Mandates for extensive vulnerability reporting undermine cybersecurity

Strategic Insight 031/2023

Nick Ashton-Hart

23 November 2023


The Cybersecurity Tech Accord, a coalition of more than 150 companies worldwide dedicated to improving global cybersecurity, welcomes regulatory efforts to improve cybersecurity, but has significant concerns with recent proposals for the reporting or public disclosure of unpatched vulnerabilities in IT products. While there are reasonable concerns surrounding these vulnerabilities, policymakers should consider how regulatory efforts are likely to impact overall risk.

In both the EU’s Cyber Resilience Act and the United States’ Federal Information Security Modernization Act 2023, provisions mandating the reporting of unpatched vulnerabilities to government agencies will expand the number of individuals aware of them, thereby undermining product security. As an industry coalition, the Cybersecurity Tech Accord strongly recommends that governments reconsider such provisions based on existing best practices for vulnerability management.

To improve vulnerability management and thereby reduce risk, the Cybersecurity Tech Accord encourages policymakers to consider policies that either encourage secure software development practices or which expedite the mitigation of vulnerabilities in a risk-based manner. To this end, the industry coalition has long promoted vendors adopting Coordinated Vulnerability Disclosure (CVD) policies. These are policies which proactively outline how a company will receive notifications about potential vulnerabilities in their products, coordinate necessary information sharing, and then responsibly disclose information about vulnerabilities and their mitigations to different stakeholders. CVD is a well-established industry best practice, reflected in ISO and NIST standards, among others, which would be undermined by overzealous vulnerability reporting requirements.

Cybersecurity Tech Accord signatories understand that governments have well-founded concerns surrounding vulnerabilities in IT products, especially those supporting critical infrastructure, thus driving a desire to know more about potential risk. While the notion of reporting vulnerabilities to keep government agencies better informed sounds attractive, inevitably the more widely information is shared the more likely it is to leak, despite the best intentions of responsible recipients. There are many historical examples of secure systems that were compromised, leading to confidential information being disclosed and taken advantage of by the unscrupulous. This notably includes a 2013 incident in which information on unpatched vulnerabilities held by the US National Security Agency was stolen by a hacker group known as the Shadow Brokers and subsequently used in cyber attacks resulting in billions of dollars of damage worldwide.

Responsibly mitigating vulnerabilities

IT vulnerabilities generally refer to errors in code which can be used by malicious actors to gain illicit access to a system. Reducing the overall number of security vulnerabilities in IT products should be a top priority for industry and regulators alike. This can be accomplished either through more secure software development practices to limit vulnerabilities in the first place or via patching vulnerabilities in products when they are discovered. Consistent with our first principle, namely a commitment to support strong defence for our customers, the Cybersecurity Tech Accord is a strong proponent of companies utilising a secure development lifecycle to minimise the impact of security vulnerabilities.

Unfortunately, even the most responsible engineering practices will not eliminate every vulnerability beyond an irreducible minimum – errors will still occur. Vulnerabilities are generally uncovered by the company responsible for the product, other stakeholders in the supply chain, or independent security researchers who responsibly disclose them to the vendor for patching. In each scenario, there must be processes in place for triaging discovered vulnerabilities. It is important that policymakers consider how requirements for reporting vulnerabilities would impact such processes. When a security vulnerability is discovered, the goal must be to limit the risk exposure of individuals or business users – who should be appropriately informed – and to ensure that a solution is developed expeditiously through a risk-based approach.

Not all vulnerabilities in IT products are alike – some may pose no risk at all while others might present a serious threat. Some may be simpler to fix while others take more time – this is why vendors need discretion regarding patching on a case-by-case basis in order to prioritise the most pressing vulnerabilities. Regardless of the relative severity of a vulnerability, however, a key element is ensuring that the number of individuals and organisations which know about a product vulnerability remains small until it is fixed, for the reasons articulated above. Even within the vendor itself, knowledge of vulnerabilities should be restricted, consistent with the principle of least privilege. Every additional person and every additional information store represents a new potential point of failure, amplifying risk.

Mandated disclosure dramatically increases cyber risk

Regulations that require reporting of IT vulnerabilities to government agencies, or public disclosure, before a patch is developed or before the vulnerability is known to be actively exploited, introduce significantly more risk. Enlarging the circle of people who know about a vulnerability increases the likelihood that it will be discovered by malicious actors before a solution is available. Government agencies are generally not in a position to develop a patch or otherwise triage a known vulnerability, so reporting requirements only serve to aggravate risk and complicate the security situation by introducing more variables. This increases the potential for inadvertent unauthorised disclosure for the reasons previously articulated. Moreover, vendors do not operate with limitless resources, and such regulations will require time and attention to be spent on reporting mechanisms at precisely the time when focus should be squarely on remediation of the problem.

None of this precludes the timely and safe private sharing of vulnerabilities – even before a fix is available – between trusted stakeholders in the private and public sectors who can help to mitigate the vulnerability (where immediate public sharing is not appropriate to allow for the necessary remediation to be planned and implemented).

However, there are several discrete ways in which extensive vulnerability reporting requirements will undermine security. First, the leaking of vulnerability information. Reporting a known vulnerability to a government authority (or multiple uncoordinated authorities) before a patch is available will immediately expand the number of people aware of the vulnerability who may – wittingly or not – share that information. This consequently allows it to be weaponised by a malicious actor before customers can be protected.

Second, proliferation of reporting requirements. While many may feel confident that their government is equipped to responsibly handle knowledge around unpatched vulnerabilities without risk of leaking, adopting such regulations in one market encourages others to follow that may be less capable. Third, government abuse is a concern. While governments play an important role in supporting cyber defences, they are also some of the most advanced threat actors with possible interest in weaponising reported vulnerabilities to combat criminals or target adversaries. Some governments have even adopted, or are considering, policies requiring independent security researchers to report vulnerabilities to government agencies before disclosing to vendors for remediation, thus creating further risk of abuse. Fourth, a healthy cybersecurity ecosystem benefits from good faith security researchers who independently discover vulnerabilities and responsibly disclose them to vendors. If companies must report vulnerabilities to governments before they are fixed, security researchers will have less incentive to responsibly disclose such vulnerabilities to vendors.

To conclude, industry should be held accountable for following up on known product vulnerabilities and ensuring patches are developed in a timely fashion. However, requiring rapid reporting of known unpatched vulnerabilities to entities or persons who are not involved in remediation only weakens security. It creates a race-to-the-bottom across markets on reporting requirements. Policymakers should consider other avenues for promoting industry accountability for mitigating vulnerabilities.

Such alternatives might include encouraging companies to adopt CVD policies in keeping with industry best practices, as reflected in the more than 100 CVD policies on the Cybersecurity Tech Accord website. They might also consider what kind of after-action reporting could be required to ensure visibility into when a vulnerability was discovered and how it was remediated. This would allow governments to confirm that responsible practices are implemented, without compromising a vulnerability or distracting attention from issuing a patch.

Nick Ashton-Hart is Head of the Secretariat for the Cybersecurity Tech Accord and APCO Worldwide’s Senior Director for Digital Economy Policy. The Cybersecurity Tech Accord serves as the voice of the tech industry on matters of peace and security online, including cybersecurity and cybercrime policy.

The Azure Forum is a nonpartisan, independent research organisation. In all instances, the Azure Forum retains independence over its research and editorial discretion with respect to outputs, reports, and recommendations. The Azure Forum does not take specific policy positions. Accordingly, all author views should be understood to be solely those of the author(s).

The Azure Forum for Contemporary Security Strategy is Ireland’s first and only independent think tank dedicated to providing recommendations on peace, security and defence. As Ireland’s first national security research institute, the Forum aims to contribute to national and international security analysis and strategic studies for a more peaceful, secure, resilient and prosperous future nationally and globally at a time of emerging global risk.