London: New updates to Article 11 of the EU’s Cyber Resilience Act (CRA) have raised concerns as dozens of global cybersecurity experts warn it could create unnecessary risks for consumers and businesses.
The CRA aims to set out cybersecurity requirements for products with digital elements, bolstering cybersecurity rules for software and hardware to protect businesses and consumers from inadequate security features.
However, in an open letter signed by senior figures at over 50 organisations, including Google, the Electronic Frontier Foundation, and the CyberPeace Institute, experts said that aspects of the article are “counterproductive and will create new threats that undermine the security of digital products and the individuals who use them”.
Article 11 will require software publishers to disclose any unpatched vulnerabilities to the EU Agency for Cybersecurity (ENISA) within 24 hours of exploitation.
Information on vulnerabilities would then be passed on to the government agencies responsible for each member state's security. In effect, software providers would feed their known, unpatched vulnerabilities into a “real-time database” of unmitigated flaws, giving those agencies an overview of ongoing or potential security issues.
This comes as part of an effort from EU lawmakers to ensure greater transparency and accountability, speed up vulnerability disclosures, and ultimately protect consumers.
Achi Lewis, Area VP EMEA for Absolute Software, added: “Timely and accurate reporting of vulnerabilities is crucial for organisations, not only to protect their own organisation, but others along the supply chain, as well as alerting software providers to potential issues.”
“The current patching landscape is messy, and our Resilience Index research found that there are 14 different versions of Windows 10, for example, being used by enterprise businesses, with over 800 different patches. This is made worse by one in six devices working on an old patch, increasing the cybersecurity risks to the device, and subsequently the organisation.”
“IT managers already have a difficult job managing a work-from-anywhere device fleet so ensuring patching is up to date is an important step to bolstering security, and new vulnerability reporting rules as part of the Cyber Resilience Act will support organisations to stop vulnerabilities spreading. These actions will better prepare organisations to prevent cyber incidents, as well as improve response protocols when attacks occur.”
Within the open letter, the critics argue that by having a repository of unmitigated vulnerabilities that could be targeted by threat actors, organisations are placed at heightened risk.
They also believe the measure would merely encourage a trend of “rushing the disclosure process”, placing greater strain on security teams and software providers and potentially resulting in botched patches.
In response, the open letter recommends that the mandatory reporting deadline be changed to within 72 hours of “effective mitigation”, to avoid the risk of exploitation.