Today, the Cybersecurity Tech Accord takes a step forward in enhancing cybersecurity best practices by endorsing greater transparency around receiving, handling and communicating about vulnerabilities. In doing so, we echo guidance from the Global Forum on Cyber Expertise (GFCE)’s Global Good Practices on Coordinated Vulnerability Disclosure (CVD).  Launched in 2015 in The Hague, the GFCE is a global platform that aims to strengthen cyber capacity and expertise globally, while upholding the values of an Internet that is free, open, and secure. Today’s endorsement of the GFCE’s CVD good practice for transparency by the Cybersecurity Tech Accord – a group of leading technology companies committed to protect and empower civilians online and to improve the security, stability and resilience of cyberspace – demonstrates our signatories’ commitment to minimizing the harm to society resulting from the malicious exploitation of vulnerabilities. In addition, on an ongoing basis, we also commit to working with the GFCE to achieve greater alignment between the Global Good Practices Guide and best practices for CVD in use by Cybersecurity Tech Accord companies.

Nearly – if not all – organizations and individuals use software today: it runs in products we use every day such as laptops, mobiles, TVs, cars, or even household appliances, but also enables critical infrastructures and services, from public transportation to hospitals, banks, governments, and electricity/water supplies. Any weaknesses in software can enable an attacker to compromise the integrity of these products and services.  In an interconnected world, our ability to manage the risks that can be associated to their use is therefore essential.

Software vulnerabilities have become more prevalent and must be reduced to strengthen cybersecurity: over 14,500 new vulnerabilities were recorded in 2017, compared with just 6,000 the previous year. As vulnerabilities can be maliciously exploited, it is crucial that the affected vendors are informed when they are found, enabling vendors to resolve the issue without exposing users to undue risk.

While the process of disclosing such vulnerabilities can be straightforward, a vast number of different stakeholders are involved (e.g., manufacturers, vendors, reporters, government agencies, IT security providers), adding significant operational and legal complexities. Moreover, stakeholders may have very different motivations to disclose (or not) vulnerabilities: technology companies would want to preserve the integrity and security of their products and services and, ultimately, their reputations; security firms could profit from sharing such information; researchers may want to use vulnerabilities for academic purposes; and, criminals could exploit them.

CVD can significantly contribute to addressing these issues prior to public release. The Cybersecurity Tech Accord signatories strongly believe in CVD and support the idea that this approach should be endorsed by all companies – not just software companies – that develop technology.  While there have been different approaches to CVD, the GFCE has, in our view, developed the most comprehensive guide for good practices.

This guide was published in 2017, building on the efforts of the Dutch, Hungarian, and Romanian governments and industry representatives to establish proven cooperation mechanisms within the cyber security community to effectively find and fix software vulnerabilities. It outlines a set of good practices for all stakeholders involved.  From an industry perspective, it proposes that manufacturers, vendors, and user organizations should:

• Use existing standards and guidelines (e.g. ISO/IEC standards, FIRST’s guidelines, ENISA good practice, OIS framework);
• Implement the required processes to deal with incoming reports, investigate the reported vulnerabilities, and communicate with reporters, being as transparent as practicable about risk-based remediation timelines. This also includes publishing CVD policies on organizations’ websites;
• Allocate adequate resources to implement CVD policies to ensure that organizations have the necessary expertise. This could include running a pilot and starting with a narrow set of in-scope products/services, using a third-party bug bounty platform, and/or consulting with similarly situated organizations that have CVD policies and processes in place;
• Ensure continuous communication with all stakeholders, explicitly stating expectations towards reporters and third-party organizations;
• Agree on timelines on a case-by-case basis, avoiding a ‘one-size-fits-all’ policy and maintaining flexibility in handling various vulnerability discovery cases;
• And provide a clear explanation of pros and cons to the legal counsel, ensuring they have a good understanding of the national legal framework on CVD and the importance and advantages of CVD for an organization. Legal counsel needs to have the right information to give the best legal advice.

As a first concrete step, the Cybersecurity Tech Accord’s signatories commit to publish their CVD policies, in line with one of the GFCE’s best practices inviting organizations to be as transparent as possible (links below). In addition, we call on more technology companies to adopt CVD policies and hope to announce further actions to encourage this initiative in the coming months.

CVD policies of the Cybersecurity Tech Accord signatories:

ABB | ARM | ATLASSIAN | AVAST | BITDEFENDER | BT | CA TECHNOLOGIES | CARBON BLACK | CISCO | CLOUDFLARE | CYBER ADAPT | DATASTAX | DELL | DOCUSIGN | ESET | FACEBOOK | FASTLY | FIREEYE | F-SECURE | GIGAMON | GITHUB | GITLAB | GUARDTIME | HP INC | HPE | INTUIT | JUNIPER NETWORKS | KOOLSPAN | KPN | LINKEDIN | MEDIAPRO | MICROSOFT | NIELSEN | NOKIA | ORACLE | RSA | SALESFORCE | SAP | STRIPE | TELEFONICA | TENABLE | TRENDMICRO | VMWARE | WISEKEY

About the Global Forum on Cyber Expertise (GFCE)

The Global Forum on Cyber Expertise (GFCE) is a global platform for countries, international organizations, and private companies to exchange best practices and expertise on cyber capacity building. The aim is to identify successful policies, practices, and ideas and multiply these on a global level. Together with partners from NGOs, the tech community, and academia GFCE members develop practical initiatives to build cyber capacity.

Modern warfare has moved online and the “fifth domain” of cyberspace is today a battlefield in its own right. But in many ways that is where the similarities to other domains end, as cyberweapons and the techniques used to develop and employ them are meaningfully distinct from the conventional weapons of modern warfare.  To create a cyberweapon, governments and sophisticated threat attackers exploit unintentional weaknesses or “vulnerabilities” found in mass-market hardware and software products or services and apply techniques developed to exploit those weaknesses.  The damaging effects of the resulting cyberweapons – especially when mishandled – can extend far beyond an intended target, potentially impacting millions of innocent users around the world.

In a further departure from conventional weaponry, cyberweapons can be recycled easily and indefinitely by third parties.  After being released “into the wild,” cyberweapons can be, wholly or in part, co-opted for ulterior purposes by nation states and cyber-criminals alike, as demonstrated in the WannaCry attack in May 2017 that downed computer systems in 150 countries.  And once in use by cyber-criminals, the security community continues to fight to eradicate a vulnerability for years, possibly for the entire lifecycle of the product, hardware, or service being exploited.

Governments are beginning to consider the risks associated with discovering or acquiring cybersecurity vulnerabilities and the wide-ranging scope of potential impact if they are exploited for use in a cyberweapon.  While there may be national security benefits from acquiring and retaining such vulnerabilities, these benefits must be weighed against the risks that those same vulnerabilities may be used against a government’s own computing infrastructure, all its citizens, and, potentially, interdependent organizations around the world.  The speed and ease with which cyberweapons can be recycled heighten these risks in ways that are incomparable to other domains of conflict and, at a certain point, become unacceptable.  Minimizing risk in developing these capabilities requires governments have deliberative processes in place that include relevant stakeholders, and the potential damage of such capabilities requires that such processes be made public.

At the end of 2017, the US government took a promising step towards greater transparency in this space, when it revised and, more importantly, publicly released significant portions of its Vulnerability Equities Process (VEP).   The VEP details when and how the US government will choose to disclose cyber vulnerabilities it either uncovers or purchases, and work on this process has spanned three years and two administrations. The 2017 update enhanced the transparency of the process, in part by identifying the respective departments and agencies represented on the vulnerability review committee (a mix of intelligence and civilian agencies), the criteria used for determining whether to disclose a vulnerability, and the mechanism for handling disagreements within the committee.  It also calls for annual reports on the program’s performance.

Yet areas for improvement remain, both in the United States and around the world.  The US government approach does not yet share its calculus for assessing the broader economic impact when it discovers or acquires a vulnerability, including not only how it measures direct impacts to consumers but also economic security issues related to the resilience and reliability of the global technology ecosystem.  The U.S. approach also does not seem to include in its analysis the “long tail” of cleanup when a vulnerability is released into the broader public, nor does it yet take into consideration how to address other forces seeking to leverage vulnerabilities at the State or local level, where law enforcement needs may call for the use of a vulnerability as part of an investigation.

While estimates of how many countries have cyber offensive capabilities vary widely, the lowest begin at forty.  The number of VEPs around the world is even more difficult to ascertain, with the United States being one of the few governments willing to openly discuss its process.  While it is rumored that other countries have put similar frameworks in place and that a few more, predominately European, countries are likely to adopt them soon, this remains an opaque area of government action that requires both transparency and input from the private sector companies that will need to mitigate the effects of those exploits in products around the world. This is especially concerning given the growing interest and willingness among various government departments to “hack” their way to accomplishing national security or law enforcement objectives.

To strike an appropriate balance between risks and benefits, governments should optimize investing in defensive rather than offensive technologies and develop policies that clearly define how they acquire, retain, and use vulnerability information. Central to this approach should be a presumption of private disclosure over the retention of vulnerabilities and principles underpinning this process should do the following:

• Presume disclosure as the starting point;
• Clearly consider the impact on the computing ecosystem if the vulnerability is released publicly and the costs associated with cleanup and mitigation;
• Clearly define the process of making a disclosure decision and identify the stakeholders at the departmental level, ensuring that stakeholders represent not only national security and law enforcement but also economic, consumer, and diplomatic interests;
• Make public the criteria used in determining whether to disclose a vulnerability or not. In addition to assessing the relevance of the vulnerability to national security, these criteria should also consider threat and impact, impact on international partners, and commercial concerns;
• Mandate that all government-held vulnerabilities, irrespective of where or how they have been identified, go through an evaluation process leading to a decision to disclose or retain it;
• Prohibit any vulnerability non-disclosure agreements between governments and contractors, resellers, or security researchers and limit any other exceptions, e.g., for sensitive issues;
• Prohibit use of contractors or other third parties as a means of circumventing the disclosure process;
• Ensure any decision to retain a vulnerability is subject to a six-month review;
• Establish oversight through an independent body within the government with an annual public report on the body’s activities;
• Expand funding for defensive vulnerability discovery and research;
• Ensure disclosure procedures are in line with coordinated vulnerability disclosure, an industry best practice; and
• Ensure that any retained vulnerabilities are secure from theft (or loss).

The signatories of the Tech Accord have always believed that protecting the public interest in cyberspace requires robust collaboration between the government and private sectors.  When the government approach to vulnerabilities favors stockpiling over disclosure, this critical collaboration is weakened, and we risk losing the public’s trust in cyberspace.  For technology companies and for technology developers, to be effective partners in protecting users, they must be active participants in the awareness and mitigation of new vulnerabilities.  In particular, it is incumbent upon developers to be transparent about how they receive vulnerability information, to use it in a timely, risk-based manner, and to communicate with affected customers and users about the existence of vulnerabilities and about the availability of mitigations. Finally, having a coordinated vulnerability disclosure policy in place demonstrates companies’ commitment to acting on vulnerability information received and to contributing concretely to the stability of cyberspace.

In May 2018, the European Union’s General Data Protection Regulation (GDPR) officially became law. However, dust on its implementation is far from settled, as companies continue to learn how to navigate the new legal landscape and adapt their business practices accordingly. We are also beginning to realize that the legislation might have certain unexpected consequences. Ironically, some of them may serve to undermine the security of Internet users, rather than protect them. One example is the Internet Corporation for Assigned Names and Numbers (ICANN) and its attempt to ensure compliance of its WHOIS system.

For years, cybercriminals have exploited the domain names system to launch coordinated and automated attacks on a global scale. Attackers often use domain names disguised as major brands to install malware on targeted computers and take control of legitimate servers or websites to cause mass disruption or obtain critical information. Over the past two decades, the global WHOIS directory, has been used by millions of individuals, businesses, organizations and governments, who registered domain names to support a transparent online ecosystem that protects users and customers. The resulting database was searchable, which allowed cyberdefenders to determine the owner of a domain name and IP address, and has provided viable means to obtain the information necessary to identify criminal actors, prevent harm, and protect the online ecosystem.

Since May, ICANN has struggled to come to terms with Europe’s new data protection law. Through an attempt to operate under GDPR, ICANN adopted a temporary resolution in May to ensure a common framework for handling registration information by reducing the quantity and ease of access to WHOIS data. Under the temporary specifications, registrars would collect all of the same data points about their customers yet limit how much of that information is made available through public WHOIS searches. This has not only hampered the ability to identify malicious actors online, but also resulted in divergent approaches by registrars and registries, potentially fragmenting the WHOIS system as a whole in the long run.

In late June, a discussion to develop a framework for an accreditation and access model started the draft of Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data. The Framework proposes a tiered-access model, with prospective users having to apply for accreditation from specific bodies before gaining access to full WHOIS data. This leaves many details including query types undefined with the intent that the ICANN multi-stakeholder community will generate policy to fill the gaps.

Ultimately, the framework falls short on delivering solutions that allow cybersecurity companies to address the increasing number of cyberspace threats. While we welcome the framework as a starting point for the discussion and are delighted that ICANN has turned to the multi-stakeholder community to provide feedback and help develop a sustainable approach in its consultation process, more needs to be done. The Cybersecurity Tech Accord signatories therefore call on ICANN, in the policy position published today,  to expedite the development and implementation of an accreditation model that allows for broad, persistent and frictionless access to WHOIS data for legitimate purposes, such as cybersecurity.

We strongly embrace an individual’s right to privacy outlined under the GDPR, however we also recognize that there is no privacy without strong security. The WHOIS data represents an important tool that our cybersecurity defenders rely upon to help maintain a stable and secure Internet, and we believe access to such data for the purpose of cybersecurity, needs to be maintained. It is therefore critical that a workable accreditation model is developed, and developed quickly.

Today, the Cybersecurity Tech Accord endorses the Mutually Agreed Norms for Routing Security (MANRS), an initiative launched in 2014 by a group of network operators and managed by the Internet Society (ISOC), a non-profit organization promoting the development of an open Internet. The pledge to promote the MANRS initiative and support its ongoing work to help increase the resilience and security of the Internet’s global routing system, is the first public step demonstrating the principles that bind the Cybersecurity Tech Accord signatories.

“This is an important first step for the Cybersecurity Tech Accord. Challenges related to routing security are real and pressing, impacting citizens’ and business interactions online daily. These challenges will only be resolved through the coordinated action and activities of the many divergent parties. The MANRS initiative reflects the values at the core of the Cybersecurity Tech Accord: to identify cybersecurity challenges that we can only address as a collective and act to solve them.” – the Cybersecurity Tech Accord signatories.

The speed and continuity of our communications requires a stable and secure online environment. The reality is that accessing an online website, paying with a credit card, as well as looking for and exchanging information can be delayed at any time by incidents affecting routing infrastructure. In 2017 alone, more than 14,000 routing outages or attacks, such as  hijacking, leaks, or spoofing led to stolen data, lost revenue and reputational damage. One example is the hijacking event from April 2018 affecting the Ethereum cryptocurrency. Connecting to the service (MyEtherWallet), users were faced with an insecure SSL certificate, a broken link in the site’s verification. Clicking through that, they were redirected to a server in Russia, which proceeded to empty their wallet (the attackers appear to have taken $13,000 in Ethereum during two hours before the attack was shut down).

It is therefore clear that much needs to be done to address the very common challenges related to routing security. The MANRS initiative focuses on four actionable measures that can deliver immediate results in the online security environment. They include:

• Filtering, to help combat the propagation of incorrect routing information. This measure aims to ensure the correctness of operator and customer routing announcements to adjacent networks with prefix and AS-path granularity;
• Anti-spoofing, a measure by which network operators implement a system that enables source address validation for at least single-homed stub customer networks, their own-end users and infrastructure. The goal is to prevent packets with an incorrect source IP address from entering and leaving the network;
• Coordination, to ensure that network operators maintain globally accessible up-to-date contact information in common routing databases and coordination with their peers; and
• Global validation, to enable network operators to publish routing data, so others can validate routing information on a global scale.

The Cybersecurity Tech Accord signatories strongly believe that a more robust and secure global routing infrastructure demands shared responsibility and coordinated actions from the community of security-minded organizations. We see the efforts undertaken so far under the MANRS initiative as a fantastic example of different stakeholders coming together and partnering towards a common objective – a more secure environment, benefiting all of us – from users, to governments and the industry. As such, we believe this effort firmly falls under the 4^th principle guiding our efforts – partnering with each other and with likeminded groups to enhance cybersecurity.

Two of our signatories – KPN and Swisscom – already actively participate in the MANRS initiative today, whilst many of our signatories are considering steps to become more involved going forward. As a group, we will promote MANRS itself, as well as raise awareness of the challenges of routing security and encourage actions to address those, in addition to prompting the culture of collective responsibility of the Internet’s global routing system.

Furthermore, we have today established a working group between the Cybersecurity Tech Accord and the MANRS initiative that will investigate how companies beyond network operators and IXPs can contribute to routing security. We hope to announce concrete steps that will help to evolve the initiative and create a framework for technology companies in the coming weeks and months.

About the Internet Society (ISOC)

Founded by Internet pioneers, the Internet Society (ISOC) is a non-profit organization dedicated to ensuring the open development, evolution and use of the Internet. Working through a global community of chapters and members, the Internet Society collaborates with a broad range of groups to promote the technologies that keep the Internet safe and secure, and advocates for policies that enable universal access. The Internet Society is also the organizational home of the Internet Engineering Task Force (IETF).

About the Cybersecurity Tech Accord

The Cybersecurity Tech Accord is a public commitment among 44 global companies to protect and empower civilians online and to improve the security, stability and resilience of cyberspace. Learn more at www.cybertechaccord.org

June 20, 2018 — Today, two months after announcing the Cybersecurity Tech Accord, eleven new companies have joined the watershed agreement to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states. The new signatories include Atlassian, Carbon Black, Cyber adAPT, ESET, Gigamon, GitLab, KoolSpan, KPN, MediaPRO, Salesforce, and WISeKey. These companies oversee important aspects of the world’s communications infrastructure including cloud-based customer relationship management, collaboration tools, telecommunications, endpoint security, datacenter security, and encryption.

Read More

Companies across every layer of internet communication vow to defend against misuse of their technology; promise to protect all customers regardless of nationality, geography or attack motivation.

REDMOND, Wash. — April 17, 2018 — On Tuesday, 34 global technology and security companies signed a Cybersecurity Tech Accord, a watershed agreement among the largest-ever group of companies agreeing to defend all customers everywhere from malicious attacks by cybercriminal enterprises and nation-states. The 34 companies include ABB, Arm, Cisco, Facebook, HP, HPE, Microsoft, Nokia, Oracle, and Trend Micro, and together represent operators of technologies that power the world’s internet communication and information infrastructure.

“The devastating attacks from the past year demonstrate that cybersecurity is not just about what any single company can do but also about what we can all do together.” said Microsoft President Brad Smith. “This tech sector accord will help us take a principled path towards more effective steps to work together and defend customers around the world.”

The companies made commitments in four areas.

Stronger defense
The companies will mount a stronger defense against cyberattacks. As part of this, recognizing that everyone deserves protection, the companies pledged to protect all customers globally regardless of the motivation for attacks online.

No offense
The companies will not help governments launch cyberattacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution.

Capacity building
The companies will do more to empower developers and the people and businesses that use their technology, helping them improve their capacity for protecting themselves. This may include joint work on new security practices and new features the companies can deploy in their individual products and services.

Collective action
The companies will build on existing relationships and together establish new formal and informal partnerships with industry, civil society and security researchers to improve technical collaboration, coordinate vulnerability disclosures, share threats and minimize the potential for malicious code to be introduced into cyberspace.

The companies may have adhered to some or all of these principles prior to the accord, or may have adhered without a public commitment but this agreement represents a public shared commitment to collaborate on cybersecurity efforts. The Tech Accord remains open to consideration of new private sector signatories, large or small and regardless of sector, who are trusted, have high cybersecurity standards and will adhere unreservedly to the Accord’s principles.

“The real world consequences of cyber threats have been repeatedly proven. As an industry, we must band together to fight cybercriminals and stop future attacks from causing even more damage,” said Kevin Simzer, Chief Operating Officer, Trend Micro.

The victims of cyberattacks are businesses and organizations of all sizes, with economic losses expected to reach $8 trillion by 2022.* Recent cyberattacks have caused small businesses to shutter their doors, hospitals to delay surgeries and governments to halt services, among other disruptions and safety risks.

The Tech Accord will help to protect the integrity of the one trillion connected devices we expect to see deployed within the next 20 years,” said Carolyn Herzog, General Counsel, Arm. “It aligns the resources, expertise and thinking of some of the world’s most important technology companies to help to build a trusted foundation for technology users who will benefit immensely from a more security connected world.”

Companies that signed the accord plan to hold their first meeting during the security-focused RSA Conference taking place in San Francisco, and will focus on capacity building and collective action. Future actions may include jointly developed guidelines or broadly deployed features, as well as information sharing and partnering to combat specific threats to make the online world a safer place for people and businesses everywhere — and uphold the promise and benefit technology offers society.

* Losses are cumulative over five year, 2017 – 2022. James Moar; Juniper Research: The Future of Cybercrime & Security: Enterprise Threats & Mitigation 2017-2022 (April 25, 2017); https://www.juniperresearch.com/researchstore/innovation-disruption/cybercrime-security/enterprise-threats-mitigation