A prominent cybersecurity executive is calling on the U.S. government to resist the urge to match China’s reported mandates around early vulnerability disclosure, warning that such a move would “meaningfully and dramatically increase the risk” of zero-day flaws landing in the wrong hands.
The caution, from Luta Security chief executive Katie Moussouris, follows the delivery of the first-ever Cyber Safety Review Board (CSRB) report, an examination of the Log4j security crisis, a document that calls out China’s “troubling” mandates around the disclosure of software security flaws.
“The requirement for network product providers to report vulnerabilities in their products to MIIT within two days of discovery could give the [Chinese] government early knowledge of vulnerabilities before vendor fixes are made available to the community,” according to the CSRB report (.pdf).
The CSRB said it was worried this would give China’s government “a window in which to exploit vulnerabilities before network defenders can patch them” and warned that this is a “disturbing prospect given the PRC government’s known track record of intellectual property theft, intelligence collection, surveillance of human rights activists and dissidents, and military cyber operations.”
The two-day mandate, the CSRB argues, could prolong the period in which the Chinese government can act on the vulnerability for its own purposes before network defenders can be made aware of a risk.
The CSRB report stopped short of making recommendations on this topic, but at least one member of the board has come forward to caution against mirroring the Chinese move.
Moussouris, a vulnerability disclosure expert who worked on the CSRB’s Log4j review, said any attempt to mandate the reporting of software flaws directly to the U.S. government will “fundamentally break the principles of least privilege” when it comes to Coordinated Vulnerability Disclosure.
In a note posted on the Luta Security blog, Moussouris said only the organizations that are responsible for creating a fix should know about a vulnerability before a patch is available. “Adding government entities to the embargo during vulnerability coordination and disclosure will not meaningfully add to our safety, but it does meaningfully and dramatically increase the risk of a leak before a patch is ready,” she added.
Moussouris, a pioneer in the use of bug bounties and creator of the first multiparty supply chain vulnerability coordination process at a major software vendor, said such a move would create a new high-value target: “a government-run treasure trove of unpatched vulnerabilities.”
The Luta Security chief executive argued that aggregating vulnerabilities from multiple software vendors in one place would raise the risk of a catastrophic security event if that database of bugs was compromised.
“As Congress considers the vulnerability landscape, contemplating requirements for reporting vulnerabilities to the U.S. government before they are patched, I hope they will listen to those of us who have considerable experience in weighing the risks of adding parties to vulnerability disclosure,” Moussouris said.
“We will not see an increase in our cyber resilience by fashioning laws to artificially bring the government into Coordinated Vulnerability Disclosure as an observing party to unpatched vulnerabilities. What we do need are more organizations around the world who are prepared with asset lists, SBOMs, and well-oiled vulnerability response capabilities that are ready, able, and willing to help collectively defend the Internet that we all share,” she added.
The initial CSRB report calls for industry adoption of tools and procedures for digital asset inventory and vulnerability management, documented vulnerability response programs, improved SBOM tooling, and increased investment in open source software security.