When it comes to cybersecurity, managing vulnerabilities is of great importance. For this, it is essential that experts can constantly examine ICT systems to find vulnerabilities and fix them before they can be exploited. In this regard, ENISA, the European Union Agency for Cybersecurity, presented the report Coordinated vulnerability disclosure policies in the EU, which gives an overview of the state of play of CVD in the EU. Let’s find out more.
What does a Coordinated Vulnerability Disclosure (CVD) policy mean?
A Coordinated Vulnerability Disclosure (CVD) policy is a set of measures that allows for the early identification, assessment, and notification of vulnerabilities in ICT systems. The aim is to protect users and organizations from possible cyber-attacks.
Different EU countries are implementing CVD policies in different ways. Some have established national cybersecurity frameworks, while others are still in the process of doing so.
The coordinated disclosure schemes vary in scope and nature. For example, some schemes only cover specific types of vulnerabilities, while others have a wider scope.
However, all coordinated disclosure frameworks have one thing in common: they aim to improve the security of ICT systems by enabling experts to find and fix vulnerabilities as soon as possible.
For this reason, it is essential that all EU countries have a coordinated disclosure policy in place to ensure the security of ICT systems.
Why is it important for countries to invest in cybersecurity?
There are many reasons why countries should invest in cybersecurity.
One of the most important is that it protects citizens and businesses from cyber-risks and cyber-attacks. Cyber-attacks can also have a devastating effect on critical infrastructure, including power plants, hospitals, and financial institutions. These systems must be protected to avoid a major impact on the country.
Another reason is that cybersecurity frameworks help to build trust in the digital world. When people know that their personal data is safe, they are more likely to use online services and make purchases online. This, in turn, boosts the economy and digitalization.
Finally, investing in cybersecurity helps to create jobs. The demand for skilled cybersecurity professionals is constantly increasing, and there are not enough people with the necessary skills to fill these roles.
In conclusion, investing in cybersecurity is essential for all countries, regardless of their size or economic status. It is an investment that will pay off in the long run.
What are the different types of cybersecurity?
There are many different types of cybersecurity, but some of the most common are:
- Network security: This type of security protects networks from attacks. It includes measures such as firewalls and intrusion detection systems.
- Application security: This type of security protects applications from attacks. It includes measures such as authentication and authorization controls.
- Data security: This type of security protects data from unauthorized access or modification. It includes measures such as encryption and access control lists.
- Endpoint security: This type of security protects devices from attacks. It includes measures such as antivirus software and firewalls.
State of play of Coordinated Vulnerability Disclosure (CVD) policies in the EU
At the national level, the ENISA report shows that several EU states are making progress in developing national CVD policies, although at different paces and in different ways.
Currently, only Belgium, France, Lithuania, and the Netherlands are undertaking coordinated vulnerability disclosure policy work and have implemented the policy requirements. Yet the political initiatives of these 4 countries differ.
4 other states have a proposed policy under consideration or in the testing phase. Meanwhile, 10 states are considering implementing one or are on the verge of doing so.
Finally, another group of 9 Member States has no coordinated vulnerability disclosure policy, and the process of establishing one has not yet begun. However, most EU States without a coordinated vulnerability disclosure policy intend to establish one in the future, especially in the context of the national transposition of the NIS2 Directive.
Very few States do not intend to do so, and the reasons given include, for example:
- Countries already have cybersecurity rules and procedures that do not require coordinated vulnerability disclosure policies;
- Legal barriers;
- Lack of cooperation amongst stakeholders;
- Government ambiguity concerning vulnerability exploitation;
- Limited incentives for security researchers;
- Lack of financial and human resources.
CVD Policies: good practices
Here are some good practices that ENISA suggests for countries wishing to implement a Coordinated Vulnerability Disclosure policy:
- The policy must be implemented by individuals or bodies that can validly represent the responsible organization;
- It should be adequately advertised;
- The CVD policy should be applicable to the vendors’ various IT systems and to their contractual commitments;
- The policy should contain a description of the mutual obligations of the involved parties;
- A CVD policy must clearly state what information the participant must provide when reporting a vulnerability;
- A coordinated disclosure policy must respect the principle of confidentiality;
- Clear deadlines shall be set in the policy for each stage of the procedure;
- Offering a reward or public recognition could make the CVD policy more attractive for the security researchers.
The relevance of cybersecurity for the EU
The CVD report is one example of how long the European Union has been committed to strengthening cybersecurity.
Already in 2018, the European Commission supported the creation of a network of cybersecurity centres to support cybersecurity R&D in the European Union. It also made more than €2 billion available for cybersecurity projects through the Digital Europe and Horizon 2020 programmes.
Then, in 2019, the EU Parliament adopted the Cybersecurity Act. This law aimed to strengthen the role of the European Network and Information Security Agency (ENISA). Furthermore, it introduced a cybersecurity framework for the certification of all ICT products: hardware, software, and services.