Computer & Communications Industry Association

Strengthening EU Cybersecurity Through Robust Vulnerability Disclosure Policies

Two of the European Commission's stated objectives in the European Cybersecurity Strategy announced earlier this year are to: 1) increase awareness of citizens and businesses on cybersecurity issues, and 2) increase the overall transparency of cybersecurity assurance of ICT products and services.

One of the most effective ways to accomplish those goals is to improve the relationship between governments and industry with respect to disclosure of vulnerabilities for patching of digital systems.

Governments, because of their roles in obtaining, creating, using, and defending against cybersecurity vulnerabilities, often have more information about these digital weaknesses than the private sector. Disclosing these vulnerabilities to the private sector allows affected companies to patch them quickly and thereby enhance the overall security and privacy of their systems, users, and the wider Internet. For small and medium-sized organizations with limited cybersecurity resources, discovery of vulnerabilities in their systems and services by governments and researchers allows them to patch weaknesses that they would not otherwise have found.

Given the significant benefits to disclosure, it is imperative that governments have robust processes for weighing and coordinating the disclosure of vulnerabilities to the private sector as part of any forward-looking EU-wide plan to respond to cybersecurity threats.

The importance of such disclosures has never been more evident. Just this year, vulnerabilities and hacking tools reportedly held and used by the U.S. National Security Agency were leaked and subsequently employed in the WannaCry ransomware attacks on a number of critical and vulnerable sectors in countries around the world. Microsoft had issued a patch for the underlying SMB vulnerability roughly two months before the attack, yet many organizations had not yet deployed it; if the vulnerability had been disclosed and patched sooner, more systems would have been protected in time and much harm to individuals could have been avoided.

In the United States, the conversation about vulnerability disclosure is centered on the structure and formality of the Vulnerabilities Equities Process (VEP). The VEP is the interagency system through which the U.S. federal government decides whether, when, and how it should disclose to the private sector the cybersecurity vulnerabilities and exploits it holds. The existing process is merely a policy directive, rather than an executive order or legislative mandate. Little is known about how the various equities of government stakeholders are assessed, beyond a set of criteria meant to balance the public's "need to know" against the government's interest in keeping the information secret for operational use.

Important legislation to codify and improve the VEP has been introduced in the U.S. Congress, and the Trump Administration is conducting an internal reevaluation of the existing process and its priorities. This is to say that the long-needed conversation over vulnerability disclosure is well underway in the U.S.

Yet the same cannot be said for the EU, where robust vulnerability disclosure policies are just as important. Many Member States presently do not have internal processes for assessing vulnerabilities that they discover in order to decide whether to disclose them to the relevant companies for patching or to withhold them for operational purposes. This is not tenable given the importance of patching vulnerabilities for overall cybersecurity and the cross-border nature of cybersecurity threats. Information sharing between governments and the private sector is essential for effective responses to cyberattacks in dynamic threat environments, and that information should include the vulnerabilities that governments hold.

The same principles that inform the U.S. debate on the VEP are relevant in EU Member States, including formality, transparency, and accountability. The European Commission and ENISA can aid Member States in developing harmonized, consistent processes for vulnerability disclosure across the EU. This is essential to support a unified and robust approach to cybersecurity across Europe, which is necessary to respond to borderless threat actors and attack vectors.
