NTIA's Vulnerability Research Disclosure Multistakeholder Process Should Focus on Adoption, Stakeholders Say
Cybersecurity interests urged NTIA to focus its vulnerability research disclosure multistakeholder process more on increasing vendors' use of third-party researchers to detect software vulnerabilities than on developing new best practices for research disclosure. The vulnerability research disclosure multistakeholder process is the first in a planned series of NTIA initiatives aimed at cross-sector cybersecurity issues (see 1508280036). Although most attendees at a Tuesday meeting focused on incentivizing vulnerability research disclosures, a few said NTIA isn't empowered to fix legislative issues that create roadblocks to vulnerability disclosures.
Department of Commerce Deputy Assistant Secretary-NTIA Angela Simpson said the agency is trying to “engage the right voices” in the vulnerability research disclosure proceeding and wants to act as a neutral convener. “It's not our job to tell you what to do,” she said. The goal isn't to develop new best practices on disclosure or arbitrate existing ones so much as to foster awareness and adoption of those best practices, Simpson said.
Stakeholders pointed NTIA to multiple sets of best practices that already outline effective ways for vendors to coordinate with researchers on vulnerability disclosures. HackerOne's Vulnerability Coordination Maturity Model emphasizes specific levels of adoption for companies depending on their level of experience in cybersecurity, although all emphasize communicating with researchers and providing incentives rather than threatening legal action, said Chief Policy Officer Katie Moussouris. Incentives for firms with basic cybersecurity plans can include public displays of gratitude, while more advanced firms should consider monetary incentives like bug bounties, Moussouris said.
NTIA's vulnerability research disclosure multistakeholder project won't be meaningful “unless we talk about how to drive adoption,” said Rapid7 Communications Program Manager Jen Ellis. HackerOne's model and other best practices cite well-established International Organization for Standardization standards, so it's clear that the “question of how we drive adoption has to be fundamental to this process,” Ellis said. Discussions about adoption should include driving adoption for small and medium-sized businesses because they're the vast majority of software-dependent businesses and don't have the same resources to deal with vulnerabilities that global companies like Google do, said National Science Foundation Lead Program Director-Secure and Trustworthy Cyberspace Jeremy Epstein.
Stanford Center for Internet and Society Director-Civil Liberties Jennifer Granick sharply questioned NTIA's ability to facilitate fixes to pressing legal issues that security researchers face. NTIA doesn't have the power to change laws like the Digital Millennium Copyright Act's Section 1201, which prohibits circumvention of access control technologies, or U.S. rules for implementing the 41-nation Wassenaar Arrangement export treaty that would control the export of intrusion software and IP network surveillance systems, she said. The NTIA process also ignores the “power inequity” between vendors and researchers, with researchers having a “real disadvantage” because vendors can afford to hire lobbyists to make their case in Congress and federal agencies, Granick said.