UK plans to sink global cybersecurity by severely violating the privacy of hundreds of services

Carding

Companies are on edge: should they stay aboard the Titanic?

The UK government plans to oblige companies and researchers to report newly found security vulnerabilities and to leave them unpatched until the proposed fixes have been reviewed and approved. A comparable practice already exists in China, and it is criticized by many information security specialists.

Recent plans to amend the Investigatory Powers Act 2016, which regulates surveillance of electronic communications in the United Kingdom, have attracted the attention of cybersecurity and Internet freedom experts.

The proposed amendments would effectively oblige companies to notify the government before making any technical changes to their systems. In practice, any service planning to roll out significant features or security fixes would first have to inform the UK Home Office.

A patch handed to a third party for review is itself a description of the flaw it fixes. If that information leaks, which does happen, every user of the service worldwide is put at risk. And the longer a vulnerability stays open, the more likely attackers are to find it independently and have time to exploit it in real attacks.

According to Ioannis Kouvakas, Senior Legal Adviser at Privacy International, these measures undermine end-to-end encryption and other security tools, and are unlikely to pass the necessity and proportionality test set out in Article 8 of the European Convention on Human Rights.

John Scott-Railton, senior researcher at the Citizen Lab at the University of Toronto, called London's plans catastrophically short-sighted: "Any technical product that remains in the UK will be under suspicion in the global market. The sector will disappear. Goodbye to investing in technology and jobs," Scott-Railton said.

"You will not be able to compete on a global level when you need the approval of a British bureaucrat to release any emergency updates that fix actively exploited vulnerabilities," the expert added.

China already operates this way: vulnerabilities discovered by Chinese researchers and vendors must be reported to the government first. Now the UK looks set to follow suit.

The UK's plan to introduce mandatory pre-notification of new vulnerabilities and security fixes therefore raises legitimate concerns among experts, undermines the trust of users and investors, and creates real risks for cybersecurity on a global scale.

Rather than following China's highly controversial example, governments in developed countries would do better to engage in a close and constructive dialogue with the technical community and to adopt only those measures that benefit the users of the products concerned.