Cybersecurity Vulnerability Disclosure in Trade Agreements
Cybersecurity has now become a feature of modernized US trade agreements, with new cybersecurity provisions in the US-Mexico-Canada Agreement and the US-Japan Digital Trade Agreement. The United States has begun the process of negotiating several additional trade agreements – including with China (Phase II), the European Union, Japan (Phase II), Kenya, and the United Kingdom.
The parties to these agreements should take the opportunity to expand on the cybersecurity section to better reflect its importance to global trade. One important way to do this would be to incorporate vulnerability disclosure into trade agreements. Below are Rapid7’s thoughts on how to do that and why.
[For an update on trade agreements as of Jan. 2020, please check out this blog post. For more information on Rapid7’s efforts to include cybersecurity risk management principles in USMCA, please check out this blog post.]
Integrating vuln disclosure in trade negotiations
“Vulnerability disclosure” is a voluntary process for communicating information about specific cybersecurity vulnerabilities, covering both how a finder reports a vulnerability and how the affected organization receives and acts on that report, for the purpose of encouraging voluntary mitigation of the vulnerability. Vulnerability disclosure has been written about extensively by cybersecurity risk management experts and is the focus of two international standards: ISO/IEC 29147 (vulnerability disclosure, which covers receiving reports from and communicating with finders) and ISO/IEC 30111 (vulnerability handling processes, which covers triaging and remediating reported vulnerabilities internally). The US government has taken significant steps to promote vulnerability disclosure, such as requiring federal civilian agencies to adopt certain vulnerability disclosure processes and integrating vulnerability disclosure processes into the NIST Cybersecurity Framework.
Recognizing that cybersecurity vulnerabilities affect stakeholders across borders, as well as the benefits to US trade (more on that below), the US should seek to extend this leadership on coordinated disclosure to digital trade negotiations. Vulnerability disclosure should be incorporated into modernized trade agreements by requiring the governments that are party to the agreements to:
- Build the capabilities of national entities responsible for coordinated vulnerability disclosure. These entities act as intermediaries, coordinating disclosures between finders and affected organizations (and among multiple affected vendors when a vulnerability spans products), which improves awareness and the likelihood of voluntary mitigation. In the US government, these entities include the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), now part of the Cybersecurity and Infrastructure Security Agency (CISA). Additional capabilities and resources will support their ability to effectively coordinate an increasing volume of disclosures.
- Establish processes for disclosure of “zero day” vulnerabilities from the government to the private sector. In the US government, this process is called the Vulnerabilities Equities Process (VEP). Under such a formal process, when a government body discovers or acquires a previously unknown vulnerability, it weighs the benefits of disclosing it against the benefits of retaining it, and discloses it to the affected vendor if the government determines that disclosure is appropriate, for the purpose of improving awareness and the likelihood of mitigation.
- Use, and encourage the private sector to use, voluntary processes for coordinated vulnerability disclosure aligned with international standards. Enterprises and government bodies would be encouraged to adopt standards-aligned processes for receiving, triaging, and coordinating vulnerability reports. In this context the process would be voluntary and would not impose a specific timeline for mitigation. Broader adoption of standards-based vulnerability disclosure would not, however, preclude government bodies from maintaining other processes as well (for example, a regulatory agency could separately require mitigation of security vulnerabilities within a certain timeframe).
Each of these concepts could be incorporated into the cybersecurity article of US trade agreements. See, for example, Article 19.15 in the Digital Trade Chapter of the US-Mexico-Canada Agreement.
Why vulnerability disclosure matters to trade
Vulnerability disclosure is one of several cybersecurity practices that – when done right and in alignment with international standards and best practices – can help advance trade for businesses in the US and internationally.
- Businesses depend on cybersecurity for trade. Both individual businesses and the international trade system at large rely on computer security to operate. Coordinated vulnerability disclosure processes are increasingly standard in organizational cybersecurity programs because a significant share of vulnerabilities (and the breaches that follow from them) are found not by the affected organization but by third parties and accidental discoverers, who need a channel through which to report them.
- Vulnerability disclosure processes strengthen product resilience and trust. Giving finders a clear channel to report, and organizations a process to receive and act on reports, improves the likelihood that a vulnerability will be mitigated before it is exploited. This makes products more resilient against cyberattack and accidental breach.
- Aligned vulnerability disclosure norms can help address trade barriers. Promoting norms for vulnerability disclosure based on standards would foster consistency and provide clear alternatives to less helpful practices. For example, Chinese government agencies have floated multiple draft regulations on vulnerability disclosure and threat intel sharing that depart from generally accepted international standards and best practices. Other nations have no clear policy for vulnerability disclosure. Greater alignment on process would encourage international partnerships for coordinated disclosure that strengthen product cybersecurity.
- Broader adoption of vulnerability disclosure processes can reduce illicit and gray markets for exploits. Adoption of vulnerability disclosure processes can increase the likelihood of mitigation of vulnerabilities and encourages the use of a designated channel for vulnerability disclosures. This can counter incentives to purchase or disclose exploitable vulnerabilities through unauthorized channels, including illicit and gray markets, which are less likely to result in mitigation of vulnerabilities.
Continuing leadership on vulnerability disclosure
This post is being written at a time when much of the world is on lockdown due to the COVID-19 pandemic. One of the clear trends emerging from the pandemic is the degree to which people and businesses globally continue to rely on digital products and services, even during homebound isolation. These services have made entertainment, remote education, and commerce accessible in ways that would not otherwise be possible. Sound cybersecurity is essential to keeping these services resilient.
While the pandemic has impacted international trade negotiations (and international trade itself!), the worthy effort to modernize old trade agreements and establish agreements with new partners will undoubtedly accelerate once more. With the eventual resumption of activity, we urge the US to build on its leadership in advancing vulnerability disclosure processes through trade agreement negotiations.