In September, the Cybersecurity Tech Accord asked governments to do more, and say more, on vulnerability handling. As we noted at the time, the increasing numbers of governments that develop or use offensive cyber capabilities have an obligation to do so responsibly and in keeping with the global, and not only national, public interest. An important signal demonstrating this is the adoption and publication of a process for handling and disclosing vulnerabilities discovered in information and communications technology (ICT) products and services.
When we first published the blog, only a few countries had acknowledged developing a process for reviewing discovered vulnerabilities and evaluating whether to disclose them so they can be fixed or retain them for possible exploitation. Recently, the United Kingdom released such a policy, its vulnerabilities “equities process.” While the mere gesture of transparency would be a positive step forward in a policy area too often shrouded in secrecy, we are also encouraged by many of the particular elements of the initiative.
In our earlier blog, we encouraged governments to embrace several principles in vulnerability handling and disclosure policies, many of which are indeed reflected in the British equities process. Chief among these is a presumption of disclosure. While we know that governments will from time to time make decisions justified by national security concerns to retain discovered vulnerabilities, any such decision should be both time-bound and subject to ongoing risk assessment built around the assumption that the information should be pushed to a vendor capable of fixing or mitigating the security issue as quickly as possible. We are encouraged to see these issues addressed in the recently published UK policy.
Furthermore, the Cybersecurity Tech Accord signatories appreciate the detailed thinking that went into how discovered vulnerabilities are disclosed to vendors. In accordance with international best practice, articulated in the International Organization for Standardization standard on vulnerability disclosure (ISO/IEC 29147), the equities process outlines a “coordinated disclosure approach” and emphasizes that the government will not publicly disclose vulnerabilities before solutions are available to address them, recognizing that vendors need time to develop such solutions. Commitments such as these increase trust and confidence across sectors, facilitating greater dialogue and ultimately improving security outcomes for everyone.
However, while the release of the equities process is indeed a positive step demonstrating leadership and modeling responsible state behavior, opportunities to improve on this first iteration remain. Perhaps most pressing is the need for a greater diversity of stakeholders in the decision-making process outlined in the policy. The individuals charged with deciding whether or not to disclose a vulnerability seem to come almost exclusively from the British intelligence community, with the exception of the Government Communications Headquarters (GCHQ) Equity Board, which “includes representation from other Government agencies and Departments as required.” However, these other representatives are unspecified in the process, leaving a clear need for the express inclusion of stakeholders that more directly reflect the public interest, namely representatives of industry and non-governmental organizations.
Regardless of any areas for improvement that remain, the decision by the British government to publicly release its equities process for handling and disclosing vulnerabilities is an important and commendable step in the right direction, promoting greater transparency and prompting further discussion about how to address cybersecurity challenges. We are hopeful that this kind of action will inspire other nations to follow suit and develop and release similarly minded policies that emphasize the important role governments can and should play in defending the interests of all users of technology products and services.