Virtual lock showing EU Cyber Resilience Act and vulnerability disclosure

EU Cyber Resilience Act Proposal Requires Controversial 24-Hour Vulnerability Disclosure

A collection of about a dozen digital rights organizations, including the EFF and Open Source Initiative, have penned an open letter in opposition to the vulnerability disclosure terms put forward in the EU’s Cyber Resilience Act proposal. Meant to establish strong baseline security standards for “smart” and connected devices, the rights groups feel that open source software should be granted certain exemptions to avoid what they see as an inevitable chilling effect on development due to fears of legal reprisal.

Introduced just over a year ago, the Cyber Resilience Act is still in the process of ping-ponging between the two major EU legislative bodies. Parliament Members from the Committee on Industry, Research and Energy backed the draft Cyber Resilience Act in a July vote, but it is unlikely that any organization will feel its impact for years. If it is eventually codified into law, manufacturers would be given a grace period of two years after adoption to come into compliance under the current terms.

Cyber Resilience Act criticized over requirements for disclosure of unmitigated vulnerabilities

The Cyber Resilience Act attempts to address the persistent problem of smart device security by adding assorted design and disclosure requirements. The key term that open source groups object to is a vulnerability disclosure requirement that would have all manufacturers report to the government within 24 hours of first discovered exploitation. In most cases, this would mean disclosing before the vulnerability has been mitigated.

The digital rights organizations see this as a negative development for device security. Government agencies would end up with large databases full of unmitigated vulnerabilities, something that could either be abused by state intelligence or siphoned off by hackers that might be “living off the land” in an agency network. The development would certainly provide an impetus for hackers to step up their attempts on these agencies, particularly the most state-backed threat groups.

The coalition of rights groups offers several suggestions for modifying the Cyber Resilience Act to address these issues, the first of which is a stipulation that limits the details that organizations have to provide in vulnerability disclosures to those that can’t be used to reconstruct it. The groups are also asking for expanded time in which to mitigate if there has not yet been known user harm or a “substantial incident”; it cites a reasonable standard period of 90 days. They also call for requirements to formally prohibit government agencies from using reported vulnerabilities for offensive purposes, and to have strong safety and sharing requirements put in place.

Vulnerability disclosure policy likely well-intended, but not properly informed

Some activists and security researchers point out that EU politicians, who very often do not have any kind of IT background, may simply be misunderstanding how the process of vulnerability disclosure works and what generally accepted best practices are. The government being in possession of the vulnerability information immediately would do little to nothing to promote patching, but would increase the amount of vectors by which the information might escape or be abused prior to manufacturers being able to complete a good faith effort to issue a patch. The worst case scenario would be a clumsy public notice from the government well ahead of any mitigation measures being developed, which would be a beacon for the world’s malicious hackers to come and take advantage of the flaw.

Privacy and open source software advocates also worry that the Cyber Resilience Act terms could cripple software development, particularly “white hat” security research vital to spotting flaws before they can be exploited by “black hat” actors. Bug bounty programs would be de-incentivized, and even researchers that do work without expectation of compensation would be hampered by more complex reporting processes and greater resistance from organizations.

There is some confusion about the extent to which open source software would be covered by the current Cyber Resilience Act terms. One provision in the bill seems to indicate that not-for-profit open source software would not be subject to the vulnerability disclosure terms, but the definition of “commercial activity” it cites is not entirely clear, leaving room for employees or open source foundations that earn money while contributing to a free project to potentially be subject to the regulation.

Amanda Brock, CEO of OpenUK, expands on this particular concern: “For many years, open source companies and projects have managed legal requirements on expert control by blocking access to their code for download in those countries. Liability will be created for the entity responsible for ‘placing on the market’ as the first provider making a digital product available for distribution or use in the EU market in the course of a commercial activity, whether in return for payment or free of charge. Of course, all open source licences allow for this, so this could easily capture individual developers and not for profits. If the CRA enters into force in its current form, I believe that we can expect to see projects avoiding the liability which sits with this by blocking access to their products from their repos and leaving the bigger commercial entities to be the first to distribute in the EU. This just cannot be a good position for any country that wants to be recognised as a digital hub or force on the world stage.”

George McGregor, VP of Approov, adds that United States developers will also need to be wary should the Cyber Resilience Act proceed in its current form: “These vulnerability requirements, if enforced, will be of critical importance to US companies which operate in the EU.  The EU Cyber Resilience Act makes no distinction about where vulnerabilities are discovered so the obligation will be worldwide in scope. This is clearly understood by the number of US based individuals who have signed the request to modify the CRA in order to remove the requirement to report unpatched vulnerabilities within 24 hours. The letter also requests that vulnerabilities uncovered during testing should not be included in the reporting requirement. With this level of industry reaction, the CRA requirements should certainly be relaxed.”

Some security researchers have taken the opposite position, however, arguing that criminals are already discovering flaws long before vulnerability disclosures can be made and that organizations would likely prefer to be notified as soon as possible so as to have the option of taking impacted systems offline before the attack can spread.