The Cybersecurity Act: strengthening Coordinated Vulnerability Disclosure at the European Level

In March 2019, the EU Parliament adopted the Cybersecurity Act. The EU Cybersecurity Act aims to strengthen the role of the European Agency for Network and Information Security (ENISA) and introduces a common certification framework for ICT products (Hardware, Software and Services).

Before this, in 2018, the European Commission advocated the creation of a network of Cybersecurity expertise centers to reinforce research and the deployment of new capabilities in the European Union.

The European Commission has pushed to invest more than €2 billion to reinforce cybersecurity in the Digital Europe Program along with the H2020 Program, with €63.5 million invested in four pilot projects.

One of the four funded projects is called SPARTA, bringing together 44 partners. As a SPARTA partner, YesWeHack asserts its role in advocating operational Coordinated Vulnerability Disclosure and Crowd-sourced security at the European level.

Since its creation in 2013, YesWeHack has been defending and promoting Coordinated Vulnerability Disclosure.

In March 2018, YesWeHack CEO Guillaume Vassault-Houlière and Romain Lecoeuvre (CTO) contributed to the ground-breaking ​report on Software Vulnerability Disclosure processes in Europe published by CEPS experts including Lorenzo Pupillo, Afonso Ferreira and Gianluca Varisco.

As a result, only the Netherlands, followed closely by France, have a decent national CVD policy. Needless to say, a huge amount of work remains to be done in this field.

CVD policy in Europe
A mapping of the state of play, by country | Source CEPS’ own elaboration.

Back in 2016, France – through its National Cybersecurity Agency of France aka ANSSI – included Vulnerability Disclosure in its revised legislative framework. ( Source > Law for a Digital Republic Article 47 )

Let us take a look at how Coordinated Vulnerability Disclosure (CVD) is incentivized and framed by the EU Cyber Security Act.

+ Read More

Open Source software audits via Bug Bounties for the EU institutions: digital.security and YesWeHack awarded.

digital.security and YesWeHack are glad to be part of the 3 winners of the tender for Free and Open Source Software Audit (FOSSA OSS-BB). FOSSA OSS-BB’s main goal is to help improve the overall security of the Internet by focusing on free and open source tools used by Citizens and Public entities of European Union.

YesWeHack supports Paris’ call to strengthen cooperation between digital players.

YesWeHack supports the Paris’ Call for Trust and Security in Cyberspace.

With its founding members from the French and European Hacker community, YesWeHack promotes actions to share and transmit knowledge, as well as to strengthen digital sovereignty for the creation and maintenance of trusted environments.

Guided by its founding principles, YesWeHack is dedicated in uniting, cooperating with all digital actors and commit to better securing cyberspace.

Today, YesWeHack makes its CrowdSecurity platform available to all stakeholders who are committed to following the Paris’ Call. This platform brings together a community, the largest in Europe, made of 5000+ ethical hackers.

In a complex geopolitical context, facing the increasing cyber-threats and economic and political risks, YesWeHack is committed to defending an idea of the trust and security of cyberspace on a daily basis.

Our commitment is to the development of digital technology in order to defend our democracies, our informational assets and therefore the data protection for all citizens in the European Union and elsewhere.

Protecting our democracies is a major challenge in terms of cybersecurity and it is important to propose appropriate solutions to better secure digital tools used by citizens, both on a daily basis and during election periods.

Guillaume Vassault-Houlière, CEO of YesWeHack

***

The Paris Call

***

YesWeHack soutient l’appel de Paris pour renforcer la coopération entre les acteurs du numérique.

YesWeHack soutient l’Appel de Paris pour la confiance et la sécurité dans le cyber-espace.

Fort de ses membres fondateurs issus de la communauté de Hackers français et européens, YesWeHack promeut les actions de partage et de transmission de la connaissance, ainsi que de renforcement de la souveraineté numérique pour la création et le maintien des environnements de confiance.

Guidé par ses principes fondateurs, YesWeHack continue à fédérer, à coopérer avec l’ensemble des acteurs du numérique et à s’engager pour mieux sécuriser le cyber-espace.

Aujourd’hui, YesWeHack met à disposition sa plateforme de CrowdSourced Security à tous les acteurs ayant à cœur de suivre la ligne directrice de l’appel de Paris. Cette plateforme rassemble une communauté, la plus importante d’Europe, de plus de 5000 hackers éthiques.

Dans un contexte géopolitique complexe, face à des cyber-menaces croissantes et aux risques économiques et politiques, YesWeHack s’engage au quotidien pour défendre une idée de la confiance et de la sécurité du cyber-espace.

Notre engagement est du côté d’un développement du numérique soucieux de la défense de nos démocraties, de nos patrimoines informationnels, et donc de la protection des données de tous les citoyens l’Union Européenne et d’ailleurs.

Nos démocraties sont un enjeu fort en matière de cybersécurité et il est important de proposer des solutions adaptées pour mieux sécuriser les outils utilisés par les citoyens et ce, au quotidien et pendant les périodes électorales.

Guillaume Vassault-Houlière, CEO de YesWeHack

***

L’Appel de Paris

***

YesWeHack rejoint l’Alliance pour la Confiance Numérique

Depuis février 2018, YesWeHack est membre de l’ACN (Alliance pour la Confiance Numérique).

Déjà membre de la FNTC, YesWeHack vient grossir les rangs de l’Alliance pour contribuer à la consolidation d’un écosystème industriel en France dont les priorités sont : la sécurité, la souveraineté, la compétitivité et l’influence.

Le hacking éthique est une composante de plus en plus importante du vaste domaine de la confiance numérique dont l’ACN a vocation à assurer la représentation institutionnelle au niveau national et européen. C’est pourquoi nous sommes très heureux qu’un acteur aussi emblématique que YesWeHack se joigne à l’ACN pour participer à l’action collective de notre secteur.

Yoann KASSIANIDES, Délégué Général de l’ACN

YesWeHack oeuvre pour stimuler la coopération entre les divers acteurs de la sécurité. En rejoignant la communauté de l’ACN, YesWeHack participera activement au travail d’identification et de clarification des besoins de la confiance numérique, de promotion de la vision de l’ACN au niveau Européen tout en facilitant la discussion, les échanges avec toutes les communautés et les entreprises de toutes tailles.

Nous sommes fiers de faire partie de l’ACN car nous adhérons complètement aux valeurs de l’Alliance et nous serons force de proposition pour l’aider à mener ses actions concrètes de développement de marchés et de solutions en Europe.

Guillaume Vassault-Houlière CEO de YesWeHack

European Regulation for the Protection of Personal Data and Data Security


By

Eric A. Caprioli, Attorney Admitted to Practice Before Court of Appeals, Juris Doctor, Member of French Delegation to United Nations
&
Isabelle Cantero, Associate (Caprioli & Associés), Lead for Privacy and Personal Data Practice


The European Regulation for the Protection of Personal Data (GDPR) was adopted on April 27, 2016 after 4 years of involved negotiations. Being a directly applicable regulation in each of the Member States (that is, not requiring a national law to implement), it should enable the harmonization of the statutes having to do with the protection of personal data within the European Union and bring the principles of protection into line with the realities of the digital era. It will go into effect on May 25, 2018. For many companies, these new provisions will involve costs related to the investment required to bring their current tools or procedures into compliance with the new rules.

Single Flexible Protective Statute for All EU Member States

The regulation is applicable to every entity in the private and the public sectors. It applies to the issues of Big Data, profiling, Cloud Computing, security of transborder data traffic, data portability when changing service providers… These issues are to be placed alongside the new advance protection principles (privacy by design or by default), analysis-based protection (impact assessment), documented protection (mandatory documentation serving as evidence of statutory compliance), cascading protection (processor liability and the possibility of joint liability), and stronger protection (rights of individuals and consent). And finally, the accountability principle (i. e. the obligation to prove statutory compliance of how personal information is being handled).

As far as stronger protection for the rights of individuals in concerned, consent should be the focus since it should never be implicit or general and it must be provable (documented and traceable) by the controller. Further, in addition to the conventional rights of individuals, such as access, correction/deletion and objection, the GDPR creates new rights (limitation on data processing, portability, etc.).

As for sanctions handed down by the enforcement authority  (CNIL), it should already be noted that they could be as high as EUR 3 million pursuant to the Digital Republic legislation of October 2016 but with GDPR, for violations of obligations set forth in matters of individual rights they could go all the way to 4% of global revenues, or EUR 20 million. For violations of other obligations prescribed by GDPR, the fines could be as high as 2% of global revenue, or EUR 10 million.

And to round off this brief summary of the changes, the current Ombudsperson for IT and Freedoms (optional designation) will be replaced by a Data Protection Officer whose functions will clearly be broader. This designation is mandatory under certain conditions: in a Government body or authority, whenever data processing enables regular and systematic large-scale monitoring of individuals, whenever sensitive or criminal record information is being processed on a large scale, or whenever required by Union or Member State law.

Personal Data Protection Core Security

+ Read More