[Sign-on] Open letter on vulnerability disclosure in the CRA

Dear EDRis,

Thank you for allowing me to cross-post this so everyone has seen it:

While the overall work on the Cyber Resilience Act <https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/> is going rather well (as compared to other legislative dossiers, I assume), one of the problems that still persists: the EP wants to compel manufacturers of connected devices to notify the EU's Agency for Cybersecurity, ENISA <https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>, about details of unpatched security vulnerabilities.

Given EU member states' track record of state-sanctioned hacking, we believe it's a bad idea to create government-run databases full of zero-day exploits.

I have therefore drafted an open letter to lawmakers working on the CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem and would like to kindly ask you to *co-sign it individually if you can _by Monday, 12 June at noon_*.

Please also let me know should you have any major concerns with the draft letter.

Thanks a lot!
Jan

--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org> | Mastodon <https://eupolicy.social/@ilumium> | PGP <https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur! <https://edri.org/take-action/edri-gram/>

Hello dear Jan,

Thank you for spreading the word about it! I was not aware of this! Homo Digitalis would like to sign! Many-many thanks for your work!

Best,
Eleftherios

On 6/6/2023 2:29 p.m., Jan Penfrat (EDRi) wrote:

Dear Jan,

Thank you for drafting this letter. epicenter.works happily signs. One addition I would suggest appended to point 5 is something like:

“Good faith security researchers that follow coordinated vulnerability disclosure standards should be protected from retaliation by the CRA.”

We have that point in the common position, and point 5 of this letter is so close to the issue that it makes sense to reiterate it here.

Best,
Thomas

epicenter.works – for digital rights
Thomas Lohninger, Executive Director
E-Mail: thomas.lohninger@epicenter.works
Telephone: +43 680 123 86 11 <tel:+436801238611>
Twitter: @socialhack <https://twitter.com/socialhack>
Send an encrypted e-mail using this PGP key: 1B79 2E14 2E31 0E7E 2742 3990 BE16 D613 7FC1 9312 <https://pgp.key-server.io/search/thomas.lohninger@epicenter.works>
On 06.06.2023, at 05:29, Jan Penfrat (EDRi) <jan.penfrat@edri.org> wrote:

Hi Jan

I don't think it's sensible to demand that information about unmitigated vulnerabilities be classified SECRET and not shared.

We've been saying for some years that it's wrong for the national security establishment to hoard this information. If a vulnerability gets disclosed in a car, for example, it will have to be shared with the vehicle OEM and with the maintainer of the affected subsystem. The information about breaches and exploits may have to be shared with insurers and the local traffic police.

Sure, the US system privileges CERT and the NSA has an inside track on that. Sure, that gives them some zero-days, and maybe ENISA or Europol wants to catch up. But CERT also provides the infrastructure for coordinated disclosure, for example when a new vulnerability in a shared resource like Linux affects dozens to thousands of firms. See for example https://arxiv.org/abs/2209.10717

It's also counterproductive to say that firms should be able to withhold disclosure from government agencies. The big role played by the state in the coordinated disclosure ecosystem is in providing a liability shield for researchers. If I disclose a vuln to Barclays Bank, I get a nastygram from their lawyers, and it costs me money to apologise and promise to keep it quiet forever. But if I disclose it to the European Central Bank, they then disclose it to Visa, who disclose it to Barclays, which does not dare to complain. Similarly, if I find a vuln in Volkswagen I'm going to tell TUV first, and if I find a vuln in iOS I'll tell CERT plus perhaps Citizen Lab, as they will see to it that Apple actually fixes it.

I think this letter needs a radical rewrite.

Regards
Ross

On 06/06/2023, Jan Penfrat (EDRi) <jan.penfrat@edri.org> wrote:

Hi Ross,

Thanks a lot for your input. I have no issues removing the "classified" requirement; your paper is very helpful in this regard. That is simply removing a sentence though, and you also mention that you think the letter needs a "radical rewrite" -- can you elaborate on what else you think should be changed based on EDRi's CRA position, and maybe help change it?

Note: if we want to influence the negotiations, we would need to send the letter tomorrow or Wednesday at the very latest.

Thanks again!
Jan

On 06/06/2023 22:20, Ross Anderson wrote:

On 06-06-2023 13:29, Jan Penfrat (EDRi) wrote:
Hi Jan,

I would add a 6th requirement:

Provide for transparency and require publication of vulnerabilities shared with ENISA within six months upon receipt by ENISA.

Regards,
Walter

Hi Walter,

Thanks for proposing this, and sorry I can only write back now due to some off-time last week.

In our position paper we point at a typical disclosure period of 90 days, so maybe we can try keeping the letter text compatible with that? Also, looking at Ross' comments on the members list, it seems that the disclosure issue is more contentious than expected. If possible, I would therefore suggest not adding a new requirement this time and staying close to the EDRi position; would that be OK?

The current wording is:

"3. Provide time to mitigate. In the absence of user harm or a substantial incident, organisations should have a reasonable time to remediate or address the vulnerability before requiring disclosure to governments. A typical standard period for the mitigation of known vulnerabilities is 90 days."

Would Vrijschrift be interested in co-signing?

Thanks a lot!
Jan

On 07/06/2023 12:55, Walter van Holst wrote:
_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion@mailman.edri.org
To unsubscribe send an email to edri-cra-discussion-leave@mailman.edri.org