EU urged to reconsider Cyber Resilience Act’s bug reporting within 24 hours

A diverse coalition of cyber notables, including top security pros and researchers from ESET, Rapid7, the Electronic Frontier Foundation, and Google’s Vint Cerf, has taken the European Union (EU) to task over a proposal that would require software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of learning that they are being exploited.

In an open letter to the EU, 56 cybersecurity leaders said the one-day vulnerability reporting requirement proposed under the Cyber Resilience Act (CRA) would give dozens of government agencies access to a real-time database of software with unmitigated vulnerabilities, with no means of protecting that software, since no fix would yet exist.

They said such a database would be a tempting target for malicious actors, could be misused by the agencies themselves for intelligence purposes, and would have a chilling effect on good-faith security researchers.

“Disclosing vulnerabilities prematurely may interfere with the coordination and collaboration between software publishers and security researchers, who often need more time to verify, test, and patch vulnerabilities before making them public,” said the open letter.

Industry pros split on Cyber Resilience Act

While most of the security researchers SC Media contacted agreed with the open letter, some viewed the CRA more favorably, albeit for different reasons.

“The act is a positive step forward,” said John Gunn, chief executive officer at Token. “The arguments against it are outdated and predicated on two faulty assumptions: that cyber criminals are not already discovering and sharing information about vulnerabilities at an increasing rate, and that organizations are content being exposed to risk without their knowledge or consent when they otherwise could have taken the impacted device or service offline.”

Kate Kuehn, chief trust officer at Aon Cyber Solutions, who has been very much involved in regulatory affairs in the United States, said the open letter was a step in the right direction.

“I think it’s actually not a concern, I think it’s a good thing,” said Kuehn. “We should see more adoption of this kind of behavior in the U.S. There’s a lot of grumbling going on about our disclosures, but there hasn’t been, to the point of this open letter, what the community wants the standards to be.”

To Kuehn’s point, the writers of the open letter outline several specific changes they want the EU to make, including:

  • Agencies should be explicitly prohibited from using or sharing vulnerabilities disclosed under the CRA for intelligence, surveillance, or offensive purposes.
  • Reporting to agencies should be required only for mitigatable vulnerabilities, and only within 72 hours of an effective mitigation (a patch) becoming publicly available. Reports could include the date the manufacturer first discovered the vulnerability.
  • The CRA should not require reporting of vulnerabilities that are exploited through good-faith security research. In contrast to malicious exploitation of a vulnerability, good-faith security research does not pose a security threat.

Why U.S. companies should pay attention

Callie Guenther, senior manager, cyber threat research at Critical Start, said the development is of paramount importance to U.S. companies. Guenther said many American corporations operate on a global scale, and regulatory shifts in the EU could influence their global operations.

“The ripple effect of the EU's regulatory decisions, as evidenced by the GDPR's influence on the CPRA and other U.S. privacy laws, suggests that European decisions could presage similar regulatory considerations in the U.S.," said Guenther. “Furthermore, any vulnerability disclosed in haste due to EU regulations doesn't confine its risks to Europe. U.S. systems employing the same software would also be exposed. In essence, while the CRA's aim to safeguard consumers and enterprises from cyber threats is commendable, its current trajectory might have some unintended repercussions.”

When asked whether regulations like the CRA, with very strict vulnerability disclosure timelines, will make their way to the United States, Token’s Gunn said he expected just a few liberal states to follow suit, as happened with GDPR.

“But don't expect anything on a national level,” said Gunn. “Our regulatory process in the U.S. is far more influenced and constrained by businesses than that in the EU.”

Proposed in September 2022, the EU's CRA aims to impose mandatory cybersecurity requirements on products with digital elements. While it was expected to take effect next year, this open letter and the many other criticisms voiced by open source groups could slow its enactment.
