Cyber Mavens Slam Europe's Cyber Resilience ActExperts Warn Vulnerability Disclosure to Government Agencies Increases Hacking Risk
More than four dozen cybersecurity mavens say a proposed European Union mandate for software publishers to inform the trading bloc's cybersecurity agency of zero-day exploits within 24 hours of their discovery risks harming cybersecurity efforts.
In an open letter addressed to the EU Internal Market Commissioner Thierry Breton on Tuesday, 56 cybersecurity experts agreed that the European Union should kill the proposed mandate, a part of the Cyber Resilience Act. The proposal, put forward by the European Commission in 2022, passed a key parliamentary committee in July and was fast-tracked to negotiations between parliamentary backers and representatives of nation-state members in talks mediated by the European Commission.
A section of the proposal requires disclosure within 24 hours of detecting "any actively exploited vulnerability" to the European Union Agency for Cybersecurity, which would forward the notification to a designated national computer security incident response team.
"This means that dozens of government agencies would have access to a real-time database of software with unmitigated vulnerabilities," the letter says. Even disclosures stripped of technical details are "sufficient for a skillful person to reconstruct" the exploit. Signatories include executives from Eset, Rapid7, Bitdefender and Trend Micro. Chris Painter, a former U.S. Department of State cyber coordinator, is a signatory, as is Marietje Schaake, a former member of the European Parliament.
If enacted, the proposal would have several negative consequences, the letter asserts. The database of recently discovered exploits, which may not yet have patches, would become the target of hackers. Secret government databases full of exploits have leaked before, the letter says - an apparent reference to zero-day vulnerabilities held by the U.S. National Security Agency that hackers calling themselves the "Shadow Brokers" published in 2016 and 2017 (see: Mystery Surrounds Breach of NSA-Like Spying Toolset).
Letter signatories also raise the possibility of governments misusing the data for surveillance.
Alex Rice, co-founder and CTO of incident response firm HackerOne and a letter signatory, said the 24-hour vulnerability reporting deadline can lead to premature disclosure.
Companies would be less inclined to accept vulnerability research from outside researchers, signatories say, since each new disclosure would trigger a wave of government notifications. Responsible disclosure of zero-day flaws typically requires more than 24 hours after discovery since patches take time to code and test.
Open-source communities have separately argued the proposal could have "chilling effect" on their operations in Europe. In an April open letter, organizations including the Linux Foundation and Open Forum Europe said the bill would impose untenable obligations on open-source coders.
Following the concerns raised by the open-source communities, lawmakers adopted an amendment to the text excusing open-source developers from complying with the bill, provided they don't receive financial remuneration for their coding.
Letter signatories say that, should European negotiations prefer not to eliminate the disclosure language entirely, they should prohibit European governments from using submitted exploit data for surveillance or offensive purposes. They also call for shifting the reporting burden from 24 hours of discovery to 72 hours of issuing a patch. The Cyber Resilience Act also should not require reporting of vulnerabilities exploited for good faith security research, the signatories say. "In contrast to malicious exploitation of a vulnerability, good faith security research does not pose a security threat."