Practically exploitable security gaps threaten the IT security of private and state infrastructures. Therefore, eliminating the gaps is desirable for all stakeholders. Nevertheless, appropriate vulnerability management is often lacking. The authors outline the status quo and present possible solutions to disentangle the conflicting interests and legal positions.
The most important facts in brief
IT security vulnerabilities in hardware and software affect private, corporate and state systems. As soon as it is technically possible to exploit the gaps, they threaten the IT security of all parties involved. Specifically affected are citizens and companies as users, manufacturers of software and hardware, as well as governmental (critical) IT infrastructure. It is, therefore, in the interest of society as a whole to keep the number of exploitable security vulnerabilities as low as possible.
Success in this regard requires defensive state measures aimed at eliminating IT security vulnerabilities. Only such an orientation recognises the beneficial aspect of IT security research, which, by reporting discovered security vulnerabilities, also contributes to their effective and rapid elimination. According to the predominant view in IT security research, keeping security vulnerabilities secret, on the other hand, worsens the IT security situation, because independent rediscovery or leakage of the corresponding knowledge, and thus uncontrollable misuse, is possible at any time.
One building block in the defensive orientation is the process of Coordinated Vulnerability Disclosure (CVD). However, this is hardly practised in the affected sectors, presumably also because such a process is not anchored in the legal framework. As a result, conflicts repeatedly arise between manufacturers of products with IT vulnerabilities and proactive security researchers or ethical hackers. This noticeably impedes the elimination of the gaps.
This bidt policy brief proposes the establishment of a reporting and coordination body for CVD processes as a way to involve IT security researchers and other finders of IT security vulnerabilities in eliminating those vulnerabilities for the benefit of the common good.
Two parallel approaches are needed to make the IT security landscape more resilient and defensive: adapting the legal framework and installing a neutral reporting and coordination body among the stakeholders.
The problem of the fragile situation due to numerous IT security vulnerabilities in software and hardware can only be solved by a defensive and research-friendly orientation of the IT security landscape and policy. The basic prerequisite for this is an open attitude on the part of all those involved — i.e. IT security researchers as reporters, manufacturers and other agencies responsible for products and state actors. There must be process-oriented but transparent communication between all parties to make the IT security of all devices and applications more resilient. This is the only way to close IT security gaps effectively and sustainably.
Solution approach 1: Legal impetus for a legal framework
Reshaping the legal framework creates the basis for this. Taking into account the groundbreaking constitutional court rulings in criminal law, data protection law and IT security law will noticeably relieve IT security researchers. At the same time, reporting IT security vulnerabilities is declared a means of strengthening IT security and no longer exclusively a (feared) first step towards exploiting security vulnerabilities. In the future, attention should also be paid to maintaining or even strengthening this value in other, more recent areas of law, for example European data law, which is currently being developed.
Solution approach 2: Establishment of a reporting and coordination body
The proposed reporting and coordination body serves as a vehicle to promote the development of this value in the social order. Secure and confidential communication channels in the reporting process between IT security researchers and manufacturers or agencies responsible for products reduce inhibitions on both sides. Monitoring and standardisation of the CVD process create clarity and trust between the participants and the public. In addition, the body’s independence increases confidence in the state as a protective actor, in those responsible for products, and above all, in the reporting system itself.