The Cybersecurity Act: strengthening Coordinated Vulnerability Disclosure at the European Level

In March 2019, the EU Parliament adopted the Cybersecurity Act. The EU Cybersecurity Act aims to strengthen the role of the European Agency for Network and Information Security (ENISA) and introduces a common certification framework for ICT products (Hardware, Software and Services).

Before this, in 2018, the European Commission advocated the creation of a network of Cybersecurity expertise centers to reinforce research and the deployment of new capabilities in the European Union.

The European Commission has pushed to invest more than €2 billion to reinforce cybersecurity in the Digital Europe Program along with the H2020 Program, with €63.5 million invested in four pilot projects.

One of the four funded projects is called SPARTA, bringing together 44 partners. As a SPARTA partner, YesWeHack asserts its role in advocating operational Coordinated Vulnerability Disclosure and Crowd-sourced security at the European level.

Since its creation in 2013, YesWeHack has been defending and promoting Coordinated Vulnerability Disclosure.

In March 2018, YesWeHack CEO Guillaume Vassault-Houlière and Romain Lecoeuvre (CTO) contributed to the ground-breaking ​report on Software Vulnerability Disclosure processes in Europe published by CEPS experts including Lorenzo Pupillo, Afonso Ferreira and Gianluca Varisco.

As a result, only the Netherlands, followed closely by France, have a decent national CVD policy. Needless to say, a huge amount of work remains to be done in this field.

CVD policy in Europe
A mapping of the state of play, by country | Source CEPS’ own elaboration.

Back in 2016, France – through its National Cybersecurity Agency of France aka ANSSI – included Vulnerability Disclosure in its revised legislative framework. ( Source > Law for a Digital Republic Article 47 )

Let us take a look at how Coordinated Vulnerability Disclosure (CVD) is incentivized and framed by the EU Cyber Security Act.

· Full version of the EU Cyber Security Act

Firstly, we are struck by the long list of paragraphs preceded by the opening phrase “Whereas“.

However, these introductory paragraphs have no legal value and only serve as a guide for the interpretation of the text.

We have spotted an interesting number of paragraphs in this list.

Paragraph 16: “it is necessary to review ENISA’s mandate, to establish its role in the changed cybersecurity ecosystem and to ensure that it contributes effectively to the Union’s response to cybersecurity challenges” …” as recognized during the evaluation of ENISA, the current mandate is not sufficient.”

Paragraph 17: “It (ENISA) should promote the exchange of best practices between Member States and private stakeholders, offer policy suggestions to the Commission and the Member States, act as a reference point for Union sectoral policy initiatives with regard to cybersecurity matters, and foster operational cooperation, both between Member States and between the Member States and Union institutions, bodies, office and agencies.”

Paragraph 20: “ENISA should actively support national efforts and should proactively contribute to Union efforts while carrying out its tasks in full cooperation with the Union institutions, bodies, offices and agencies and with the Member States, avoiding any duplication of work and promoting synergy. In addition, ENISA should build on input from and cooperation with the private sector as well as other relevant stakeholders.”

These three paragraphs underline the importance of ENISA‘s duty to strengthen cooperation between actors and thus help democratize the Coordinated Vulnerability Disclosure policy, and other policies, as well as its related standards to all Member States.

Paragraph 29: “With a view to stimulating cooperation between the public and private sector and within the private sector, in particular to support the protection of the critical infrastructures, ENISA should support information sharing within and among sectors”.

Paragraph 30: “Coordinated vulnerability disclosure specifies a structured process of cooperation in which vulnerabilities are reported to the owner of the information system, allowing the organization the opportunity to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. The process also provides for coordination between the finder and the organization as regards the publication of those vulnerabilities. Coordinated vulnerability disclosure policies could play an important role in Member States’ efforts to enhance Cybersecurity.”

Paragraph 31: “In that context ENISA should involve the private sector within the framework of Directive (EU) 2016/1148 which lays down the grounds for the voluntary exchange of technical information at the operational level, in the computer security incident response teams network (‘CSIRTs network’) created by that Directive.”

Cooperation between CSIRTs/CERTs, the private sector and researchers is crucial for establishing CVD policies and achieving Member States’ goals of strengthening their Cybersecurity. In this respect, ENISA recently updated its Maturity Evaluation Methodology for CSIRTs (April 09, 2019)

In terms of legal content, the following four articles deal specifically with Coordinated Vulnerability Disclosure (CVD)

  • Article 6(b): Capacity-building

ENISA shall assist Member States and Union institutions, bodies, offices and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis

EU CYBERSECURITY ACT · ARTICLE 6 (b)

ENISA’s role is clear in this field. Although ENISA is not supposed to force Member States to adopt CVD policies, its role is clearly that of a CVD enabler.

  • Article 54(1)(m): Elements of European cybersecurity certification schemes

Rules concerning how previously undetected Cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with.

EU CYBERSECURITY ACT · ARTICLE 54 (1) (m)

The European cybersecurity certification scheme shall comply with mandatory criteria including the above which relates to Coordinated Vulnerability Disclosure.

  • Article 50: Website on European cybersecurity certification schemes

1. ENISA shall maintain a dedicated website providing information on, and publicizing, European cybersecurity certification schemes, European cybersecurity certificates and EU statements of conformity, including information with regard to European cybersecurity certification schemes which are no longer valid, to withdrawn and expired European cybersecurity certificates and EU statements of conformity, and to the repository of links to cybersecurity information provided in accordance with Article 55.

2. Where applicable, the website referred to in paragraph 1 shall also indicate the national cybersecurity certification schemes that have been replaced by a European cybersecurity certification scheme.

EU CYBERSECURITY ACT · ARTICLE 50

This announces that ENISA’s Website would provide real time monitoring and/or index CVD initiatives.

  • Article 55(1)(c): Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes

Contact information of the manufacturer or provider and accepted methods for receiving vulnerability information from end users and security researchers.

EU CYBERSECURITY ACT · ARTICLE 55 (1) (c)

Globally speaking, the new framework requires manufacturers and publishers to provide a – secure – communication channel which allows users and researchers to report vulnerabilities.

Existing projects such as Security.txt and ZeroDisclo.com are likely to be supported and promoted by this new framework.

ENISA is definitely the orchestrator of this Cybersecurity Act and the best players are required to ensure its success: YesWeHack and its community are ready to play their part!