Cybersecurity researchers in the European Union need legal certainty and consistent standards across its 28 member states if they are to hunt for software vulnerabilities, according to a blue-ribbon commission established by the Center for European Policy Studies.
“What we should avoid is that there are 27 or 28 different [legal] frameworks for coordinated vulnerability disclosure and also that there are different definitions being used — of hacking or vulnerability or disclosure — so that this again creates uncertainty for people working in the field,” said European Parliament member Marietje Schaake, chair of the CEPS Task Force on Software Vulnerability Disclosure.
Only three of 28 member states currently have a policy on responsible disclosure, although 13 are in the stages of developing one, she told a recent roundtable at the European Parliament.
Each member-state has been taking its own approach to vulnerability disclosure, Schaake said, “ranging from sophisticated thinking … to sort of blank pages and a lack of any policy at all.”
The fractured ecosystem is having a chilling effect on vulnerability research, according to task force member Lucie Krahulcova. White hat researchers “can’t be certain they won’t be prosecuted,” she said.
As an example, she cited a case last year where an 18-year-old student was arrested by Hungarian authorities after he found a flaw in the Budapest transit system’s online ticket portal. The flaw allowed users to set any price they wanted for a ticket simply by pressing F12. He reported the flaw to the transit system management, who later accused him of launching a cyberattack against the portal.
The charges were eventually dropped, Krahulcova said, but the case illustrates the fact that “there just isn’t the level of understanding that you need.”
To remedy the situation, the task force is calling for vulnerability disclosure policy to be harmonized across the EU on the basis of two International Standards Organization (ISO) standards: ISO 30111 on vulnerability handling and ISO 29147 on vulnerability disclosure.
“Hopefully we can connect the dots and create a level playing field that’s predictable for everyone in Europe,” said Schaake.
The EU Cybersecurity Act
The European Parliament will vote March 28 on a package of measures — the Cybersecurity Act — proposed last year by the EU Commission. It envisages a new cybersecurity agency for the bloc, expanding the existing European Network and Information Security Agency’s (ENISA) reach and authority. It also envisages a broad-ranging certification scheme for every kind of connected device that mandates patching of known vulnerabilities.
But policy on coordinated vulnerability disclosure is an “afterthought” in the measure as it’s currently written, said Krahulcova, who is an EU policy associate with digital rights advocates Access Now. “It’s kind of sad when a cybersecurity policy framework basically ignores” the issue of disclosure, she said.
“The Commission has been very dismissive of our concerns about [disclosure],” she told CyberScoop, “They brushed us off.”
The CEPS task force includes experts from civil society groups like Access Now and the Center for Democracy and Technology; large tech companies like Microsoft, SAP and Mozilla; and European institutions like the European Parliament and the EU Commission.
Due to report in April, the task force hurriedly issued an interim report so that its recommendations could be considered in the run up to the crucial parliamentary vote, Lorenzo Pupillo, head of the CEPS cybersecurity initiative, and the task force coordinator, told CyberScoop.
The report recommends that ENISA’s expanded role includes running a web portal where vulnerabilities can be reported. There is also a recommendation to work with software manufacturers, security researchers and other stakeholders to ensure responsible and coordinated disclosure of newly discovered security flaws.
It also recommends that ENISA, if expanded, be mandated to produce EU-wide guidelines for responsible disclosure. The guidelines would include training for officials and private sector executives on how to create a responsible disclosure program.
Pupillo said the task force is also pulling for the creation of a legal safe harbor for white hat hackers if they engage in responsible disclosure.
He referred to July 2017 Justice Department policy memo outlines how companies and other organizations should design vulnerability disclosure programs so as to minimize the chances that white hats might fall afoul of the Computer Fraud and Abuse Act.
“The decision to prosecute [hacking crimes in the Netherlands] is based on intent,” said Krahulcova, adding that this “creates the legal clarity” vulnerability researchers need.
Krahulcova said she was “pretty optimistic” that through the measure or some other mechanism, the EU could get on the right page for vulnerability disclosure.
“There’s really no downside for the governments,” she said. “I haven’t seen or heard any pushback.”
Government vulnerability disclosure
A separate section of the report deals with the way EU governments handle vulnerabilities that their security agencies find.
“From one side, we look at coordinated vulnerability disclosure; from the other side, we look at government vulnerability disclosure,” said Pupillo.
“We know that [European] intelligence agencies have been stockpiling vulnerabilities” to use in hacking operations, said Schaake. She added that there was no public visibility and often little supervision on these operations.
“At the moment there’s often a lack of oversight … intelligence agencies can roughly decide for themselves [whether or not to disclose a newly discovered vulnerability] without proper accountability,” she added.
“We [in Europe] have learned a lot from our American counterparts.”
Schaake cited the release last year of an updated Vulnerabilities Equities Process — the policy machinery by which U.S. agencies decide whether to disclose vulnerabilities or secretly retain them for use in espionage or law enforcement operations. Officials say it is tilted towards a presumption of disclosure.
“Hopefully we can follow suit here in the EU,” said Schaake. But, acknowledging the EU’s limits in matters of intelligence and security, the key policy recommendations about GVD are aimed at national governments, not EU institutions.
Britain and the Netherlands both have equivalent processes to the VEP and “Germany is well on their way” to developing one, Venable attorney Ari Schwartz told CyberScoop. Schwartz, who helped develop the first iteration of the U.S. VEP, briefed the task force this month.
He said that the policies the U.S. implemented after the Edward Snowden mega-leak revealed the extent of NSA hacking and created a model that transparency advocates in Europe could point to.
The U.S. is “much more transparent” about its intelligence agencies than most European nations, said Schwartz. “That work we did post-Snowden put pressure on the European agencies … to some extent it helped push this work forward.”
Schwartz added that because the supranational EU institutions like the European Parliament and the European Commission have no authority over national intelligence and security agencies in the 28-member bloc, pushing the same U.S. model would be challenging.
And even though the EU does have some authority over law enforcement through the so-called Third Pillar, the task force decided that national governments were the right place to try to get government-focused vulnerability disclosure policies implemented.
“It’s a better mechanism for each government to have a policy,” said task force member Krahulcova, “because that can deal with the full range of agencies [intelligence, security and law enforcement] in that country,” rather than an EU-wide policy that only covered police agencies.
In the meantime, the report calls for the European Commission or ENISA to conduct a study of how member states handle GVD. “Probably the member states would not talk to us, or to any other think tank, in detail about this issue,” said Pupillo.