Hi Jan
I don't think it's sensible to demand that information about
unmitigated vulnerabilities be classified SECRET and not shared.
We've been saying for some years that it's wrong for the national
security establishment to hoard this information. If a vulnerability
gets disclosed in a car, for example, it will have to be shared with
the vehicle OEM and with the maintainer of the affected subsystem. The
information about breaches and exploits may have to be shared with
insurers and the local traffic police.
Sure, the US system privileges CERT and the NSA has an inside track on
that. Sure, that gives them some zero-days, and maybe ENISA or Europol
wants to catch up. But CERT also provides the infrastructure for
coordinated disclosure, for example when a new vulnerability in a
shared resource like Linux affects dozens to thousands of firms. See
for example
https://arxiv.org/abs/2209.10717
It's also counterproductive to say that firms should be able to
withhold disclosure from government agencies. The big role played by
the state in the coordinated disclosure ecosystem is in providing a
liability shield for researchers. If I disclose a vuln to Barclays
Bank, I get a nastygram from their lawyers, and it costs me money to
apologise and promise to keep it quiet forever. But if I disclose it
to the European Central Bank, they then disclose it to Visa who
disclose it to Barclays, which does not dare to complain. Similarly,
if I find a vuln in Volkswagen I'm going to tell TUV first, and if I
find a vuln in iOS I'll tell CERT plus perhaps Citizen Lab as they
will see to it that Apple actually fixes it.
I think this letter needs a radical rewrite.
Regards
Ross
On 06/06/2023, Jan Penfrat (EDRi) <jan.penfrat(a)edri.org> wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I
assume), one problem still persists: the EP wants to compel
manufacturers of connected devices to notify the EU's Agency for
Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctioned hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA
<https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem
and would like to kindly ask you to *co-sign it individually if you can
_by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Thanks a lot!
Jan
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org> | Mastodon
<https://eupolicy.social/@ilumium> | PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>