Vladimir Radunović, DiploFoundation
Anastasiya Kazakova, DiploFoundation
Serge Droz, Swiss Department of Foreign Affairs (FDFA) and FIRST
Exploiting vulnerabilities in digital products and services is an — if not the — essential component of sophisticated cyberattacks. Well-resourced threat actors, including state-related actors, increasingly seek to exploit vulnerabilities in operating systems and applications for economic, political, or military gain, causing destabilisation in cyberspace. The Sony hack, NotPetya ransomware, ICRC cyberattack, 2021 breaches exploiting vulnerabilities in the Microsoft Exchange Server … this list will most likely expand in the coming years amidst growing militarisation and geopolitical tensions in cyberspace.
Hence, the increasing security risks that exploitable vulnerabilities pose seem to be everyone’s common pain since, in cyberspace, a vulnerability which is kept secret and then exploited for malicious purposes can easily strike back like a boomerang, undermining everyone’s security. What’s more, the exploitation of vulnerabilities undermines the very concept of a digital society, on which we now rely more than ever. Today, going digital is increasingly not an option but an obligation for many organisations and individuals to continue their work and be part of the global society. However, going digital also means becoming cyber vulnerable. This also means that other entities connected to them become cyber vulnerable as well, due to the interdependent nature of the digital sphere.
One of the gravest concerns is the exploitation of ‘zero-day’ vulnerabilities – those that even the vendors are not aware of at the time of exploitation – and thus have ‘zero days’ to prevent exploitation with a fix. Although these are ‘sold’ with hefty price tags that go up to millions of dollars or more per piece, buyers on dark and grey markets range from organised criminal groups to companies and state proxies. Evidence of zero-day exploitation is everywhere: from the Stuxnet malware against the Iranian nuclear facility, discovered in 2010, to their use in the NSO Group’s Pegasus commercial spyware, deployed in the interest of politics, which was recently publicly revealed.
However, zero-day vulnerabilities are not the only concern. The Known Exploited Vulnerabilities Catalogue, maintained regularly by the US Cybersecurity & Infrastructure Security Agency (CISA), contains over 600 known vulnerabilities – some discovered as early as 2002 – that are still being exploited to damage critical infrastructure and cause significant damage of national concern. The fact that, for many of those on the list, vendors have rolled out patches, fixes, and updates – often within days or weeks – is not much of a comfort. They remain unpatched in various parts of the supply chain for a number of reasons, ranging from: (a) non-applicability, as is the case in complex industrial or hospital systems, (b) lack of client resources, (c) vendor unwillingness to roll out patches, (d) client unawareness of risks, and (e) lack of responsibility and liability of various parties.
Ideally, the world would be a much safer place if everyone just agreed not to exploit any vulnerabilities. Unfortunately, that is not how the world operates. Criminals are unlikely to give up lucrative cyber businesses. Moreover, commercial exploitation seems to be developing into a legitimate business model (with the NSO Group being just one such example). More worryingly, states do not show signs of turning to ‘cyber disarmament’ any time soon. On the contrary, many countries are involved in developing sophisticated offensive cyber capabilities (see the GIP DW Observatory’s map of cyber armament), many of them based on stockpiling and exploiting some vulnerabilities instead of disclosing all of them.
So below are some critical questions all cyber actors need to ponder.
- How can we increase costs of exploitation of vulnerabilities, enhance predictability, and reduce (disproportional) risks and damage?
- Can we limit – better yet outlaw – commercial exploitation of vulnerabilities?
- Would greater transparency by states – about their procedures for disclosure versus exploitation of vulnerabilities, as well as about terms and conditions for their exploitation, and the status of their ‘cyber arsenal’ – contribute to those ends?
- Would greater transparency by non-state actors also improve security?
Here, we propose steps for both state and non-state actors to increase transparency in vulnerability treatment and decrease security risks in cyberspace. While discussing such steps, we rely on the normative basis, i.e. the international framework of responsible state behaviour in cyberspace, based on reports produced by states in the UN Group of Governmental Experts (GGE), and reaffirmed in the final report by the UN Open-Ended Working Group (OEWG). Thus, in this article we provide concrete suggestions – both normative and in terms of policy – for a wider discussion in the international community.
Vulnerability treatment includes discovery, handling, management, and disclosure of vulnerabilities. Aiming for greater transparency in vulnerability treatment, it should also be clarified that, in reality, the international community might only be able to achieve translucency. It is well noted that states, in particular, are being rational in keeping the treatment of certain vulnerabilities non-transparent for strategic competition in cyberspace, and this approach is unlikely to change in the near future. Nonetheless, the ultimate aim to reduce risks of exploitable vulnerabilities through enhancing transparency in vulnerability treatment is intended to significantly increase the costs of cyberattacks, as well as reduce their volume.
How can we increase transparency in vulnerability treatment?
While both inter-state processes in the UN – the OEWG, in particular, in its final report, and the GGE, in its 2021 report – have warned about increasing cyber armament, neither report had detailed and explicit language about the danger of exploitation, or condemned it. What we, as the international community, have is the UN GGE agreement stating: (a) ‘ensuring that vulnerabilities in operational technology and in the interconnected computing devices, platforms, machines or objects that constitute the Internet of Things are not exploited for malicious purposes has become a serious challenge’ (para 11), and (b) measures ‘could be considered’ by states to limit commercial exploitation of vulnerabilities (para 58c and 62).
The final UN OEWG report only points to states’ reaffirmation to encourage the implementation of the previously agreed non-binding cyber norm on ‘responsible reporting of vulnerabilities’ (para 28); nothing further is provided. Even this norm, despite the further elaboration provided by states in the 2021 GGE report, remains insufficiently specific. In particular, the use of the term ‘responsible’ in the norm raises questions about responsibility to whom and by whom. Being aware of complexities in diplomatic negotiations, we tend to conclude that this language remains too vague to provide greater security and stability in cyberspace.
Meanwhile, at least four suggestions can be made for normative international discussions in order to translate them into practical implementation steps.
- The international community needs explicit acknowledgement of the dangers that exploitable vulnerabilities bear for everyone’s cybersecurity. For the current 2021-2025 UN OEWG in particular, it is important to (a) clearly recognise that vulnerability exploitation is among the most significant cyber risks, and (b) condemn exploitation of vulnerabilities for criminal, commercial, and political purposes.
- The tendency by some states to establish national rules to report and disclose vulnerabilities to a government first, and not to a vendor, contradicts long-established industry best practices. This also creates risks of non-compliance for security researchers, security risks for software manufacturers (in cases where vulnerability information concerning their software is leaked or exploited before patching), and inevitably creates increased security risks for users.
In this regard, the existing non-binding norm on responsible reporting of ICT vulnerabilities should be further elaborated to address risks of fragmented national approaches to vulnerability disclosure. For the current 2021-2025 UN OEWG, in particular, it is important to encourage states to develop policies where vulnerability finders are invited to report vulnerabilities to relevant vendors first. Where this is not possible, vulnerabilities should be reported to relevant CERTs.
- There should be a clear and straightforward call to prevent commercial exploitation of vulnerabilities. The exception would be made for a limited number of cases, such as exploiting a known vulnerability with an available fix, against a target which has provided its clear consent, and in the context of penetration testing and increasing the security performance of the tested system. The UN OEWG should develop clear language along these lines to further elaborate on existing voluntary GGE norm 13(i), para 58c and 62, for states and relevant stakeholders to limit commercial exploitation of vulnerabilities. Similar wording should be repeated in the form of a confidence building measure and capacity building, to increase trust and confidence among states.
- A norm which would call on countries not to exploit vulnerabilities is needed. However, this is not realistic, at least for the time being. As discussed, states will not stop stockpiling and exploiting vulnerabilities. In addition, as mentioned above, comprehensive transparency in vulnerability treatment is hardly achievable. What’s more, monitoring stockpiles and use of cyber weapons is significantly different from conventional arms: unlike ‘counting warheads’, spotting a stockpile and ‘counting vulnerability exploits’, which are just variable pieces of code, is rather complex. The same vulnerability can be reused multiple times; a vulnerability may suddenly become ineffective due to a widely available patch; and attribution of who exploits it is difficult at best, and impossible at worst. Yet states could and should be more transparent and responsible in collecting and exploiting vulnerabilities, in order to reduce risks to the entire digital environment, which includes themselves.
Therefore, as part of the mentioned norm implementation, for the current 2021-2025 UN OEWG, it is important to invite states, as well as other relevant stakeholders (e.g. the private sector, including manufacturers of ICTs), to increase transparency in vulnerability treatment and outline examples of the best practice implementation. In particular, this would require states to cooperate with each other, as well as with industry, the technical community, and civil society to implement the agreed norm on responsible reporting of vulnerabilities.
So, more specifically, what can be done?
Without reinventing the wheel, the international community can use the recommendations developed by the OECD to ‘increase stakeholders’ trust in the government; for example by separating offensive functions from digital security agencies and CERTs, and establishing transparent processes regarding how the government processes vulnerability information’. Indeed, states can be more transparent on how their vulnerabilities equities processes (VEP) or government disclosure decision processes are operating, and where such processes do not exist yet, they should be developed to define, among other things:
- Which agencies/ministries/departments participate and are required to submit vulnerabilities? Is this process mandatory or voluntary? Where is this process established and formally articulated? What principles guide decision-making in responsible vulnerability handling and disclosure? And, finally, how is ‘responsible vulnerability handling and disclosure’ defined?
- Under what circumstances, and for how long, can vulnerabilities be retained? If vulnerabilities are to be disclosed, how should they be disclosed? Which policies guide states to inform relevant non-State actors – those in industry and civil society? Which policies guide states to inform other states in mitigating cross-border security impacts?
Following on from concerns related to states developing ICT capabilities for offensive purposes, where retention of vulnerabilities is among the means for that, it could also be essential, as a mitigation measure to reduce the likelihood of future conflicts between states, to provide greater transparency about the types of such capabilities. Although hardly achievable these days due to increasing geopolitical tensions, it remains important to continue to consistently call for greater transparency in state military doctrines and decision-making, where vulnerabilities are retained. This would, in particular, entail greater transparency and articulation by states on:
- The application of international law and legal considerations on the development and use of ICT capabilities for military purposes
- These purposes as well as possible targets and non-targets (i.e. those which are off limits)
- The conditions defined for such use of ICT capabilities for military purposes
- The institutions/departments with the power to authorise the use of ICT capabilities for military purposes
With regard to greater transparency by relevant non-state actors, this can and should be provided through the adoption and formulation of clear vulnerability disclosure policies explaining the behaviour of non-state actors in vulnerability treatment. Examples include: (a) the Tech Accord’s vulnerability disclosure policies, (b) the Hacking Policy Council’s facilitation of best practices for vulnerability disclosure and management, launched by Google, Intel and several bug bounty companies, (c) Trellix’s Vulnerability Reasonable Disclosure Policy, (d) Rapid7’s Vulnerability Disclosure Policy, (e) Kaspersky’s Ethical Principles for Responsible Vulnerability Disclosure, and (f) examples coming from ‘traditional critical’ sectors such as Bayer’s Coordinated Vulnerability Disclosure Statement.
The role of the private sector in particular can be further enhanced through strengthening the security of digital products and thus reducing vulnerabilities within them. In messages from the event ‘Security of digital products and the regulatory environment’, the Geneva Dialogue calls on states and industry, along with standardisation and technical communities, to cooperate more when developing relevant national regulatory frameworks to prevent the emergence and exploitation of vulnerabilities.
The 2021-2025 OEWG could be a space and process where more universal and global input is provided from states to the international community to avoid fragmentation in the implementation of the discussed norm 13j as well as other norms such as 13g ‘to ensure safety and security of ICT products throughout their lifecycle’ and 13i ‘ensure supply chain security including through development of national regulatory frameworks and adopting cooperative measures’.
What’s the way forward?
We’re certain that greater transparency can reduce the exploitation of everything for anything, and make cyberspace more predictable and secure for all of us. We do understand that most measures above require a huge amount of trust between states and non-state actors – but essentially between states – which the current global geopolitical climate makes more challenging than ever. Still, there is no other choice than to remain hopeful of this eventually happening, and that within the current UN OEWG the international dialogue will advance further, including on the three areas identified in this article.
Otherwise, stakes may suddenly become much higher – not least with the exponential pace of further integration of AI, on which we increasingly depend.
This approach is based on the 2021 OECD analytical report ‘Encouraging vulnerability treatment’ https://doi.org/10.1787/0e2615ba-en as well as on the Output document: Good practices produced by the Geneva Dialogue on Responsible Behaviour in Cyberspace https://genevadialogue.ch/goodpractices/
According to the same report of the Geneva Dialogue, responsible vulnerability disclosure ‘implies that there is an ethical part of the process’, but also that the term is ‘emotionally loaded, and can be interpreted differently by various parties involved’: ‘for producers, ‘responsible’ means not disclosing without a patch available; for researchers, it may mean that the company issues a patch; some may see it as the responsibility of customers to apply the patches.’ (page 18).
For instance, where a vendor does not cooperate, does not respond, or does not identify at all possible means to report vulnerabilities and find relevant contacts.
As expressed both by the UN GGE and OEWG in their final reports in 2021.
As also stated by the UN GGE in the 2021 report (para 7) https://front.un-arm.org/wp-content/uploads/2021/06/final-report-2019-2021-gge-1-advance-copy.pdf