EU Cyber Resilience Act: Reliable protection or big problems?

CarderPlanet

The CRA is being criticized from every quarter, but whether lawmakers will listen is still unclear.

Leading cybersecurity experts have warned of the potential misuse of the EU's Cyber Resilience Act (CRA), which we first reported on at the end of May, for intelligence or surveillance purposes.

An open letter signed by 50 prominent cybersecurity experts calls on the European Union to review article 11 of the Act, which deals with vulnerability disclosure requirements. According to this article, software publishers must report non-recoverable vulnerabilities within 24 hours of starting to exploit them.

Experts fear that this requirement will allow many government agencies to have access to a real database of software with unresolved vulnerabilities. Such information can be used to gather intelligence or spy on organizations and individuals, and if such a database is leaked, it will simply put millions of users of a particular software at risk of compromise.

The letter was signed by well-known figures such as Ciaran Martin, former head of the UK's National Cyber Security Centre, Toomas Hendrik Ilves, former President of Estonia, and Vint Cerf, Vice President of Google.

The CRA was introduced by the European Commission in September 2022 with the aim of setting minimum standards for cybersecurity, but it seems to many that if adopted, it will create more risks than it will bring benefits. For example, rapid disclosure of vulnerabilities can reduce the sensitivity of manufacturers to disclosure or discourage researchers from reporting identified vulnerabilities.

50 experts suggested that the EU review its approach to Article 11 and make the following changes:
  1. Explicitly prohibit agencies from exploiting or sharing vulnerabilities for intelligence or offensive purposes.
  2. Require reporting only of vulnerabilities that can be fixed, and only within 72 hours of publicly available remediation tools becoming available.
  3. Do not require reporting vulnerabilities identified in the course of good-faith security studies performed by independent researchers.

In April of this year, an open letter was sent to the EU warning that CRA could have a "deterrent effect" on software development. Whether the European Commission will listen to or ignore the warnings of so many experts, we will find out later.