Seeking a coordinated and legally regulated involvement of the cybersecurity community in the process of raising the national cybersecurity maturity level, the Ministry of National Defence has drafted an amendment to the Law on Cyber Security of the Republic of Lithuania. If approved, the amendment will provide a legal basis for responsible disclosure of vulnerabilities in communications and information systems (CIS) that could otherwise be exploited to cause a cyber incident.
The draft Law on Cyber Security of the Republic of Lithuania lays out the terms and conditions for a lawful search for flaws in CIS. Persons who find and disclose such vulnerabilities under the conditions set out in the law will not only know that they have contributed to a more secure private and/or public sector, but also that they are legally protected.
The Ministry of National Defence will hold a forum-debate “Regulation of Responsible Disclosure of Cybersecurity Vulnerabilities in Lithuania” on September 30 to facilitate involvement of interested institutions, such as law enforcement, in the debate on the proposed legal regulation.
The event is organised in cooperation with NRD Cyber Security.
Participants of the forum will be briefed on the proposed legal regulation, potential legal challenges the new practice may bring will be examined, and insights from the participants will be heard, so as to resolve potential vagueness or misinterpretation.
How does responsible disclosure work?
Sad but true, all CIS have gaps, bugs, or other flaws to some extent, and malicious actors are looking for them. The good news, however, is that not only hackers with malign intentions but also other CIS (cybersecurity) specialists, scientists, and other IT geeks are interested in such flaws and try to find them. The latter are known as white hat or ethical hackers and have an ethical goal: to decrease cybersecurity risks in CIS. Therefore, there is a growing trend in different states to regulate and use responsible disclosure practices in CIS by inviting the cybersecurity community to responsibly identify and disclose vulnerabilities. A disclosure is considered responsible only when the information about the security gaps is given first to the owner of the CIS or other IT product in which it was detected, and/or to the authority that coordinates vulnerability disclosures.
Operating according to a set and publicly available procedure for responsible vulnerability disclosure, the organisation provides clear terms and conditions for CIS vulnerability detection and disclosure, establishes the rights and responsibilities of the participants in the disclosure process, and defines the methods and means that can be used without the risk of being considered a malicious action. It also prescribes the period of time that has to pass before information about the detected flaws can be made public, so that the flaws can be removed or otherwise managed.
There has been no state-wide regulation for responsible disclosure of CIS vulnerabilities in Lithuania so far, but this has not prevented some organisations from initiating, completing, and applying responsible disclosure policies. An excellent example is Vilnius City Council: at the beginning of this year the institution invited cybersecurity experts and enthusiasts to contribute through a responsible vulnerability disclosure programme, “Hack me if you can”.
What will the regulation for responsible disclosure change?
The legal framework for responsible CIS vulnerability disclosure is expected to bring clarity on the conditions for the distribution of responsibility and for vulnerability reporting. Removal of detected vulnerabilities through a coordinated process will improve the cybersecurity situation in Lithuania.
“Every organisation seeks to strengthen its cyber resilience by means of different software and hardware solutions, or other, such as regulation and application of the responsible CIS vulnerability disclosure process,” Jonas Skardinskas, head of the Cybersecurity and IT Policy Group at the Ministry of National Defence, says.
The cybersecurity community will be encouraged to engage more actively in the efforts to strengthen the national cyberspace: everyone with the skills, knowledge and willingness will be able to report the CIS vulnerabilities they find without any fear of prosecution. The piece of legislation will apply to all cybersecurity entities, such as state institutions, private-sector actors that provide critical services for the state (e.g., water, power supply, health, financial services, etc.), Internet service providers, cloud computing service providers, and persons engaged in large-scale electronic commerce.
It is also an effort to build up the motivation of cybersecurity entities to take care of their CIS and close known security gaps ahead of time. However, even when the law allows white hat hackers to look for CIS vulnerabilities without getting into legal trouble, their activity will still have to comply with the terms defined by the law. It is also likely that attention to responsible vulnerability disclosure will increase: discussions in the general public and the cybersecurity community will ultimately shape into best practices for such activity.
“It is natural that in the flow of life holes occur in our environment, planks and pavement tiles crack, etc. Most often we can inform the city council. But there were still many unknowns in the context of cyberspace on that matter, i.e., one cannot feel safe that he or she won’t be prosecuted, or perhaps it will not even be heard. There will be significantly fewer such doubts when the responsible CIS vulnerability disclosure regulation is introduced, and the roles, responsibilities and their limits for the different sides will be clarified. Such regulation is also a sign of maturity; these efforts will strengthen Lithuania’s image in the international cybersecurity community and in different ratings,” head of NRD Cyber Security Vilius Benetis says.
According to best practices for responsible CIS vulnerability disclosure, well-defined vulnerability disclosure coordination functions must be established and assigned to an appropriate institution. This role is planned to be given to the National Cyber Security Centre under the Ministry of National Defence.
“The National Cyber Security Centre promotes the application of responsible disclosure principles in cybersecurity: if you have found a vulnerability in some CIS, do not announce it publicly but inform the CIS administrator so that they can fix the problem. If a vulnerability is disclosed publicly before it is removed, a malicious actor may use it for a cyberattack. If you prefer disclosing through a mediator, you can fill in the report form on the National Cyber Security Centre website www.nksc.lt. We are ready to assess the situation and take action to make the CIS administrator aware of the detected vulnerability; they will also be informed that the security gap was found through responsible disclosure practices. When the legal provisions are in force, the process of vulnerability disclosure management, as well as the role of the National Cyber Security Centre in it, will become even clearer,” Dr. Rytis Rainys, Director of the National Cyber Security Centre under the Ministry of National Defence, says.