Category: Organisation Types

Organisation Types for membership

The satellite-enabled emergency response system that could make a life-saving difference

Agency News, Health & Social Care, Industry News

The COVID-19 pandemic has challenged ambulance services like never before. First RESPonse was created to help professionals respond to emergency calls more rapidly through enhanced technology. With support by ESA Space Solutions, the system developed in a Demonstration Project streamlined communication and information sharing throughout the chain of response and reduced call-to-hospital times for patients by up to 17%.

During the worst months of the COVID-19 pandemic, emergency call centres experienced extremely high rates of urgent medical calls. Coordination of the ambulance response was challenging and made more complex by the changing landscape of medical resources; hospitals were filling up, and temporary emergency facilities were opening.

The First RESPonse (First Rapid Emergency System against Pandemic) project launched in Italy in July 2020, with the aim to improve coordination of the entire process of a medical emergency request: from a patient’s distress call to the point of hospitalisation.

The project brought together two major players in European emergency service software and telecommunications: GINA Software and Beta 80. Forming a new consortium, the companies achieved complete integration of their products and – supported by ESA – incorporated space technology for enhanced geolocation accuracy and communication coverage.
Digital links for a faster chain

First RESPonse digitally connects each link in the emergency chain of response. It begins with an app on a citizen’s smartphone, through which they can call for help, see when help has been dispatched and when it is due to arrive. Ambulance dispatchers in the call centre have a constant digital connection to their crews via a workstation. They can keep them updated on the scene and patient’s condition, and the status of the nearest hospital facilities. First responders have a tablet through which they receive up-to-date information about the patient, automatic SatNav to their location and can video consult with a doctor from the field. They can also scan the patient’s ID card so that receiving hospitals know who is coming in, as well as seeing when they are expected.

The system was piloted by selected ambulance services in Italy and the Czech Republic and used in almost 9,000 incidents. In this pilot project, First RESPonse accelerated the pre-hospital chain by between 12 and 17%.

Arnaud Runge, Medical Engineer at ESA said: “In a medical emergency every minute counts. Cutting the time it takes an ambulance to reach a critically ill patient, and to get them to hospital, can make a life-saving difference. We’re proud to have enhanced First RESPonse with space technology.”
From pandemic to systemic

Following the successful completion of the pilot, First RESPonse is being promoted to emergency services more widely in Italy and the Czech Republic – where GINA and Beta 80 have most of their customers – and beyond.

Martin Ingr from GINA said: “The products and services that were created during the project are aimed to remain sustainable also after the pandemic is overcome. Our goal is that the problems solved through the First RESPonse project become part of the standard operation procedure. The system can be used again against this or other pandemics, during the response to disasters such as earthquakes, as well as improving daily operations of emergency services.”

[Source: ESA]
Leave a comment , , ,

Closer stakeholder cooperation essential for ransomware investigations to succeed

Agency News, Cyber Security CII sector, Industry News

The scale and impact of ransomware attacks have increased significantly over the past years, in part due to the COVID-19 pandemic. As such, the success of criminal investigations and prosecutions depends more than ever on close cross-border cooperation between public authorities, private companies and victims. Public-private cooperation is particularly valuable in such cases, as companies can preserve and provide the data and evidence investigators need to investigate crimes and identify criminals.

These are some of the main conclusions from the latest edition of the Cybercrime Judicial Monitor, featuring a special focus on ransomware investigations, published this month.

Cooperation between stakeholders in ransomware investigations is essential. This includes the reporting of ransomware attacks by victims, the preservation and possible analysis of digital evidence by private companies, and the investigation and prosecution by public authorities. The international dimension of investigations and the complexity of identifying criminals require early and close cross-border coordination between judicial and law enforcement authorities. Actions by each stakeholder group play a key role in the mitigation of damages, disruption of attacks and the identification and prosecution of perpetrators.

The report, based on practitioners’ input, highlights the challenges encountered in ransomware investigations. These include:

the loss of data and important e-evidence;
the criminal use of encryption and anonymisation techniques preventing the identification of suspects;
the complexity of investigations and the lack or delay of international coordination;
the absence of a harmonised data-retention legal framework; and
insufficient resources and expertise of law enforcement authorities.

Despite these obstacles, practitioners can learn from the many good practices showcased in the report. These include the swift notification of ransomware attacks to relevant authorities and the creation of technical reports by the victim or affected company. Continuous information exchange between the authorities and the victim/technical team has proved highly important. The provision of guidelines for public authorities on how to deal with ransomware attacks, as well as specialised training for police and judicial authorities, is also key.

The report underlines the successful use of joint investigation teams facilitated by Eurojust, which have led to the identification, arrest and prosecution of cybercriminals. The building of trust between public authorities and private companies by sharing information and regular communication is also essential. Although most countries do not have a specific legal framework for public-private cooperation, experience has shown that such frameworks have enabled ransomware investigations to succeed and that they are therefore much needed.

Leave a comment , , ,

Testing the Resilience of the European Healthcare Sector

Agency News, Health & Social Care

To ensure citizens’ trust in the medical services and infrastructure available to them, health services should function at all times. If health services and infrastructures in Europe were the object of a major cyber attack, how would we respond and coordinate at both national and EU level to mitigate the incidents and prevent an escalation?

This is the question Cyber Europe 2022 sought to answer using a fictitious scenario. Day one featured a disinformation campaign of manipulated laboratory results and a cyber attack targeting European hospital networks. On day two, the scenario escalated into an EU-wide cyber crisis with the imminent threat of personal medical data being released and another campaign designed to discredit a medical implantable device with a claim on vulnerability.

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, said: “The complexity of our challenges is now proportionate to the complexity of our connected world. This is why I strongly believe we need to gather all the intelligence we have in the EU to share our expertise and knowledge. Strengthening our cybersecurity resilience is the only way forward if we want to protect our health services and infrastructures and ultimately the health of all EU citizens.”

The pan-European exercise organised by ENISA rallied a total of 29 countries from both the European Union and the European Free Trade Association (EFTA), as well as the EU agencies and institutions, including ENISA, the European Commission, the CERT of EU Institutions, bodies and agencies (CERT-EU), Europol and the European Medicine Agency (EMA). More than 800 cybersecurity experts were in action to monitor the availability and integrity of the systems over the two days of this latest edition of Cyber Europe.

Can we strengthen the cyber resilience of the EU healthcare?

The participants who engaged in the complex exercise were satisfied with the way the incidents were dealt with and the response to fictitious attacks.

Now, the analysis of the process and of the outcomes of the different aspects of the exercises need to be performed in order to get a realistic understanding of potential gaps or weaknesses which may require mitigation measures. Dealing with such attacks requires different levels of competences and processes which include efficient and coordinated information exchange, the sharing of knowledge around specific incidents and how to monitor a situation which is about to escalate in case of a generalised attack. The role of the EU level CSIRTs network and the draft standard operation processes (SOPs) of the CyCLONe group also need to be looked into.

The deeper analysis will be published in the after-action report. The findings will serve as a basis for future guidance and further enhancements to reinforce the resilience of the healthcare sector against cyber attacks in the EU.

Leave a comment , , , ,

Experts Assess Implementation of International Conventions on Nuclear Emergency Response

Agency News, Industry News, Power/Energy/Oil & Gas sector

 

Countries need to work closely together in the event of a nuclear emergency, so sharing experience and improving emergency preparedness are key tasks stemming from the IAEA’s mandate. Those responsible for emergency preparedness at the national level – officially referred to as Competent Authorities – met in Vienna last week at the 11th Meeting of the Representatives of Competent Authorities identified under the Early Notification Convention and the Assistance Convention, and discussed ways to ensure that the necessary expertise, services and equipment are available promptly upon request by any government in the event of a nuclear or radiological emergency.

In his remarks, IAEA Director General Rafael Mariano Grossi referred to the role of the two conventions in relation to nuclear facilities in Ukraine. “Everything we have done to assist Ukraine in maintaining nuclear safety, security and an adequate level of safeguards; everything we have done to inform the wider world of the situation during this first military conflict fought in the direct proximity of a major nuclear power programme, we have done through the framework that many of you have built and improved in the years leading up to today…this framework is being tested like never before,” he said.

A strong and integrated international framework for notification and assistance in the event of a nuclear emergency is essential to protect people and the environment from the harmful effects of ionizing radiation, said the meeting’s Chair, Faizan Mansoor, Head of the Pakistan Nuclear Regulatory Authority. “This meeting is essential, since it gathers the world’s experts in nuclear emergency preparedness and response to determine if our arrangements remain effective when emergencies occur under increasingly complex conditions,” he said.

Competent Authorities are the entities designated by their governments to carry out specific duties with respect to issuing and receiving information relating to nuclear and radiological emergencies under these conventions. They meet every two years to evaluate and strengthen the implementation of the Early Notification Convention and the Assistance Convention. Both conventions were concluded in 1986, in the immediate aftermath of the accident at the Chornobyl Nuclear Power Plant, and establish the international framework for the exchange of information and the prompt provision of assistance in the event of a nuclear or radiological emergency, with the aim of minimising the consequences.

“Radiation does not recognize borders, and countries need to work together swiftly to prevent people from coming to harm in the wake of a transboundary radioactive release,” said Carlos Torres Vidal, Director of the IAEA’s Incident and Emergency Centre.
Preparing to Respond to a Rare Event

The IAEA has created a number of platforms and mechanisms, such as the Unified System for Information Exchange in Incidents and Emergencies (USIE), the International Radiation Monitoring Information System (IRMIS) and the Assessment and Prognosis Tools and the Response and Assistance Network to help countries work with each other, and with the IAEA and other international organizations, during a response. For example, USIE is a secure platform for information sharing that allows countries to fulfil their obligations under the Early Notification Convention; the same function is performed for the Assistance Convention by the Response and Assistance Network, or RANET, which allows countries to offer, and receive, assistance and expertise; and IRMIS collects and maps large quantities of environmental radiation monitoring data during nuclear or radiological emergencies.

The IAEA supports countries in setting up robust preparedness mechanisms, through the development of safety guides and publications, and the provision of trainings and other capacity-building initiatives.

Although most people associate nuclear emergencies with accidents at nuclear power plants, such as those at Chornobyl (1986) and Fukushima Daiichi (2011), such events are in fact very rare. At the same time, the Response and Assistance Network has been mobilized several times in the past decade to respond to countries dealing with the consequences of far more common radiological emergencies, such as workers becoming accidentally exposed to hazardous levels of radiation from contact with radiation sources used in industry or medicine.

“These past two years have demonstrated that emergencies come in diverse forms such as earthquakes, floods and fires, and that we need to pay more attention than ever before to our motto: Prepare. Respond. Improve,” said Lydie Evrard, Deputy Director General and Head of the Department of Nuclear Safety and Security.

Leave a comment , , , ,

New open-source software that decrypts social media messages to help manage risks and disasters

Agency News, Cyber Security CII sector, Industry News

The European Commission’s new algorithm developed by the Joint Research Centre (JRC) can segment social media messages to identify, verify and help manage disaster events -such as floods, fires or earthquakes- in real-time.

Suppose you are an emergency responder and you see a social media post showing an unusable road in a place not covered by traditional news. Suppose you see a similar message from several accounts. Wouldn’t you wonder if they were referring to the same event or whether that area was worth a more detailed analysis with a satellite image?

It was with this in mind that scientists from the JRC helped deal with the 2021 Haiti Earthquake by using social media data analysis to complement the assessment of impacts in the immediate aftermath of the earthquake.

This experience was the first real case usage of a software platform that can scan millions of social media texts and images per day for situational awareness and impact assessment. This information is collected, filtered and geocoded automatically and in real-time using machine learning (artificial intelligence) models.
A software that helps responders with flood risk management

The first goal of this platform was to provide an additional geospatial layer in the European Flood Awareness System (EFASSearch for available translations of the preceding linkEN•••) and the Global Flood Awareness System (GloFAS). These two online systems offer flood forecasts based on model simulations which are crucial to the Copernicus Emergency Management Services Managed by JRC.

The monitoring ability of these early warning systems is mostly anchored in satellite images and numerical models.The integration of this new social media for disaster risk management (SMDRM) software will allow them to assess the likelihood and impacts of a flood event with even greater accuracy.
An open-source tool available to all researchers and technicians

The new layer for EFASSearch for available translations of the preceding linkEN••• and GloFAS is the first product developed using the SMDRM software. Nonetheless, since the software has been released as open-source -free and open to all technicians linked to crisis response who want to leverage it- the scientists expect it to have a wider use and they remain available for collaboration.

The SMDRM software can be adapted for different scales and label relevant images for floods, storms, earthquakes and fires, resulting in valuable information for reports or descriptions of the situation on the ground or in the vicinity.

Technicians or researchers working on map development can use the code to find more data to improve or confirm their findings and complement information extracted from traditional sensors or earth observation sources.
Software that connects citizens to disaster risk management

The SMDRM software data help confirm whether an event is happening and where exactly the most affected locations are.

It is a clear example of how social media and active citizenship can contribute to disaster risk management as it help crisis responders improve their situational awareness in the immediate aftermath of an event.

Leave a comment , , ,

Enforcement Agencies Should Better Leverage Information to Target Efforts Involving U.S. Universities

Agency News, Industry News, University/Research/Academia sector

Over 2 million foreign students and scholars studied at U.S. universities in 2019, in many cases contributing to U.S. research. The U.S. government implements export controls to, among other things, mitigate the risk of foreign students' and scholars' obtaining controlled and sensitive information that could benefit foreign adversaries.

GAO was asked to review agencies' efforts to address risks associated with foreign students and scholars who may seek to evade export control regulations. This report examines the extent to which agencies are assessing universities' risk of unauthorized deemed exports to prioritize outreach.

GAO reviewed related laws and regulations; analyzed agency data; and interviewed agency officials in Washington, D.C., and 15 U.S. field offices. GAO based its selection of these offices on their proximity to research universities, their geographic dispersion, and other agencies' field office locations.

This is a public version of a sensitive report issued in March 2022 that included additional information on (1) challenges agencies face in efforts to enforce export control regulations, particularly for deemed exports at universities, and (2) the extent to which agencies coordinate their efforts and share information. Information that agencies deemed sensitive has been removed.

According to U.S. government agencies, foreign entities are targeting sensitive research conducted by U.S. universities and other institutions. Releases or other transfers of certain sensitive information to foreign persons in the United States are subject to U.S. export control regulations. Such releases or transfers, which are considered to be exports, are commonly referred to as deemed exports. A U.S. Assistant Secretary of State wrote in 2020 that greater attention needed to be paid to deemed exports. He noted that these transfers, including the “know how” of cutting-edge science and its applications, are what China's military–civil fusion strategy seeks in its attempts to mine and exploit U.S. academia's open knowledge system.

Agencies involved in enforcing export control regulations—the Departments of Commerce and Homeland Security (DHS) and the Federal Bureau of Investigation (FBI)—conduct outreach to universities to strengthen efforts to prevent sensitive technology transfers, including unauthorized deemed exports. According to officials, outreach increases awareness of threats to research security and builds stronger two-way relationships with university officials. The agencies identified this outreach as a key enforcement mechanism.

However, additional information about universities' risks could enhance the agencies' outreach efforts. For example, Commerce does not base its outreach on analysis of universities' risk levels and has not identified any risk factors to guide its outreach priorities. DHS has ranked roughly 150 U.S. universities for outreach, and FBI provides information to all of its field offices to guide their outreach priorities; however, both agencies base these efforts on only one risk factor. Identifying and analyzing any additional relevant risk factors could provide a more complete understanding of universities' risk levels and could further inform Commerce's, DHS's, and FBI's efforts to target limited resources for outreach to at-risk universities.

Leave a comment , ,

DOE Should Address Lessons Learned from Previous Disasters to Enhance Resilience

Agency News, Industry News, Power/Energy/Oil & Gas sector

Natural disasters, such as cyclones, earthquakes, hurricanes, wildfires, and severe storms—and the power outages resulting from these disasters—have affected millions of customers and cost billions of dollars. The growing severity of wildfires and extreme weather events in recent years has been a principal contributor to an increase in the frequency and duration of power outages in the U.S. Federal agencies, such as DOE and the Federal Emergency Management Agency, play a significant role in disaster response, recovery, and resilience.

This report (1) identifies lessons learned from federal, state, and other entities' responses to selected disasters that affected the electricity grid from 2017 to 2021; and (2) examines federal agency actions to address those lessons learned. GAO selected a nongeneralizable sample of 15 of 35 disasters that affected the grid from 2017 to 2021. The 15 selected were among the most severe events across a range of types, locations, and years. GAO also examined agency and industry responses; reviewed relevant reports, policies, and documents; and interviewed federal, state, and local officials, as well as selected industry stakeholders.

Power outages caused by natural disasters have affected millions of customers and cost billions of dollars. The Department of Energy plays a key role in disaster response and long-term electricity grid recovery.

DOE has taken some steps to improve its workforce and training, tools and technology, and local capacity to respond to disasters. But, DOE doesn't have a comprehensive plan for coordinating response and recovery responsibilities within the agency. In addition, DOE hasn't used lessons learned from previous disasters to prioritize recovery efforts.

In responding to selected disasters occurring between 2017 and 2021, federal, state, and other stakeholders identified lessons learned in the areas of planning and coordination, workforce and training, tools and technology, and local capacity. In the area of planning and coordination, agency officials and reports highlighted that disaster responses were more effective when strong working relationships existed between federal, industry, and local stakeholders. Regarding workforce and training, a Department of Energy (DOE) report emphasized the importance of having a dedicated pool of responders with expertise in grid reconstruction and recovery, especially when responding to multiple, concurrent or successive disasters.

Federal agencies have taken steps to address lessons learned by improving workforce and training, tools and technology, and local capacity. For example, to address workforce lessons, DOE began deploying a Catastrophic Incident Response Team to quickly bring responders with subject-matter expertise to affected areas. However, DOE does not have a comprehensive approach for coordinating its broader grid support mission that includes disaster response, grid recovery, and technical assistance efforts. Specifically, roles and responsibilities within DOE for transitioning from response to recovery are unclear, as are how lessons learned from previous disasters are used to prioritize recovery and technical assistance efforts. GAO's Disaster Resilience Framework states that bringing together the disparate missions and resources that support disaster risk reduction can help build resilience to natural hazards. By establishing a comprehensive approach that clearly defines roles and responsibilities, and acting on lessons learned across DOE, the department could better target resources and technical assistance. This approach, in turn, can lead to enhanced grid resilience and reduced disaster risk.

 

Leave a comment , , , ,

NSA, CISA, and FBI Expose PRC State-Sponsored Exploitation of Network Providers, Devices

Agency News, Cyber Security CII sector

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) today, “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.” The advisory highlights how People’s Republic of China (PRC) actors have targeted and compromised major telecommunications companies and network service providers primarily by exploiting publicly known vulnerabilities. Networks affected have ranged from small office/home office (SOHO) routers to medium and large enterprise networks.

The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns. Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public and private sector targets.

General mitigations outlined in the advisory include: applying patches as soon as possible, disabling unnecessary ports and protocols, and replacing end-of-life network infrastructure. NSA, CISA, and FBI also recommend segmenting networks and enabling robust logging of internet-facing services and network infrastructure accesses.

The advisory is broken down into three sections: an explanation of common vulnerabilities exploited by PRC state-sponsored cyber actors, an introduction of how telecommunications and network service provider targeting occurred through open source and custom tools, and an overview of recommended mitigations.

Leave a comment , , ,

DOD Needs to Improve Performance Reporting and Cybersecurity and Supply Chain Planning

Agency News, Cyber Security CII sector, Industry News

For fiscal year 2022, DOD requested approximately $38.6 billion for its unclassified IT investments. These investments included programs such as communications and command and control systems. They also included major IT business programs, which are intended to help the department carry out key functions, such as financial management and health care.

The NDAA for FY 2019 included a provision for GAO to assess selected DOD IT programs annually through March 2023. GAO's objectives for this review were to (1) examine how DOD's portfolio of major IT acquisition business programs has performed; (2) determine the extent to which the department has implemented software development, cybersecurity, and supply chain risk management practices; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address these objectives, GAO determined that DOD's major IT business programs were the 25 that DOD reported to the federal IT Dashboard as of December 2021 (The IT Dashboard is a public website that includes information on the performance of IT investments). GAO examined DOD's planned expenditures for these programs from fiscal years 2020 through 2022, as reported in the department's FY 2022 submission to the Dashboard.

GAO obtained the programs' operational performance data from the Dashboard and compared the data to OMB guidance. It also met with DOD CIO officials to determine reasons why programs were not reporting data in accordance with guidance.

In addition, GAO aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that the programs experienced since January 2020.

GAO also aggregated DOD program office responses to the questionnaire that requested information about software development, cybersecurity, and supply chain risk management plans and practices. GAO compared the responses to relevant guidance and leading practices.

Further, GAO reviewed actions DOD has taken to implement its plans for addressing previously identified legislative and policy changes that could affect its IT acquisitions. This included reviewing information associated with the department's efforts to (1) finalize strategies for its business system and software acquisition pathways; (2) implement modern approaches to software development such as transitioning to Agile; and (3) reorganize the responsibilities of the former Chief Management Officer throughout the department. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.

According to the Department of Defense's (DOD) fiscal year (FY) 2022 submission to the federal IT Dashboard, DOD planned to spend $8.8 billion on its portfolio of 25 major IT business programs between FY 2020 and 2022. In addition, 18 of the 25 programs reported experiencing cost or schedule changes since January 2020. Of these programs, 14 reported the extent to which program costs and schedules had changed, noting cost increases ranging from $0.1 million to $10.7 billion and schedule delays ranging from 5 to 19 months. Program officials attributed the changes to various factors, including requirement changes or delays, contract developments, and technical complexities.

Programs also reported operational performance data to the federal IT Dashboard. As of December 2021, the 25 programs collectively identified 172 operational performance metrics consistent with Office of Management and Budget (OMB) guidance. These metrics covered a range of performance indicators such as the timeliness of program deliverables and the percentage of time that systems were available to users. However, programs only reported progress on 77 of the 172 operational performance targets.

Nineteen programs did not fully report progress on their operational performance. Officials from the Office of the DOD CIO stated that programs that have operational performance measures should be reporting them to the Dashboard. They added that there were multiple factors that could have led to programs not reporting the metrics, including a reorganization that shifted responsibilities for IT investment management and confusion about the reporting requirement. Nevertheless, by reporting incomplete performance data, DOD limits Congress' and the public's understanding of how programs are performing.

As of February 2022, DOD program officials from all 11 (of the 25) major IT business programs that we considered to be actively developing new software functionality reported using recommended iterative development practices that can limit risks of adverse cost and schedule outcomes. Officials from eight of the 11 programs reported using Agile software development, which can support continuous iterative software development. Officials for five of the programs also reported delivering software functionality every 6 months or less, as called for in OMB guidance. Officials for three programs reported a frequency greater than 6 months and officials from the remaining three did not indicate a frequency.

In addition, as of February 2022, officials from the 25 major IT business programs reported on whether they had an approved cybersecurity strategy as required by DOD.

Officials from DOD CIO stated that they will follow up with the programs that did not provide an approved cybersecurity strategy. Until DOD ensures that these programs develop strategies, programs lack assuance that they are effectively positioned to manage cybersecurity risks and mitigate threats.

Officials from the 25 programs also reported on whether they had a system security plan that addresses information and communications technology (ICT) supply chain risk management, as called for by leading practices.

DOD guidance does not require programs to address ICT supply chain risk management in security plans. According to officials from DOD CIO, IT programs might address supply chain risk management in program protection plans. In addition, they noted that recent supply chain efforts have been focused on weapons systems. However, 15 of DOD's major IT programs did not demonstrate that they had a supply chain risk management plan. Until DOD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.

Regarding actions to implement legislative and policy changes, the National Defense Authorization Act (NDAA) for FY 2021 eliminated the DOD chief management officer (CMO) position. This position previously had broad oversight responsibilities for DOD business systems. In September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. GAO will continue to monitor DOD's efforts to redistribute the roles and responsibilities formerly assigned to the CMO.

Leave a comment , , ,

Coordinated Vulnerability Disclosure policies in the EU

Agency News, Cyber Security CII sector, Industry News

Vulnerability disclosure has become the focus of attention of cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union. The valid source of concern comes from the cybersecurity threats looming behind vulnerabilities, as demonstrated by the impact of the Log4Shell vulnerability.

Security researchers and ethical hackers constantly scrutinise ICT systems - both open source and commercial closed source software - to find weaknesses, misconfigurations, software vulnerabilities, etc. A wide range of issues are thus revealed: weak passwords, fundamental cryptographic flaws or deeply nested software bugs.

Identifying vulnerabilities is therefore essential if we want to prevent attackers from exploiting them. It is important to consider that attackers can always develop malware specially designed to exploit vulnerabilities disclosed to the public. Besides the identification itself, vendors can also be reluctant to acknowledge vulnerabilities as their reputation might be damaged as a consequence.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process by which vulnerabilities finders work together and share information with the relevant stakeholders such as vendors and ICT infrastructure owners.

CVD ensures that software vulnerabilities get disclosed to the public once the vendor has been able to develop a fix, a patch, or has found a different solution.

What are national CVD policies?

National CVD policies are national frameworks of rules and agreements designed to ensure:

researchers contact the right parties to disclose the vulnerability;
vendors can develop a fix or a patch in a timely manner;
researchers get recognition from their work and are protected from prosecution.

What is the situation in the EU?

The report published today maps the national CVD policies in place across the EU, compares the different approaches and, highlights good practices.

The analysis allows a wide disparity to be observed among Member States in relation to their level of CVD policy achievement. At the time the data used in the report was collected, only four Member States had already implemented such a CVD policy, while another four of them were about to do so. The remaining Member States are split into two groups: those currently discussing how to move forward and those who have not yet reached that stage.

What are ENISA’s recommendations to promote CVD?

The main recommendations from the analysis of nineteen EU Member States include:

Amendments to criminal laws and to the Cybercrime Directive to offer legal protection to security researchers involved in vulnerability discovery;
the definition of specific criteria for a clear-cut distinction between “ethical hacking” and “black hats” activities prior to establishing any legal protection for security researchers;
incentives to be developed for security researchers to actively participate in CVD research, either through national or European bug bounty programmes, or through promoting and conducting cybersecurity training.

Apart from the above, additional recommendations are issued in relation to the economic and polical challenges and also address operational and crisis management activities.

Next steps

The Commission’s proposal for the revision of the Network and Information Security Directive or NIS2 proposal, provides for EU countries to implement a national CVD policy. ENISA will be supporting the EU Member States with the implementation of this provision and will be developing a guideline to help EU Member States establish their national CVD policies.

In addition, ENISA will need to develop and maintain an EU Vulnerability database (EUVDB). The work will complement the already existing international vulnerability databases. ENISA will start discussing the implementation of the database with the European Commission and the EU Member States after the adoption of the NIS2 proposal.

Background material

The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in 2016, and the economic impact of vulnerabilites was explored in detail in 2018. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2018/2019 State of Vulnerabilities report.

Leave a comment ,
1 20 21 22 23 24 54