In the fight against cyber attackers, one of the contentious issues is how much information defenders should disclose, and to whom. Ethical researchers, for example, will tell a vendor about a vulnerability and give it time to create a patch before publicly releasing news of their finding. This is called responsible disclosure.
On the other hand, some argue that full disclosure to the public of a bug or serious flaw is the best way to pressure vendors not only to fix problems fast, but also to improve their product development to avoid embarrassing security disclosures.
The problem, of course, is that full disclosure also gives attackers notice of holes to go after, so they can quickly modify their malware to exploit them before patches are widely applied.
The debate has come to the fore again with the release last month by Microsoft of a report on proposed cybersecurity norms for building trust in ICT systems.
These suggested norms include obligations on countries not to allow anyone to carry out malicious cyber activity from within their borders; that countries shouldn’t target the critical infrastructure of others in times of peace; limits on nation-state activity against commercial, mass-market ICT systems; responsible handling of ICT vulnerabilities and cyber weapons; appropriate conduct of offensive operations in cyberspace; and support for private sector management of cyber events. The report suggests a model for creating these norms that would include the ICT industry, which Microsoft says has often been left out.
But Kevin Townsend notes in a story for SecurityWeek.com that part of the Microsoft report is controversial because the company suggests what it calls ‘co-ordinated disclosure’ be the norm for researchers who want to disclose bugs. Co-ordinated disclosure allows these warnings to be revealed to computer emergency readiness teams (CERTs), usually official organizations created or backed by governments, as well as to the vendor. Still, the suggestion is that disclosure not be fully public.
To CISOs who have to deal with zero-day threats the debate may seem quite clear: Giving the enemy any advantage is wrong, so full disclosure is out of the question. Townsend quotes researchers at a security vendor who favour responsible disclosure but have some doubts that effective international norms can be imposed on criminals, or on the cyber intelligence agencies of certain countries looking for ICT vulnerabilities.
Then there’s the problem, once a norm has been agreed upon, of attributing an attack to a particular country, given the multiple ways attackers can hide their origin. Microsoft suggests a committee of experts to rule on the source of severe attacks.
As for the international development of cybersecurity norms, note that at last week’s North American leaders’ summit, Canada, the U.S. and Mexico pledged “to promoting stability in cyberspace based on the applicability of international law, voluntary norms of responsible state behaviour during peacetime, and practical confidence-building measures between states.
“The leaders affirmed that no country should conduct or knowingly support online activity that intentionally damages critical infrastructure or otherwise impairs the use of it to provide services to the public; that no country should conduct or knowingly support activity intended to prevent national computer security incident response teams from responding to cyber incidents, or use its own teams to enable online activity that is intended to do harm; that every country should cooperate, consistent with its domestic laws and international obligations, with requests for assistance from other states in mitigating malicious cyber activity emanating from its territory; and that no country should conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to its companies or commercial sectors.”
Also, at the G7 summit in May the countries — including Canada — promised to promote “a strategic framework of international cyber stability consisting of the applicability of existing international law to state behavior in cyberspace, the promotion of voluntary norms of responsible state behavior during peacetime, and the development and the implementation of practical cyber confidence building measures between states.”
What do you think: Full or limited disclosure? Let us know in the comments section below.