Operationalizing international cybersecurity norms: Vulnerability disclosure policies

Last month, the Cybersecurity Tech Accord joined the United Nations Institute for Disarmament Research (UNIDIR) at an event that explored different approaches to vulnerability disclosure, bringing together government, industry, and civil society representatives. The gathering was organized against the backdrop of the 2015 report of the United Nations Group of Governmental Experts in the field of information and telecommunications in the context of international security, which called on states to “encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure”.

At the event, Cybersecurity Tech Accord signatories Microsoft, Safe PC Cloud, and Panasonic discussed how best to operationalize this international cybersecurity norm, focusing on key concepts at the heart of vulnerability disclosure, such as “risk management” and “zero days.” In addition, panelists highlighted crucial issues related to vulnerability disclosure, including difficulties in identifying the relevant stakeholders involved in the vulnerability disclosure process, as well as the need to challenge preconceived notions about who has responsibilities when it comes to vulnerability handling. On the latter in particular, participants emphasized that, in today’s context, the concept of a “vendor” might well include entities and individuals as varied as car manufacturers, researchers, and even a child who stumbles upon a vulnerability while attempting to cheat parental controls on an Xbox.

The discussion also acknowledged that the technology industry has a core responsibility for securing its systems, both at the development stage of products and services and when identifying and managing any vulnerabilities in those systems. This responsibility is in fact reflected in the Cybersecurity Tech Accord’s first principle: a commitment by signatories to design, develop, and deliver products and services that prioritize security, privacy, integrity, and reliability. This in turn reduces the likelihood, frequency, exploitability, and severity of vulnerabilities in our products and services. In upholding this principle, since 2018 the group has encouraged the adoption of vulnerability disclosure policies throughout the technology industry as a best practice, and has advanced the implementation of such policies among signatories in particular.

As of today, 75 of our signatories have a vulnerability disclosure policy in place, with the objective of seeing the rest of the group follow suit. These signatory policies on vulnerability handling, as well as the relevant contacts, are now easily found in a dedicated section on our website, which will continue to be updated in the coming months as new signatories adopt their own policies. We hope that this centralized resource will serve as an example to the industry more broadly, encouraging other companies to adopt their own vulnerability disclosure policies, and that it will prove a useful tool for security researchers.

The role of governments in driving greater awareness and encouraging the adoption of good practices in this space was also touched on at the UNIDIR event. In particular, attendees emphasized the need to ensure that security researchers are protected from prosecution when they discover and report vulnerabilities. The adoption of vulnerability disclosure policies for government systems, as well as the amplification of mitigation techniques in coordination with vendors, were also suggested as helpful tools to drive greater awareness. Finally, vulnerability equities processes to limit the stockpiling of vulnerabilities, such as those adopted by the UK and US governments, were highlighted as practices for other governments to emulate. In line with the Cybersecurity Tech Accord’s earlier call, it was recommended that these policies (i) presume disclosure as the starting point, (ii) be as transparent as possible, (iii) include stakeholders from economic, consumer, and diplomatic circles, rather than only the national security community, and (iv) apply to all government-held vulnerabilities.

The signatories of the Cybersecurity Tech Accord have always believed that protecting cyberspace requires robust collaboration between government and the private sector. When a government’s approach to vulnerability handling favors stockpiling over disclosure, this critical collaboration is weakened and public trust in cyberspace is jeopardized. Similarly, it is critical that private sector actors act responsibly when notified of vulnerabilities. As the largest coalition of global technology firms dedicated to improving the cybersecurity ecosystem, the commitment to see all signatories adopt vulnerability handling policies is a significant step forward, and the group will continue to contribute to enhancing cybersecurity awareness and promoting cybersecurity best practices globally. In addition to the immediate benefits to our respective users and customers, we also hope that supporting and implementing such policies sets an example for other technology companies around the world seeking to employ responsible best practices to improve security.

The post Operationalizing international cybersecurity norms: Vulnerability disclosure policies appeared first on Cybersecurity Tech Accord.