Responsible management and disclosure of vulnerabilities
The Cybersecurity Tech Accord’s first principle commits its signatories to design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability. In upholding this principle, the group has, from the outset, promoted the adoption of vulnerability disclosure policies by companies throughout the technology industry. In 2019, we went a step further and committed to having every Cybersecurity Tech Accord signatory work towards putting its own vulnerability disclosure policy in place. As the largest coalition of global technology firms dedicated to improving the cybersecurity ecosystem, a commitment by all signatories to adopt policies on vulnerability handling is a significant step forward in its own right, and the group continues to contribute to enhancing cybersecurity awareness and promoting best practices globally.
As of today, over 80 of our signatories have a vulnerability disclosure policy in place, and our objective is to see the rest of the group follow suit. These signatory policies, together with the relevant contacts for reporting, are now easily found in a dedicated section on our website, which will continue to be updated as we add new signatories and as existing ones adopt policies of their own. We hope that this centralized resource not only demonstrates our commitment to this effort, but also serves as an example to the wider industry, encouraging other companies to adopt their own vulnerability disclosure policies, and proves a useful tool for security researchers looking for the right place to report an issue.
We believe that the OECD report has the potential to similarly enhance understanding and promote implementation of this important security practice, and are delighted to recognize that many of our original recommendations have been incorporated into the current draft. We nevertheless believe that the document could be further enhanced by the following:
- Recognizing the importance of risk management in vulnerability handling and prioritization. While the draft report highlights risk management overall, it does not outline how central that guideline is to deciding which vulnerabilities are addressed first. For example, a vendor may have several vulnerabilities disclosed to it at the same time while having only limited resources available to address them. In those situations it is critical to remediate the vulnerabilities that pose the greatest risk first, rather than treating every report as equally urgent.
- Correcting the claim that vulnerabilities are likely to be exploited. This includes changing the stated position that “once a vulnerability has been discovered, it may be reasonable to assume that at least one threat actor may have already discovered and has been exploiting it in the wild for a certain time without being detected”. In fact, the vast majority of vulnerabilities are never exploited in the wild, and a handling process that assumes otherwise misdirects scarce resources away from the vulnerabilities that are.
- Outlining more clearly what should happen with vulnerabilities in open source products, in particular those that are not maintained by or associated with any particular company.
- Emphasizing government’s role in responsible vulnerability handling. We welcome the inclusion of the reference to government roles when it comes to vulnerability disclosure, in particular their role in the grey and black markets. We would encourage the OECD to go further and proactively encourage governments to adopt vulnerability disclosure policies of their own, in line with the process adopted in the United States. In addition to these types of activities, the Cybersecurity Tech Accord signatories also welcome initiatives such as the US vulnerability equities process, which puts forward a decision-making framework for governments deciding whether to retain or disclose a vulnerability, and we have put forward a set of recommendations that builds on that initiative.
Enhancing the digital security of products
While clearly a substantial amount of work went into the draft report on Digital Security of Products, we strongly believe that more needs to be done to ensure that it can serve as a useful tool for policy makers and industry. The Cybersecurity Tech Accord signatories, by and large, support the conclusions and the recommendations of the draft report; however, we continue to struggle with the length of the report, the breadth of topics it is trying to tackle, and a number of its core positions. Our particular concerns include:
- We continue to have concerns with the structure and selection of case studies. Presently, it is unclear why the current case studies have been selected and what they aim to demonstrate. We believe it would be helpful to include case studies that highlight different aspects of the digital security challenge, which the current selection fails to do effectively. For example, the computing and mobile ecosystems are quite distinct from one another, and the risk mitigations available in those environments diverge significantly as well. This includes the delivery of security updates, which consumers can obtain directly and promptly in a traditional desktop environment but not necessarily in a mobile one. Conflating these examples in the same case study therefore seems counterproductive and likely to confuse the reader.
- On the other hand, while open source technology is mentioned in the draft report, the report does not address its specific characteristics, and the good practices it puts forward are not easily applicable to that environment. Open source technologies, including solutions not associated with or maintained by any particular company, are very prevalent in today’s digital environment and would form the basis of a helpful case study that merits inclusion.
- Another example that warrants more attention is user practices. While the efforts of technology providers are rightly highlighted, it is important that the draft report also addresses more comprehensively the role users play in protecting their online environment. In particular, the draft report highlights vulnerabilities and misconfigurations as important attack vectors, but entirely omits the fact that the vast majority of attackers get into systems through tools and techniques that rely on user action, such as phishing.
- Similarly, the report assumes that consumers lack information that developers have. However, information asymmetries also run in the other direction, which is particularly important in a security context. Often, a seller has no insight into how a customer will use a product within the customer’s own environment. Moreover, customers frequently deploy products in environments for which those products are explicitly documented as unsuitable, for example using certain cloud services for critical workloads.
- It is unclear why data portability is relevant to this report and why policy measures would be required to address it. Today, many users already use several cloud providers, and migration between them is not a challenge.
- In the section dealing with consumer safety, the report focuses on the Internet of Things (IoT) and does not address software and cloud services. It would be important to be more comprehensive in this aspect of the analysis.
- Furthermore, the draft report draws comparisons between traditional product safety and potential regimes that could emerge for the security of technology products. It does not, however, consider one important point: traditional product safety regimes typically deal with flaws introduced during product development alone, and they have not been designed or used for products that are continuously under attack, including from sophisticated nation state actors. Unfortunately, this is the reality for technology products today, and we believe it needs to be taken into account as part of a complete discussion of the issue.
- We also encourage the OECD to consider what recommendations would help companies that do not have (or indeed need) the IT resources of large software producers improve their cybersecurity. International standards are helpful, but even those may be a step too far for many of these players. Encouraging such organizations to invest, as a matter of priority, in risk management and in protecting the assets that most need to be safeguarded would be a step in the right direction.
- The draft report also introduces possible solutions that seem impractical and which would substantially increase the cost of technology products and services. The idea of developing different update mechanisms for different users (general users vs. sophisticated users) stands out as particularly problematic in this regard. That said, we would recommend that one of the case studies differentiate between a use case focused on the general consumer and one focused on enterprise customers.
- Similarly, the recommendations in the section on repairability seem impractical, given that they assume companies would be willing to hand over their intellectual property to a third party. It is important to remember that just because a particular product has reached its “end-of-life” does not mean that all of the code used in that product is suddenly obsolete; much of it may be repurposed in future versions or in other products.
Responsible response: clarifying the scope of business action in response to attacks
Finally, the Cybersecurity Tech Accord signatories welcome the start of the important work on “hack back” and wish to express our desire to participate in and support that effort. While we understand that the focus of that workstream will be on the private sector alone, we encourage the OECD to also consider government action in this space, as it presents similar challenges to the stability of our online environment.
We would like to once again thank you for the opportunity to provide comments on the work of the Working Party on Security in the Digital Economy. We believe the OECD has a critical role to play in enhancing cybersecurity not solely for the countries that are members of the organization, but for the world. We therefore look forward to subsequent opportunities to work together and provide further input and guidance on issues related to cybersecurity. Should you have any questions that emerge based on our input, please do not hesitate to contact the Cybersecurity Tech Accord through our Secretariat.