After Meltdown and Spectre, we need better vulnerability disclosure and a stronger U.S. cyber framework

Late last week, Access Now submitted comments to a U.S. government agency to argue for a stronger cybersecurity framework that will better protect users and our vital systems and infrastructure. In this post, we explain what the agency is doing and how we think the U.S. can improve its approach to cybersecurity.

The agency, the U.S. National Institute of Standards and Technology (NIST), is tasked with establishing standards through documents such as the Cybersecurity Framework, which guides industry and government in managing cybersecurity risk. In the absence of binding federal rules, the framework serves as a primary resource for companies, state agencies, and institutions like hospitals.

Our comments for NIST proposed changes to the latest draft version of the framework, including the adoption of provisions that address vulnerability disclosure and multi-factor authentication. We also comment on the Framework Roadmap that NIST has released to identify topics that may be included in the future.

Vulnerability disclosure

We propose that NIST include in the Framework Core, which identifies activities that private and public organizations ought to implement to manage cybersecurity risk, guidance on coordinated vulnerability disclosure, or CVD programs. CVD is the process by which corporations, federal agencies, and other organizations get information about and address newly discovered vulnerabilities in their technology or systems. Part of that process can include so-called bug bounty programs that reward those who find and report vulnerabilities.

Now is an opportune time for NIST to promote CVD programs. Over the past few weeks, chip makers and software companies have been scrambling to address two major technical flaws — Meltdown and Spectre — that could be abused to access sensitive data from personal devices or cloud infrastructure. Because the vulnerabilities are in the chips that underlie much of consumer technology and cloud servers, responding has required considerable resources and coordination between companies and other organizations. In our comments, Access Now supported inclusion of language on CVD programs in the updated framework, but we also cautioned against misuse and poor implementation.

Multi-factor authentication

We also propose that the framework reference authentication, including multi-factor authentication, or MFA, to protect users against attacks that can have broad impacts not only for individuals but the systems they are entrusted with. Access Now has promoted the use of MFA for individuals, and we argue that technology companies should make such authentication the default, and organizations should implement it as a best practice.

Looking ahead: the Roadmap

Finally, we address the Roadmap of topics for discussion in the future.

In other regions across the globe, lawmakers have imposed binding rules to address cybersecurity and data protection, which creates greater pressure on U.S. companies to consider the consequences of their designs. In the Roadmap, NIST discusses how international efforts can use the framework to implement common standards. The General Data Protection Directive and NIS Directive in the EU go well beyond the NIST Framework. In our comment, we offered support for promoting security standards internationally, and warned that the U.S. framework should work with, not detract from, implementation of those rules.

Meltdown and Spectre made headlines around the world, but we see new stories daily exposing the now-normal devastating breaches of customer data. As we wrote in our comments, the Roadmap is right to raise privacy engineering as a subject for future exploration. We urge NIST to continue that conversation. We recently evaluated one method for protecting data through our blog series on differential privacy. However, for the use of biometrics as a method of authentication, we called for further exploration of the benefits and risks before inclusion in the framework.

The U.S. government has been making incremental changes in its approach to cybersecurity. We believe that recommending that companies implement CVD programs and utilize MFA is important. But in the absence of binding rules, companies will continue to make insecure products or fail to protect user data properly, with no real consequences. Moving forward, we urge NIST not only to make the changes we propose but also to take a more holistic approach to protecting user data, using a variety of resources and pushing ahead to tackle privacy engineering.

You can find Access Now’s full comments here on our website.

Access Now also signed joint comments with Rapid 7 and other representatives of civil society that call for the inclusion of the CVD language in the framework. You can find those comments here.