The European Commission recently released its new European Cybersecurity Strategy, which includes both a report and a legislative proposal. This new strategy comes four years after the Commission published its first cybersecurity strategy and a year after the first EU-wide legislation on cybersecurity, the Directive on Security of Network and Information Systems (NIS Directive), came into force. While much of the strategy focuses on creating a unified framework for cybersecurity standards and on the important work of upleveling the European Union Agency for Network and Information Security (ENISA) into a permanent “European Cybersecurity Agency,” the Commission’s strategy gives little attention to the critical topic of government vulnerability disclosure.
The Commission’s strategy emphasizes the need for stronger defenses to mitigate the increasing number of cybersecurity threats. Given that many attacks today have cross-border effects and can disrupt essential services across the EU, the Commission argues that “this requires effective EU level response and crisis management”.
Essential to building stronger defenses against the nearly daily barrage of cybersecurity attacks, hacks, and breaches is ensuring that governments have better systems in place for reviewing and coordinating the disclosure of the vulnerabilities they learn about. We need only look at the recent WannaCry ransomware, for example, to see the power of a single vulnerability to significantly affect hospitals, businesses, government agencies, and individual users. Complicating the question of government responsibility further, the exploit at the heart of WannaCry was reportedly first developed by the U.S. National Security Agency (NSA).
Mozilla has long called for governments to codify and improve their policies and processes for handling vulnerability disclosure, including speaking out strongly in favor of the Protecting Our Ability to Counter Hacking Act (PATCH Act) in the United States. Mozilla also recently joined the Centre for European Policy Studies’ Software Vulnerability Task Force, a multistakeholder effort dedicated to advancing thinking on this important topic, including mapping current practices and developing a model for vulnerability disclosure.
Governments often have unique insight into vulnerabilities: they typically obtain them through their own research and development, by purchasing them, through intelligence work, or from reports by third parties. Ensuring that governments have strong policies for reviewing and coordinating the disclosure of those vulnerabilities is therefore a critical norm that should be advanced within the EU. Yet it appears that most Member States currently lack a process for reviewing the vulnerabilities they learn about in order to decide whether to share them with the affected companies (allowing those companies to patch) or to withhold them for operational purposes.
Disclosing these vulnerabilities to affected companies allows companies to:
- patch them quickly;
- increase the security, privacy, and safety of their systems and users;
- reduce conflict and improve trust between companies and government; and,
- especially for companies with limited cybersecurity resources, benefit from external discovery of vulnerabilities in their products and systems that they might not otherwise have the resources to find.
Recognizing the key role that vulnerabilities play in cybersecurity, the NIS Directive aimed to facilitate information sharing from companies to governments. However, this was never supposed to be a one-way street. We must also put robust, accountable, and transparent systems in place so that governments share information about vulnerabilities back out to the affected companies.
This new European Cybersecurity Strategy and its corresponding proposed regulation offer a unique opportunity to advance the norm that Member States should have robust, accountable, and transparent vulnerability disclosure processes, thereby fostering greater cooperation, coordination, and resilience in Europe.
As the Commission notes in its strategy: “in the current context and looking at future scenarios, it appears that to increase collective cyber-resilience, of the Union, individual actions by EU Member States and a fragmented approach to cybersecurity will not be sufficient.”
We believe the European Commission and a newly strengthened ENISA can be powerful players in helping Member States to develop government vulnerability disclosure mechanisms and share best practices. A lot has changed in the world of cybersecurity in the last four years, and it’s clear that now more than ever governments and companies need to work better together if we are to keep Europeans and European infrastructure as secure as possible.