4 International Implications, National Security, and Vulnerability Disclosure
Pages 39-54



From page 39...
... Beyond Spectre 39
From page 40...
... This process was particularly complex with Spectre, Schwartz noted, because there were multiple variants requiring multiple patches, and there is still the possibility of discovering more. There is not consensus with regard to what role governments should play in the disclosure process, Schwartz explained, and there are multiple issues to consider in this respect.
From page 41...
... FIGURE 4.1 Ari Schwartz, Center for Cybersecurity Policy and Law, Venable LLP, "Coordinated Vulnerability Disclosure in Hardware Systems," presentation to the workshop. (The figure text also carries the glossary entry "(ISO) International Organization for Standardization.")
From page 42...
... Additionally, Schwartz emphasized that to develop smart laws in this space, the field must do a better job of detailing vulnerabilities and mitigations to policy makers, who cannot be expected to be cybersecurity experts. 42 Forum on Cyber Resilience
From page 43...
... Bug bounties can also create complicated trust dynamics between companies and bug hunters. They are typically run as competitions and often require bug hunters to sign NDAs.
From page 44...
... However, it takes more than engineering to resolve bugs that emerge through bug bounties; it is also necessary to engage with the hacker community and follow proper disclosure practices. If a company does not have the resources to address the bug reports, bug hunters will feel ignored and may lose their motivation to participate.
From page 45...
... Noting that companies have mixed motivations for starting bug bounty programs, she emphasized that they should not be used to find "low-hanging fruit" -- when that happens, it is an indication that a company has failed to do its own due diligence. Bug bounties, she argued, ideally should find only the more complicated or severe bugs.
From page 46...
... Plonk agreed with Schwartz: disclosure looks like the last step, but in many ways it is also the first step in a much larger process. Plonk noted that every time Intel goes through this process, it is further refined both to work better and to stay up to date with standard industry practices and vulnerability disclosure guidelines.
From page 47...
... Most of the time, Waller said, the best course of action for users is to simply wait for the patch and implement it when available. From a government perspective, he said, the global marketplace adds further complications because variation between countries impedes global scaling of vulnerability disclosure processes and solutions.
From page 48...
... One important development Waller discussed is the recently drafted Code of Practice for Consumer IoT Security, a set of 14 voluntary guidelines that Internet of Things (IoT) device developers can follow to improve device safety.1 The code of practice recommends, for example, eliminating default passwords, clearly and publicly describing responsive vulnerability reporting procedures, and communicating a timeline for how long a product will be supported so that consumers can make informed choices.
From page 49...
... It is also valuable to encourage transparency throughout these processes to drive better security behavior, he argued.

DISCUSSION

The panel concluded with a wide-ranging discussion of how to enforce a vulnerability disclosure plan, the role of governments and other authorities, the complexities of collaboration, the need to work with non-experts, and other facets of the workshop's themes.
From page 50...
... Waller pointed to the current ISO/IEC standards 29147 and 30111, which have influenced industry behavior with regard to coordinated vulnerability disclosure. One example of a good practice is that the vulnerability must be first disclosed to the vendor; NCSC, he said, does not collect disclosures unless they pertain to government agencies' web services or unless a vendor has been notified but has not responded.
From page 51...
... Participants agreed that if governments want to get involved in companies' vulnerability disclosure processes, they will need to be able to demonstrate that they can bring value.

Expectations Versus Reality in Vendor Response

Paul Kocher, independent researcher, noted that reporting problems to the vendor first is not necessarily the best move in every case.
From page 52...
... They may have a process to resolve bugs that they think is adequate, but she said that many are not anywhere near the level of sophistication required to do complex multiparty vulnerability coordination with this sort of vulnerability.

When Embargoes Are Broken

Participants next delved into the responsibilities of parties that become involved in an embargo and what happens when embargoes are broken.
From page 53...
... Plonk agreed that evidence of an active exploitation usually means that a company will publicly disclose the vulnerability before full mitigation is possible, because there could be temporary fixes that would better protect customers in the meantime. On the other hand, Moussouris noted that customers sometimes ignore initial mitigation measures in favor of waiting for patches to be fully ready, which can save costs but leave them vulnerable.
From page 54...
... Plonk agreed and said that security experts could do more to disseminate basic information about the computing ecosystem. Certain companies or researchers are involved because of the technical necessities the process requires.

