Security professionals, antivirus companies and civil rights advocates are sounding the alarm over the European Cyber Resilience Act (CRA). Their subject: Article 11.
This article states that software vendors must report 0day vulnerabilities to government agencies within 24 hours of their discovery. Influential industry experts warn that this article could be abused to track, or even compromise, cybersecurity efforts.
The CRA naturally aims to enhance the security of software and hardware. Although the law includes important guidelines, Article 11 spoils them all.
This provision sets a 24-hour deadline for reporting 0days, that is, exploitable and unpatched software flaws. The lawmakers' idea is to create a comprehensive database to help defend against cyber threats.
Experts have voiced their concerns in an open letter (PDF). The letter is supported by tech giants such as Google and organizations such as the Electronic Frontier Foundation and Trend Micro.
The letter outlines several potential risks associated with Article 11:
Government abuse. Experts worry that the data could be misused by governments for surveillance and intelligence collection.
A honeypot for attackers. A database of unpatched vulnerabilities would be an attractive target for cybercriminals looking for weak spots to exploit.
Damage to researcher-vendor relationships. Experts argue that forcing companies to disclose vulnerabilities so quickly could damage relations between software vendors and security researchers. The new law may make researchers reluctant to report flaws.
The open letter not only highlights the problems, but also suggests solutions.
It states that Article 11 should either be removed or revised with the following changes:
- Block government agencies from using the data for surveillance or any other form of offensive activity.
- Require reporting only once a fix is ready to be released.
- Exempt good-faith security research from mandatory reporting.
The letter is signed by experts from a wide range of companies and institutions, including ESET, Rapid7, Bitdefender, Google, Citizen Lab, TomTom, HackerOne, Panasonic, KU Leuven, Black Hat, DEF CON and Stanford University's Center for Government Policy.
The CRA is still in the draft stage, so there is room for change.
How the European Union responds to this concerted protest will be indicative of the balance of power between government surveillance and individual privacy.