The increased adoption of Coordinated Vulnerability Disclosure (CVD) policies demonstrates the ongoing commitment to our first principle
Our societies are becoming increasingly digital, as illustrated by the COVID-19 pandemic. We have not only turned to technology for communications and streamlining our processes but relied on it to fuel our medical research and keep our economies turning whilst socially distancing. Though its benefits are countless, technology also comes with increased risk. In 2020, cyberattacks achieved new heights, both in terms of frequency and sophistication.
The Cybersecurity Tech Accord’s first principle commits its signatories to design, develop, and deliver products and services that prioritize security, privacy, integrity, and reliability. In keeping with this principle, one of the first actions we took in 2018 was to call on the technology industry to adopt coordinated vulnerability disclosure (CVD) policies and highlight the work of the Global Forum on Cybersecurity Expertise (GFCE) to provide helpful guidance in this regard. In 2019, we went a step further and committed to having every Cybersecurity Tech Accord signatory work toward implementing their own vulnerability disclosure policy to protect their users and customers.
Today we are proud to announce that two-thirds of our signatories – 100 companies – now have a vulnerability disclosure policy in place, and our remaining signatories are on the path toward developing one. As the Cybersecurity Tech Accord has grown over the past three years, more and more companies have recognized and agreed that CVD policies are essential to building cyber resiliency. As our signatories continue to make progress with implementing disclosure policies, we will publish them on our website as a resource for anyone seeking to enact their own guidelines.
It is important to recognize that while CVD policies represent good practices on their own, they also constitute a gesture of good-faith partnership toward other stakeholders – especially governments. As companies across the technology industry develop and implement these policies for expeditiously remediating known vulnerabilities to keep users and customers safe, governments should appreciate their responsibility to disclose any vulnerabilities they discover to the appropriate vendors so that they can be fixed. There could be no clearer example of how governments might invest in improving cyber defenses as opposed to simply building up their offensive capabilities. This is how we help keep everyone safe online.
A broader commitment to vulnerability handling
The individual commitments of our signatories are not the only actions we have facilitated in this space. We want to ensure that not just the technology industry but a broader set of companies endorses this approach. With that in mind, we have actively participated, both as an organization and as individual companies, in two processes that identify good practices, encourage bolstering the security of our digital products and services, and reduce their vulnerabilities.
At the end of 2020, the Geneva Dialogue on Responsible Behaviour in Cyberspace published its set of recommendations. These were a product of numerous discussions between Cybersecurity Tech Accord signatories and other technology players from around the world. The recommendations outline a series of definitions, highlight best practices, and identify the organizational and planning resources needed.
In addition, we were proud to take part in the informal expert advisory group of the OECD Working Party on Security in the Digital Economy (SDE) by contributing to their important work on the report “Encouraging Vulnerability Treatment”. We were very encouraged by the OECD efforts to clarify the debate on vulnerability treatment, CVD and ethical hacking and look forward to future collaboration opportunities to continue this critical effort.
It is a fact of life that both software and hardware products and services include vulnerabilities, and these can be attack vectors. Vendors, operators and system integrators can do a lot to increase the security of their products and services, particularly by implementing “secure by design” policies and practices. However, our online environment’s increasing complexity means that no ICT product or service can ever be 100 percent secure.
Thus, vulnerability disclosure policies are vital as they are at the core of a collaborative approach to cybersecurity. No organization can solve its cybersecurity challenges alone, so sharing and accepting information is critical to improving our cybersecurity postures. Vulnerability disclosure policies create a path that allows organizations or individuals to report any weaknesses to the relevant entity. Even more importantly, this disclosure starts a process that ensures the vulnerability is addressed, and any risk or potential harm to users can be efficiently mitigated – irrespective of how many entities are involved.