every EU Member State needs to have a framework in place that guides its intelligence agencies in using and disclosing software vulnerabilities. At present, intelligence agencies can decide for themselves, without proper accountability and oversight, what to do with the vulnerabilities they find. A governmental vulnerability disclosure review process would put an end to this practice.
In reality, the decision to disclose or retain a vulnerability is not a binary choice. The most relevant question is one of timing: when to disclose. The goal of a governmental review process is to set out the parameters of that decision-making process, including who decides, on what criteria, and with what oversight.
Last year the White House released its Vulnerabilities Equities Process, which provides some increased transparency around this process in the US. It is high time for us to do the same in Europe, for two reasons.
First of all, without transparency European citizens have less confidence in the integrity of the process that underpins decision making about discovered vulnerabilities. Our system of governance depends on an informed and vigorous dialogue between all relevant stakeholders in order to generate the best ideas for this process.
Secondly, we all share a responsibility to promote resilience in our digital infrastructure, in order to reduce the chance that rogue actors will succeed in future cyber attacks.
So we need to close the loopholes in the law, to make sure the holes in software are closed in the fastest and most responsible way.
On 27 February Marietje Schaake organised a hearing in the European Parliament on software vulnerability disclosure in Europe, with speakers from Airbus, Microsoft, Access Now, Mozilla and SNV. The CEPS Task Force presented its initial findings there.
You can watch the video of the event below.