A group of 50 cybersecurity experts from both industry and academia have expressed concerns that the European Union's (EU) Cyber Resilience Act (CRA) could be exploited by governments for intelligence and surveillance purposes. The experts have collectively signed an open letter urging the EU to reconsider the provisions outlined in Article 11 of the CRA, which pertain to vulnerability disclosure requirements.
Currently, Article 11 mandates that software publishers must report unpatched vulnerabilities to government agencies within 24 hours of their exploitation. The signatories argue that this requirement could inadvertently provide multiple government agencies with access to a real-time database of software vulnerabilities, potentially enabling them to gather intelligence or monitor organizations and individuals.
The open letter pointed out that the lack of restrictions on the offensive use of disclosed vulnerabilities under the CRA, combined with a lack of transparent oversight mechanisms in most EU Member States, creates opportunities for potential misuse. Prominent signatories include Ciaran Martin, the former head of the UK National Cyber Security Centre (NCSC), Toomas Hendrik Ilves, the former President of the Republic of Estonia, and Vint Cerf, Google's VP and chief internet evangelist.
Security Concerns Highlighted in Article 11
The open letter emphasized several security concerns associated with Article 11, including the risk of breaches involving government-held vulnerability data, potentially leaving organizations vulnerable to cyberattacks. It also highlighted the potential "chilling effect" on security researchers who might require additional time to verify and patch vulnerabilities before making them public.
The experts called for a reconsideration of Article 11 and advocated a risk-based approach to vulnerability disclosure to mitigate unintended cybersecurity risks. Their suggested revisions included explicit prohibitions on government agencies using or sharing disclosed vulnerabilities for intelligence, surveillance, or offensive purposes; reporting mitigatable vulnerabilities only when effective mitigations are publicly available; and exempting vulnerabilities discovered through good-faith security research from the reporting requirements.
George McGregor, VP of Approov Mobile Security, emphasized the global implications of these vulnerability requirements, stating, "These vulnerability requirements, if enforced, will be of critical importance to US companies which operate in the EU. The EU Cyber Resilience Act makes no distinction about where vulnerabilities are discovered, so the obligation will be worldwide in scope. This is clearly understood by the number of US-based individuals who have signed the request to modify the CRA in order to remove the requirement to report unpatched vulnerabilities within 24 hours. The letter also requests that vulnerabilities uncovered during testing should not be included in the reporting requirement. With this level of industry reaction, the CRA requirements should certainly be relaxed."