The vulnerability disclosure provisions of the EU’s proposed Cyber Resilience Act (CRA) have been sparking serious concerns from cybersecurity experts around the world.
The law essentially requires that companies disclose exploited vulnerabilities to government agencies within 24 hours.
Dozens of global cybersecurity experts and leaders came together to write a brief but powerful open letter to the EU explaining that even though the bill has good intentions, it creates a slew of new problems.
The signers of the open letter include major companies such as Google, Trend Micro, ESET, ImmuniWeb and TomTom. More notably, it has been signed by prominent figures such as Toomas Hendrik Ilves, the former President of the Republic of Estonia, and Sergio Caltagirone, the President of the Threat Intelligence Academy.
The letter was addressed to Mr. Thierry Breton, Commissioner for Internal Market of the European Commission; Ms. Carme Artigas Brugal, Secretary of State for Digitisation and Artificial Intelligence; and Mr. Nicola Danti, Rapporteur for the Cyber Resilience Act, European Parliament.
“While we appreciate the CRA’s aim to enhance cybersecurity in Europe and beyond,” the letter reads, “we believe that the current provisions on vulnerability disclosure are counterproductive and will create new threats.”
The letter highlights three core problems with the vulnerability disclosure provisions. First, the new rules are ripe for misuse by intelligence agencies and for surveillance purposes. Second, requiring disclosure of vulnerabilities within 24 hours also gives criminals an advantage.
“Even the knowledge of a vulnerability’s existence is sufficient for a skillful person to reconstruct it,” they write.
Third, the requirement could encourage companies to devote fewer resources to cybersecurity research, given that they would have to report every vulnerability found during testing. The writers worry that good-faith researchers will be heavily punished.
The writers add that, in their view, agencies should not share vulnerability reports with intelligence agencies, and that the law should instead require disclosure of mitigable vulnerabilities within 72 hours. They also believe that vulnerabilities found through good-faith research should not be subject to disclosure.