A mixed response on EU’s new vulnerability disclosure rules
Dozens of global cyber security experts have warned that new updates to Article 11 of the EU’s Cyber Resilience Act (CRA) could create unnecessary risks for consumers and businesses.
The CRA is a legal framework that sets out the cybersecurity requirements for hardware and software products placed on the European Union market.
Its objective is to establish common cybersecurity standards for products with digital elements. It tightens the rules for both software and hardware, with the aim of protecting businesses and consumers from products with inadequate security.
However, senior figures from more than 50 organisations, including Google, the Electronic Frontier Foundation and the CyberPeace Institute, have said in an open letter that aspects of the article are ‘counterproductive’ and could create new threats that undermine the security of digital products and the people who use them.
Under Article 11, software publishers would be obligated to report any actively exploited, still-unpatched vulnerability to the EU Agency for Cybersecurity (ENISA) within 24 hours of becoming aware of it. Information about these vulnerabilities would then be shared with the government agencies responsible for security in each EU member state. In effect, this would require software providers to feed their known but unfixed vulnerabilities into a "real-time database" of unpatched flaws, giving agencies visibility into ongoing or potential security problems.
Enhancing transparency and accountability
The initiative is part of the European Union's effort to improve transparency and accountability, speed up the disclosure of vulnerabilities and, above all, safeguard the interests of consumers.
Achi Lewis, Area VP EMEA for Absolute Software, added: “Timely and accurate reporting of vulnerabilities is crucial for organisations, not only to protect their own organisation, but others along the supply chain, as well as alerting software providers to potential issues.
“The current patching landscape is messy, and our Resilience Index research found that there are 14 different versions of Windows 10, for example, being used by enterprise businesses, with over 800 different patches. This is made worse by one in six devices working on an old patch, increasing the cybersecurity risks to the device, and subsequently the organisation.
“IT managers already have a difficult job managing a work-from-anywhere device fleet so ensuring patching is up to date is an important step to bolstering security, and new vulnerability reporting rules as part of the Cyber Resilience Act will support organisations to stop vulnerabilities spreading. These actions will better prepare organisations to prevent cyber incidents, as well as improve response protocols when attacks occur.”
In the open letter, the critics argue that a central repository of unpatched vulnerabilities would itself be an attractive target for threat actors, placing the organisations whose flaws it lists at heightened risk. They also argue that the approach encourages a trend of “rushing the disclosure process”, putting greater pressure on security teams and software providers and potentially leading to flawed patches.
The open letter instead proposes that the mandatory reporting deadline be set at 72 hours after an "effective mitigation" is available, shrinking the window in which a reported but unpatched flaw could be exploited.
******
For more insights into the world of Cyber - check out the latest edition of Cyber Magazine and be sure to follow us on LinkedIn & Twitter.