With the rapid emergence of new technologies and IT products, businesses, governments, and consumers are increasingly relying on these technologies for their everyday life and operations. This trend is reinforced by the propagation of the Internet of Things (IoT). On the consumer side, IoT will make traditional goods increasingly “smart”. Wearable products, home applications, toys and children equipment, cars, embedded with hardware and software will have the ability to connect. On the business side, IoT techniques will support a broad range of business innovations, that will allow companies to integrate sensing, analytics and automated control into business models, reducing costs, improving productivity, customer services and overall performance.
In this context, software become more and more embedded in every device connected to the internet – our smartphones, our cars, our offices, and our homes. Many of these devices are expected to be operational for many years or even decades with a minimum of human intervention. They also make extensive use of third-party component libraries in integrated products; making security harder to verify. This means that most software and software-based products bear the risk to be exposed to vulnerabilities.
A vulnerability can be defined as “a set of conditions that allows the violation of an explicit or implicit security policy. Vulnerabilities can be caused by software defects, configuration or design decisions, unexpected interactions between systems or environmental changes. Vulnerabilities can arise in information processing systems as early as the design phase and as late as system deployment.”(1) In other terms, vulnerability refers to a flaw in the software code that allows an attacker access to a network or system.
Software vulnerabilities and their exploitation are increasing. The US-CERT Vulnerability Database and other EU vulnerability registries keep track of new vulnerabilities codes as they are discovered. The total number of vulnerabilities recorded in 2020 (a combination of high, medium, and low severity vulnerabilities) was 18,335, of which 4,380 were categorized as high severity(2). This is the largest number of high severity vulnerabilities recorded in any year tracked.
The role of the Study team
The European Union Agency for Cybersecurity (ENISA) commissioned Wavestone and CEPS(3) to conduct a study on “Coordinated Vulnerability Disclosure (CVD) and Vulnerability databases”. Concluded in November 2021, the objective of this study was to provide ENISA with an exhaustive state-of-play of national policy practices in the EU as well as an overview of initiatives related to vulnerability management and vulnerability databases.
Methodology of the study
During eight months Wavestone and CEPS collected inputs from a broad range of stakeholders to inform the development of the final report which was later disseminated by ENISA to collect extensive feedback from all EU Member States. A four-step methodology was applied:
1
Develop an in-depth understanding of coordinated vulnerability disclosure per se, its context and latest trends, by conducting desk research and seeking for publicly available information of worldwide practices
2
Organise primary data collection by conducting interviews with National Competent Authorities/CERTs, experts and security researchers, product and service providers, organisations in charge of national databases or vulnerability registries, academics and representatives of bug bounty programmes
3
Analyse the collected information from different sources in order to extract trends, good practices, challenges and draw recommendations for ENISA on CVD practices and potential initiatives applicable in the EU
4
Produce the final report to present a state-of-play at the EU level of CVD, main findings and recommendations on CVD policies and database management as well as suggestions on the potential role of ENISA
Achievements and outcomes of the study
Published by ENISA on 13 April 2022, the report “Coordinated Vulnerability Disclosure Policies in the EU” summarises information collected with a focus on Coordinated Vulnerability Disclosure (CVD) policies at the national level within the EU.
CVD policy state-of-play in the EU
At the national level, the research shows that in spite of a fragmented EU environment, multiple EU countries are making steps forward in the development of national CVD policies. Currently, Belgium, France, Lithuania and the Netherlands are undertaking CVD policy work and have implemented policy requirements. Among these four countries, policy initiatives strongly differ. In parallel, four other countries are preparing to implement a policy. In these cases, the proposal is either being examined at the level of policymakers or is being tested in pilot projects. Ten other EU countries are considering implementing a national CVD policy or are on the point of doing so. However, failure to reach consensus at the political or legislative level has hampered this process. Finally, the nine remaining countries have not implemented a CVD policy and have not signalled their intention to do so.
This heterogeneity across the EU could be explained by various challenges faced by national governments when considering CVD initiatives. These challenges include legal, economical and political aspects which are further addressed in the report. Additionally, the lack of alignment of CVD practices, terminology, understanding and assessment of a CVD process is perceived as a hindrance to the implementation of national CVD policies and intra-EU cooperation.
CVD database management – ENISA internal
Wavestone also provided information related to vulnerability database management. Interviewed experts pointed out the importance of aligning CVD terminology used by different CVD actors, defining roles and responsibilities, ensuring accountability and establishing an exhaustive vulnerability disclosure policy supporting any registry.
Experts who contributed to this study outlined a minimum level of information that should be included in database entries, including details on vulnerabilities. Additional good practices for database management and vulnerability prioritisation were mentioned, these include cross-referencing capabilities across databases, standardised scoring matrix, vulnerability information formats and real-time updates, as well as high-risk vulnerabilities handling and innovative data sourcing (i.e., using Artificial Intelligence).
While the main conclusion of this study is that CVD practices in terms of policies and databases vary considerably among EU countries, it was observed a positive general opinion and willingness to enhance policy and technical initiatives, worldwide cooperation and set CVD initiatives in order to reach mutual objectives and general safety.
What’s next?
The European Union Agency for Cybersecurity (ENISA) recently launched a study on Developing National Vulnerability Programs and Initiatives. Its main objective is to support the Member States in the development and implementation of National Coordinated Vulnerability Disclosure (CVD) Policies. Wavestone and CEPS will continue supporting ENISA to research, identify and capture initiatives, good practices and case studies that can support the development of national vulnerability programs. This study should be completed by September 2022, followed by a two-month review and feedback from the EU countries to ENISA prior to the official publication.
(1) Householder A. (2019), The CERT Guide to Coordinated Vulnerability Disclosure, CERT, December. Available at: https://vuls.cert.org/confluence/display/CVD
(2) Chiu T. (2021), 2020’s Record Numbers of Vulnerabilities, K2 Cyber security, January. Available at: https://www.k2io.com/2020s-record-numbers-of-vulnerabilities/
(3) https://www.ceps.eu/
Authors: Gérôme BILLOIS, Thiago BARBIZAN, Solène DRUGEOT & Cristian Michael TRACCI