Uldis Ķinis: Towards State-regulated Responsible Vulnerability Disclosure Procedure

Kategorija: Informācijas atklātība + Juridiskie aspekti + Kibernoziegumi + Kritiskā Infrastruktūra + VP ENAP Kibernoziegumu nodaļa

 

Latvia decided to draft Regulation on responsible disclosure procedure. In March 2016, the Ministry of Defence created a working group. The goal of the drafters was: 1) to prepare amendment to Law on the Security of Information Systems to create legislative framework for responsible vulnerability disclosure process; 2) to draft an amendment to Section 241 (3) of Criminal Law to create a guaranty against prosecution (waiver) for persons who act in accordance with responsible disclosure process. The paper provides an insight into this process, difficulties faced by drafters and presents provisional results of the legislative draft and lessons to be learnt.

Acīmredzot autors pirms publikācijas ar savu darbu nav iepazīstinājis nozares ekspertus. Rakstā netrūkst diezgan uzkrītošu kļūdu, piemēram, CERT atšifrējot kā “Central Emergency Response Team” un norādot atsauces uz autora datorā esošiem failiem. Autors arī nevairās diezgan nievājoši izteikties par darba grupas dalībnieku juridiskajām zināšanām:

Most experts – members of the working group, who represented IT personnel as well as military and national security agencies, have some previous experience in working with vulnerability disclosure. They know principles, phases, and other technical and managerial characteristics of RDP. Unfortunately, none of them has any legal experience; nobody understands the difference between a policy and a regulation.

Par motivāciju:

RVDP would allow engaging into cybersecurity matters independent security researchers, who are sometimes balancing between legal and illegal activities. This would be of great advantage to our cybersecurity architecture, because we do not have enough cybersecurity experts, who are working for the government.

Līdzīgi kā ar kiberzemessardzi, visa šī epopeja ir balstīta pieņēmumā, ka kaut kur ir tie nesavtīgie pētnieki, kuru pienesumu pašlaik ierobežo atbildīgas drošības nepilnību atklāšanas procesa neesamība. Šāds pieņēmums nav pamatots.

Draft of Section 6-1, paragraph fifth states: ‘if a person, who submitted responsible disclosure report prior to CERT information about vulnerability elimination results, publishes information about vulnerability and thereby endangers integrity, accessibility or confidentiality of information technologies or networks, he shall be liable according to legislation.’ Namely, if a researcher publishes information about vulnerability prior to CERT’s response, or discloses ‘instructional speech’ then the State’s guaranty not to prosecute will not be applicable. It means that a researcher will act at his own risk.

Lai autors nosauc Krimināllikuma pantu, kuru varētu piemērot pētniekam, kas publicējis informāciju par ievainojamību (aicinājums uz terorismu?).
Tas, par ko pētnieku varētu tiesāt, ir patvaļīga piekļuve automatizētai datu apstrādes sistēmai, ja tāda ir veikta ievainojamības atklāšanas procesā. Taču Krimināllikumā ir prasība pēc būtiska kaitējuma vai smagām sekām, kas diez vai attieksies uz gadījumu, ja piekļuve tiks veikta pētnieciskā nolūkā (tas gan neattiecas uz sistēmām, kas saistītas ar valsts drošību).

Noderīgāk būtu, ja tā vietā CERT ar ministriju parediģētu stratēģiskās nozīmes preču sarakstu, izņemot ārā drošības testēšanas iekārtas un programmatūru, kas kā Dāmokla zobens pašlaik karājas virs ievainojamību testētāju galvām.

Par to, kāpēc likumprojekts netika pieņemts:

During preliminary exchange of opinions between different Ministries and State institutions MOD received several objections. Some of them were purely of technical nature, but some of them advanced by the State Police and the Ministry for the Interior were substantive in nature. The Police and the Ministry raised the following concerns: ‘1) Drafters did not present sufficient and grounded risk analysis necessary for adoption of RVDP; 2) it may lead to unexpected and unpredicted consequences; 3) RVDP did not foresee creating a researchers register, police objected that, according to this process, the State will allow acting anonymously’. These institutions declared that RVDP could be supported only, ‘if the State were to ensure a controlled and transparent registration process for independent researchers’, who wanted to act according to RVDP. The draft was reviewed and conceptually adopted on 18 October 2016 by the Cabinet.’ However, due to the concerns mentioned above, the Cabinet instructed the Ministry of Defence to continue discussion and reach consensus on the disputed questions. Unfortunately, the model proposed by the State Police and the Ministry was not acceptable for MOD and other experts. For the given reason, this project was revoked. The last attempt to revive RVDP project took place on 29 March 2017. MOD organized a round table for all stakeholders, but, unfortunately, parties were unable to find a compromise and an acceptable solution regarding the principles for developing RVDP.

Avoti:
Uldis Ķinis: https://sci-hub.tw/https://www.sciencedirect.com/science/article/pii/S0267364917303606

Follow defenselv

2018-04-09  »  edgars