Cybersecurity experts have urged EU policymakers to reconsider a crucial part of the Cyber Resilience Act (CRA), the vulnerability disclosure requirements, in an open letter published on Tuesday (3 October).
The European Commission proposed the CRA in September 2022 to introduce EU cybersecurity requirements such as mandatory security patches and vulnerability handling for connected devices that can collect and share data, known as Internet of Things (IoT) products.
The Act would require organisations to disclose software vulnerabilities to government agencies within 24 hours of exploitation. However, such disclosures would “undermine the security of digital products and the individuals who use them”, the experts argued in the open letter.
“Overall, this is a good piece of legislation to improve European cyber security. But sometimes good intentions make for bad law, and the provision requiring the disclosure of vulnerabilities is an example,” signatory Ciaran Martin, professor and former head of the UK National Cyber Security Centre, told Euractiv.
The letter was sent to the addressed policymakers, Thierry Breton, commissioner for Internal Market, Carme Artigas Brugal, Spanish secretary of state for Digitisation and AI and Nicola Danti, the Parliament’s CRA-rapporteur on Monday.
Vulnerability disclosure requirements
Requirements for vulnerability disclosure, stipulated in the CRA, oblige software manufacturers to disclose “unpatched” vulnerabilities to the authorities within 24 hours of the vulnerability having been discovered.
“In a rush to create cybersecurity policy, EU leaders have fundamentally misunderstood the essential flow of information when fixing vulnerabilities. Governments are not in the best position to create fixes for vulnerabilities themselves, so should not interfere by forcing organisations to tell them about vulnerabilities before affected vendors can create and test patches,” Katie Moussouris, CEO and Founder of Luta Security, told Euractiv.
Government agencies would have access to a real-time software database with unpatched vulnerabilities. Apart from the lack of protection, these databases are tempting for malicious actors and hackers.
This is especially true in supply chain vulnerabilities, where vendors must coordinate among multiple parties to address issues safely, explains Moussouris. She continued that prematurely including governmental authorities in the process would have the opposite effect as intended and make critical infrastructure more vulnerable if governments try to issue warnings before patches are available.
According to the signatories, other risks include the state’s misuse of the databases for surveillance purposes and the researcher’s discouragement from reporting vulnerabilities.
“If passed, it will have a chilling and counterproductive impact on vital cyber security research into flaws in technology,” former UK National Cyber Security Centre head Martin added.
Moussoris recommends that governments should follow the international standards for vulnerability handling processes, as laid out by the International Standardisation Organisation.
“We recommend that the CRA adopt a risk-based approach to vulnerability disclosure, taking into account factors such as the severity of the vulnerability, the availability of mitigations, the potential impact on users, and the likelihood of broader exploitation,” the open letter reads.
In June, other cybersecurity stakeholders raised similar concerns about the disclosure requirements.
“The more this kind of information is spread, the more likely it is to be misused for state intelligence or offensive purposes, or to be inadvertently exposed to adversaries before a mitigation is in place,” reads an open letter signed by 11 digital rights organisations, among them the European Digital Rights Association (EDRi).
A week later, 36 cyber industry players, including DIGITALEUROPE and EuroISPA, the pan-European association of Internet Services Provides Association, published a joint statement, also considering the section on unpatched vulnerabilities as an exposure of products to cyberattacks, thereby undermining cybersecurity efforts.
[Edited by Nathalie Weatherald/Alice Taylor]
Read more with EURACTIV