The European Union’s Cyber Resilience Act (CRA) could be exploited by governments for intelligence gathering or surveillance, according to a group of cybersecurity experts.
An open letter signed by 50 senior figures from industry and academia urges the EU to reconsider the provisions in Article 11 of the CRA, which govern how software vulnerabilities are reported to authorities.
As currently drafted, Article 11 requires manufacturers to notify government agencies of any actively exploited, unpatched vulnerability within 24 hours of becoming aware of the exploitation. The letter argues that such a requirement would give dozens of government bodies a continuously updated inventory of software with unmitigated vulnerabilities, which could be misused for intelligence purposes or to surveil businesses and individuals.
The signatories note that the CRA places no clear restrictions on the offensive use of vulnerabilities disclosed under it, and that most EU member states lack an oversight process for how such information is handled, leaving room for abuse. Signatories include Ciaran Martin, former head of the UK National Cyber Security Centre; Toomas Hendrik Ilves, former president of Estonia; and Vint Cerf, Google vice president and chief internet evangelist.
Proposed by the European Commission in September 2022, the CRA is intended to set baseline cybersecurity requirements for products with digital elements, including connected devices. The Council of the EU agreed its negotiating position on the proposal in July 2023, and the final text is now being negotiated with the European Parliament.
Security Reservations Expressed Over Article 11
The letter raises further security concerns about Article 11. Chief among them is the risk that the vulnerability data held by governments is itself breached, which would expose the affected companies and their customers. The letter notes that merely knowing a vulnerability exists in a given product is often enough for a skilled actor to rediscover it.
The experts also warn that forcing early disclosure could discourage good-faith researchers, who typically need more time to verify, test and fix a flaw before it is made public.
Finally, the letter argues that the 24-hour deadline may make manufacturers less willing to accept security reports and may deter researchers from disclosing vulnerabilities at all.
Proposition to Rethink Article 11
The experts urge the EU to revisit Article 11 and adopt a risk-based approach to vulnerability disclosure, so as to avoid inadvertently exposing consumers and organisations in Europe and beyond to new cybersecurity threats.
The letter proposes the following changes:
- Prohibit agencies from using or sharing vulnerabilities reported under the CRA for intelligence or surveillance purposes.
- Require reporting only of vulnerabilities that can be mitigated, and only within 72 hours of an effective mitigation (such as a patch) becoming available. Reports could still include the date on which the vulnerability was first discovered.
- Do not require reporting of vulnerabilities found through good-faith security research; such research, by contrast, does not itself constitute a security threat.
- Reference ISO/IEC 29147 in Article 11-1 and make it the standard for all vulnerability disclosures in the EU.
The letter follows an earlier intervention from the open-source community: in April 2023, industry representatives sent an open letter to the EU warning that the CRA could have a chilling effect on software development.