Can government guide industry to better cyber info-sharing?
The NTIA is hoping to nudge industry to improve collaboration on disclosing cyber vulnerabilities.
The National Telecommunications and Information Administration is working to finalize consensus best practices to close the gap between government and industry interests when it comes to disclosing technical vulnerabilities that could impact public safety.
NTIA, a component of the Department of Commerce, doesn't regulate industry. Instead it convenes groups of stakeholders with an eye to forging consensus on best practices. At a Nov. 7 meeting, three working groups presented their progress in three main areas: safety and disclosure, multi-vendor disclosure, and adoption and awareness.
The first working group submitted a short sample template for how companies in safety-critical industries should write a vulnerability disclosure policy.
Cyber Statecraft Initiative Director Josh Corman said the template is aimed at manufacturers who may not be used to working with security researchers, and "it happens to be pretty useful for people in a non-safety-critical industry."
The sample covers which products the policy applies to, a legal posture that clearly commits the company to fair treatment of vulnerability disclosures, how to report a discovered vulnerability, and the company's procedure after receiving a report.
The legal posture bit is important, said Cyber Statecraft Initiative Deputy Director Beau Woods, because in most cases, vulnerability research is conducted in good faith, so the parties involved "should almost never" be fearful of legal recourse.
The second working group submitted a draft guidance for how stakeholders can collaboratively handle product vulnerabilities.
The guidance includes definitions and various real-world use cases of vulnerability reporting "that have been observed to happen in nature in this field," said Art Manion, a senior member of the vulnerability analysis team in the CERT program at Carnegie Mellon University.
Manion said that while following all of the steps of the document will not prevent all security concerns, quick and collaborative action without fear of legal recourse will produce the best results.
The third working group conducted an online survey of security researchers and vendors to compile recommendations on how to drive greater awareness and adoption of disclosure practices.
Jen Ellis, vice-president of community and public affairs at the internet security company Rapid7, acknowledged the survey was an imperfect measurement, but said the most surprising findings were researchers' responses that bug bounty programs will not "open the floodgates" to scrutinize vulnerabilities, and that far more respondents desired communication in addressing the vulnerabilities than a monetary reward.
While legal exemptions protecting security researchers exist, Ellis said she was "saddened, but not surprised" that concerns about legal repercussions, on the part of both vendors and researchers, have stymied collaboration on vulnerability patching.
Ellis added that her working group expects to further analyze the results and send out draft guidance sometime in late December or January, in hopes of finalizing the guidance by Feb. 1, 2017.