Workshop on Government Vulnerability Disclosure

22/11/2022

Vulnerabilities in hardware and software products are a gateway for cyber criminals, and state actors should thus be interested in promoting responsible disclosure and timely remediation. However, intelligence and security agencies also exploit vulnerabilities, sometimes holding vulnerabilities back or even actively seeking to acquire them. Thus, the role of state actors within the global vulnerability economy remains ambivalent.

What impact do these contradictions have on global cybersecurity? Where and how do different goals and normative ideas of states clash? How can the role of security researchers be strengthened, and their best practices disseminated? These questions were at the centre of an event by IFSH’s "International Cybersecurity" team in cooperation with the Federal Foreign Office. Security researcher Mehmet Ince first gave an insight into the practical challenges faced daily by the community, followed by expert inputs from Anastasiya Kazakova (Kaspersky), Nick Kelly (Good Faith Cybersecurity Researchers Coalition), and Stewart Scott (Atlantic Council). The event was introduced and moderated by Mischa Hansel (IFSH).

During the discussion, the global character of the issue was emphasised repeatedly, as vulnerabilities are not confined to national borders. Recent nationalisation efforts and trade restrictions on IT imports, such as by the US or Russia, will not change this any time soon. Despite all UN member states having – at least in principle – committed to promoting the responsible disclosure of IT vulnerabilities, the corresponding norms are still too vague in practice and are partly counteracted by geostrategic competition.

In this context, there was intensive discussion about China’s 2021 “Regulations on the Management of Network Product Security Vulnerability” that requires vulnerabilities to be reported to state authorities within 48 hours. As one participant commented, this would contradict the widespread practice of sharing such findings with manufacturers first. Furthermore, depending on how the regulation is enforced, it could stifle transnational security research or cause a further politicisation of vulnerabilities. However, an empirical study by the Atlantic Council showed only modest effects on the number of vulnerability submissions by Chinese researchers, although anonymised reports increased. Whether the "digital trade war" between the USA and China will affect transnational cooperation between security researchers is also yet to be seen, particularly given more recent reports of an increasing exploitation of zero-day vulnerabilities by state-linked actors in China.

Participants agreed that it is illusory to expect substantial and reliable restrictions on the hoarding of vulnerabilities by states, particularly against the background of the current global political constellation. Yet, various confidence-building measures, led for example by regional organisations such as the OSCE, could ease pressures. Similarly, states could explicitly state that vulnerabilities reported to civilian cybersecurity authorities will not be disclosed at all to intelligence services or the military, or at least limited the cases and insist on oversight. While such efforts exist, with the US Vulnerability Equities Process being a prime example, many questions remain unanswered.

Greater international coordination and harmonisation would also be desirable with regard to the legal framework for security researchers. Currently, they are confronted with a patchwork of not always consistent and often even contradictory laws and regulations. Too often, vendors and manufacturers still complicate, or even deter vulnerability disclosures. Worse, many countries still criminalised unauthorised access to computer systems across the board, regardless of the intention.  A greater effort has to be made to draw on already existing policy recommendations, such as for example OECD’s comprehensive catalogue on vulnerability management and their online courses. Another avenue could be the Good Faith Cybersecurity Researchers Coalition, a global multi-stakeholder initiative presented at the event.

The fact that a lot can be achieved through dialogue between researchers and decision-makers has been shown in the past, for example in the context of the Wassenaar Arrangement, said one participant. Thanks to lively consultations with security researchers, there is now consensus that exceptions must exist for the cross-border disclosure of vulnerabilities and research. Some participants emphasised the need for more and not less state intervention in the global market to counter structural imbalances. But to intervene specifically in certain areas, reliable data collection is first needed, as one participant from academia mentioned.

The event ended on the topic of spyware misuse, as well as grey and black markets for vulnerabilities, as often even ready-to-use spyware is excluded from international regulation efforts, resulting in "jurisdiction hopping". And yet, the market does not determine everything, other participants pointed out. Many security researchers are not purely motivated by financial gain, but the desire to improve IT systems. Thus, fostering "safe havens" for such research coupled with more transparent procedures for dealing with vulnerabilities should be a priority.

Speakers:

Mischa Hansel, IFSH ICS
Mehmet Ince, Cybersecurity Researcher
Anastasiya Kazakova, Kaspersky / Vladimir Radunovic, DiploFoundation
Nick Kelly, Cybersecurity Advisors Network (CyAN)
Stewart Scott, Atlantic Council