6 Jun
2023
6 Jun
'23
1:29 p.m.
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I
assume), one of the problems that still persists: The EP wants to compel
manufacturers of connected devices to notify the EU's Agency for
Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA
<https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem
and would like to kindly ask you to *co-sign it individually if you can
_by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Thanks a lot!
Jan
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>
6 Jun
6 Jun
2:37 p.m.
New subject: [EDRi-members] [Sign-on] Open letter on vulnerability disclosure in the CRA
Hello dear Jan,
Thank you for spreading the word about it! I was not aware of this!
Homo Digitalis would like to sing!
Many-many thanks for your work!
Best,
Eleftherios
On 6/6/2023 2:29 μ.μ., Jan Penfrat (EDRi) wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I
assume), one of the problems that still persists: The EP wants to
compel manufacturers of connected devices to notify the EU's Agency
for Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the
CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that
problem and would like to kindly ask you to *co-sign it individually
if you can _by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Thanks a lot!
Jan
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>
4:59 p.m.
New subject: [EDRi-members] [Sign-on] Open letter on vulnerability disclosure in the CRA
Dear Jan,
Thank you for drafting this letter. Epicentre.works happily signs.
One addition I would suggest appended to point 5 is something like:
“Good faith security researchers that follow
coordinated vulnerability disclosure standards should be protected from retaliation by the
CRA.”
We have that point in the common position and point 5 of this letter is so close to the
issue, that it makes sense to reiterate it here.
Best,
Thomas
epicenter.works – for digital rights
Thomas Lohninger, Executive Director
E-Mail: thomas.lohninger(a)epicenter.works
Telephone: +43 680 123 86 11 <tel:+436801238611>
Twitter: @socialhack <https://twitter.com/socialhack>
Send an encrypted e-mail using this PGP key:
1B79 2E14 2E31 0E7E 2742 3990 BE16 D613 7FC1 9312
<https://pgp.key-server.io/search/thomas.lohninger@epicenter.works>
On 06.06.2023, at 05:29, Jan Penfrat (EDRi)
<jan.penfrat(a)edri.org> wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I assume), one of the
problems that still persists: The EP wants to compel manufacturers of connected devices to
notify the EU's Agency for Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity> about
details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we believe it's
a bad idea to create government-run databases full of zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA
<https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem and would
like to kindly ask you to co-sign it individually if you can by Monday, 12 June at noon.
Please also let me know should you have any major concerns with the draft letter.
Thanks a lot!
Jan
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org/> | Mastodon
<https://eupolicy.social/@ilumium> | PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc><email-signature-Spring2022.png>
<https://edri.org/take-action/edri-gram/>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>
10:20 p.m.
New subject: [EDRi-members] [Sign-on] Open letter on vulnerability disclosure in the CRA
Hi Jan
I don't think it's sensible to demand that information about
unmitigated vulnerabilities be classified SECRET and not shared.
We've been saying for some years that it's wrong for the national
security establishment to hoard this information. If a vulnerability
gets disclosed in a car, for example, it will have to be shared with
the vehicle OEM and with the maintainer of the affected subsystem. The
information about breaches and exploits may have to be shared with
insurers and the local traffic police.
Sure, the US system privileges CERT and the NSA has an inside track on
that. Sure, that gives them some zero-days, and maybe ENISA or Europol
wants to catch up. But CERT also provides the infrastructure for
coordinated disclosure, for example when a new vulnerability in a
shared resource like Linux affects dozens to thousands of firms. See
for example
https://arxiv.org/abs/2209.10717
It's also counterproductive to say that firms should be able to
withhold disclosure from government agencies. The big role played by
the state in the coordinated disclosure ecosystem is in providing a
liability shield for researchers. If I disclose a vuln to Barclays
Bank, I get a nastygram from their lawyers, and it costs me money to
apologise and promise to keep it quiet forever. But if I disclose it
to the European Central Bank, they then disclose it to Visa who
disclose it to Barclays, which does not dare to complain. Similarly,
if I find a vuln in Volkswagen I'm going to tell TUV first, and if I
find a vuln in iOS I'll tell CERT plus perhaps Citizen Labs as they
will see to it that Apple actually fixes it.
I think this letter needs a radical rewrite.
Regards
Ross
On 06/06/2023, Jan Penfrat (EDRi) <jan.penfrat(a)edri.org> wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I
assume), one of the problems that still persists: The EP wants to compel
manufacturers of connected devices to notify the EU's Agency for
Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA
<https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem
and would like to kindly ask you to *co-sign it individually if you can
_by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Thanks a lot!
Jan
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>
12 Jun
12 Jun
9:39 a.m.
New subject: [EDRi-members] [Sign-on] Open letter on vulnerability disclosure in the CRA
Hi Ross,
Thanks a lot for your input. I have no issues removing the "classified"
requirement, your paper is very helpful in this regard.
That is simply removing a sentence though and you also mention that you
think the letter needs "radical rewrite" -- can you elaborate what else
you think should be changed based on EDRi's CRA position and maybe help
change it?
Note: if we want to influence the negotiations, we would need to send
the letter tomorrow or Wednesday the very latest.
Thanks again!
Jan
On 06/06/2023 22:20, Ross Anderson wrote:
Hi Jan
I don't think it's sensible to demand that information about
unmitigated vulnerabilities be classified SECRET and not shared.
We've been saying for some years that it's wrong for the national
security establishment to hoard this information. If a vulnerability
gets disclosed in a car, for example, it will have to be shared with
the vehicle OEM and with the maintainer of the affected subsystem. The
information about breaches and exploits may have to be shared with
insurers and the local traffic police.
Sure, the US system privileges CERT and the NSA has an inside track on
that. Sure, that gives them some zero-days, and maybe ENISA or Europol
wants to catch up. But CERT also provides the infrastructure for
coordinated disclosure, for example when a new vulnerability in a
shared resource like Linux affects dozens to thousands of firms. See
for example
https://arxiv.org/abs/2209.10717
It's also counterproductive to say that firms should be able to
withhold disclosure from government agencies. The big role played by
the state in the coordinated disclosure ecosystem is in providing a
liability shield for researchers. If I disclose a vuln to Barclays
Bank, I get a nastygram from their lawyers, and it costs me money to
apologise and promise to keep it quiet forever. But if I disclose it
to the European Central Bank, they then disclose it to Visa who
disclose it to Barclays, which does not dare to complain. Similarly,
if I find a vuln in Volkswagen I'm going to tell TUV first, and if I
find a vuln in iOS I'll tell CERT plus perhaps Citizen Labs as they
will see to it that Apple actually fixes it.
I think this letter needs a radical rewrite.
Regards
Ross
On 06/06/2023, Jan Penfrat (EDRi)<jan.penfrat(a)edri.org> wrote:
> Dear EDRis,
>
> Thank you for allowing me to cross-post this so everyone has seen it:
>
> While the overall work on the Cyber Resilience Act
>
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
>
> is going rather well (as compared to other legislative dossiers I
> assume), one of the problems that still persists: The EP wants to compel
> manufacturers of connected devices to notify the EU's Agency for
> Cybersecurity ENISA
> <https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
> about details of unpatched security vulnerabilities.
>
> Given EU member states' track record of state-sanctions hacking, we
> believe it's a bad idea to create government-run databases full of
> zero-day exploits.
>
> I have therefore drafted an open letter to lawmakers working on the CRA
> <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem
> and would like to kindly ask you to *co-sign it individually if you can
> _by Monday, 12 June at noon_*.
>
> Please also let me know should you have any major concerns with the
> draft letter.
>
> Thanks a lot!
>
> Jan
>
> --
>
> JAN PENFRAT
> SENIOR POLICY ADVISOR
>
> EUROPEAN DIGITAL RIGHTS
> Rue Belliard 12, B-1040 Brussels
> Matrix: @jan:penfrat.net
> Phone: +32 2 274 25 76
>
> www.edri.org <https://www.edri.org>| Mastodon
> <https://eupolicy.social/@ilumium>| PGP
> <https://edri.org/files/pgp-keys/janpenfrat.asc>
>
> Subscribe to the EDRi-gram to become a digital rights connoisseur!
> <https://edri.org/take-action/edri-gram/>
>
> Subscribe to the EDRi-gram.<https://edri.org/take-action/edri-gram/>
>
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>
7 Jun
7 Jun
12:55 p.m.
On 06-06-2023 13:29, Jan Penfrat (EDRi) wrote:
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I assume), one of the
problems that still persists: The EP wants to compel manufacturers of connected devices to
notify the EU's Agency for Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity> about
details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the CRA
<https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that problem
and would like to kindly ask you to *co-sign it individually if you can
_by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Hi Jan,
I would add a 6th requirement:
Provide for transparency and require publication of vulnerabilities
shared with ENISA within six months upon receipt by ENISA.
Regards,
Walter
12 Jun
12 Jun
4:04 p.m.
Hi Walter,
Thanks for proposing this and sorry I only can write back now due to
some off-time last week.
In our position paper we point at a typical disclosure period of 90
days, so maybe we can try keeping the letter text compatible with that?
Also, looking at Ross' comments on the members list it seems that the
disclosure issue is more contentious than expected. If possible I would
therefore suggest not add a new requirements this time and stay close to
the EDRi position, would that be OK?
The current wording is "3. Provide time to mitigate. In the absence of
user harm or a substantial incident, organisations should have a
reasonable time to remediate or address the vulnerability before
requiring disclosure to governments. A typical standard period for the
mitigation of known vulnerabilities is 90 days."
Would Vrijschrift be interested in co-signing?
Thanks a lot!
Jan
On 07/06/2023 12:55, Walter van Holst wrote:
On 06-06-2023 13:29, Jan Penfrat (EDRi) wrote:
--
JAN PENFRAT
SENIOR POLICY ADVISOR
EUROPEAN DIGITAL RIGHTS
Rue Belliard 12, B-1040 Brussels
Matrix: @jan:penfrat.net
Phone: +32 2 274 25 76
www.edri.org <https://www.edri.org>| Mastodon
<https://eupolicy.social/@ilumium>| PGP
<https://edri.org/files/pgp-keys/janpenfrat.asc>
Subscribe to the EDRi-gram to become a digital rights connoisseur!
<https://edri.org/take-action/edri-gram/>
Subscribe to the EDRi-gram. <https://edri.org/take-action/edri-gram/>
Dear EDRis,
Thank you for allowing me to cross-post this so everyone has seen it:
While the overall work on the Cyber Resilience Act
<https://edri.org/our-work/the-cyber-resilience-act-how-to-make-europe-more-digitally-resilient/>
is going rather well (as compared to other legislative dossiers I
assume), one of the problems that still persists: The EP wants to
compel manufacturers of connected devices to notify the EU's Agency
for Cybersecurity ENISA
<https://en.wikipedia.org/wiki/European_Union_Agency_for_Cybersecurity>
about details of unpatched security vulnerabilities.
Given EU member states' track record of state-sanctions hacking, we
believe it's a bad idea to create government-run databases full of
zero-day exploits.
I have therefore drafted an open letter to lawmakers working on the
CRA <https://cloud.edri.org/index.php/s/aK6BJD2DpTs2JkF> to fix that
problem and would like to kindly ask you to *co-sign it individually
if you can _by Monday, 12 June at noon_*.
Please also let me know should you have any major concerns with the
draft letter.
Hi Jan,
I would add a 6th requirement:
Provide for transparency and require publication of vulnerabilities
shared with ENISA within six months upon receipt by ENISA.
Regards,
Walter
_______________________________________________
Edri-cra-discussion mailing list -- edri-cra-discussion(a)mailman.edri.org
To unsubscribe send an email to
edri-cra-discussion-leave(a)mailman.edri.org 
325
days inactive
331
days old
edri-cra-discussion@mailman.edri.org
6 comments
5 participants
participants (5)
-
Eleftherios Chelioudakis -
Jan Penfrat (EDRi) -
Ross Anderson -
Thomas Lohninger -
Walter van Holst