The EU’s Cyber Resilience Act (CRA) could be misused by governments for intelligence or surveillance purposes, a group of industry experts has claimed.
The open letter, signed by 50 prominent cybersecurity professionals across industry and academia, has urged the EU to reconsider the provisions set out in Article 11 of the CRA, relating to vulnerability disclosure requirements.
Currently, Article 11 requires software publishers to disclose unpatched vulnerabilities to government agencies within 24 hours of exploitation. The letter argues that this requirement will allow dozens of government agencies access to a real-time database of software with unmitigated vulnerabilities, which could potentially be exploited to gather intelligence or monitor organizations and individuals.
“The absence of restrictions on offensive uses of vulnerabilities disclosed through the CRA and the absence of transparent oversight mechanism in almost all EU Member States open the doors to potential misuse,” the letter read. Signatories include the former head of the UK National Cyber Security Centre (NCSC), Ciaran Martin, the former President of the Republic of Estonia, Toomas Hendrik Ilves, and Google’s VP and chief internet evangelist, Vint Cerf.
The CRA was unveiled in September 2022 by the EU Commission, and is designed to establish minimum cybersecurity standards for connected devices. Agreement for the proposals was reached with the European Council in July 2023, and the Commission is now holding negotiations with the European Parliament on the final version of the proposed legislation.
Open Letter Highlights Security Concerns with Article 11
The open letter highlighted further security concerns with Article 11, one of which is the danger of breaches of government-held vulnerability data, leaving organizations exposed to attacks. “While the CRA does not require a full technical assessment to be disclosed, even the knowledge of a vulnerability's existence is sufficient for a skilful person to reconstruct it,” it read.
In addition, the experts warned that the rapid disclosure of vulnerabilities would have a “chilling effect” on good faith researchers, “who often need more time to verify, test and patch vulnerabilities before making them public.”
The letter added that the 24-hour requirement may both reduce the receptivity of manufacturers to security disclosures from security researchers and discourage researchers from reporting vulnerabilities.
Should Article 11 be Revised?
The 50 experts have asked the EU to reconsider its approach to Article 11, advocating a risk-based approach to vulnerability disclosure “to avoid unintentionally exposing consumers and organizations in Europe and beyond to new cybersecurity risks.”
The letter set out the following suggested revisions for the EU to consider.
- Agencies should explicitly be prohibited from using or sharing vulnerabilities disclosed through the CRA for intelligence, surveillance or offensive purposes.
- Require reporting to agencies of mitigatable vulnerabilities only, within 72 hours of effective mitigations (e.g., a patch) becoming publicly available. Details could include the initial discovery date by the manufacturer.
- The CRA should not require reporting of vulnerabilities that are exploited through good faith security research. In contrast to malicious exploitation of a vulnerability, good faith security research does not pose a security threat.
- Reference ISO/IEC 29147 in Article 11-1 and use it as the baseline for all EU vulnerability reporting.
In April 2023, an open letter to the EU was penned by open-source industry bodies, warning that the CRA will have a “chilling effect” on software development.