Tuesday, 12 October 2021 10:53

iTWireTV Interview: CyAN VP Peter Coroneos explains why laws are needed to protect ethical zero-day cyber research

By Alex Zaharov-Reutt

The Paris-based not-for-profit Cybersecurity Advisor Network (CyAN) has formed a global partnership to secure legal protections for good-faith (bona fide) zero-day researchers. Such research is still illegal in some jurisdictions, which CyAN argues puts modern life at serious risk. We speak to Peter Coroneos, CyAN VP, to find out more.

As CyAN International Vice President and Zero Day Legislative Project leader, Peter Coroneos explained: "Zero day vulnerabilities are flaws in software or systems code that leave end users open to attack.

"They are called 'zero day' because they are either unknown to the vendor who produced the product, or are known but no patch has yet been made available.

"The period between when the zero day is first discovered by an attacker and when the patch is installed by the end user is the attack window in which a compromise can occur. The consequences can be vast and most serious attacks these days involve zero day exploits."

Coroneos continued: "The first famous zero day attack was Stuxnet in 2009 against the Iranian uranium enrichment program. More recent attacks include WannaCry, NotPetya, SolarWinds, the MS Exchange Server hacks of 2021 and the infamous Colonial Pipeline ransomware attack."

In the video, embedded below, Peter Coroneos opens with why the issue has come up again and the passion with which CyAN and its partners are pursuing international legal reform. The article continues thereafter, so please watch and read on!

So, why is the Zero Day Legislative Project needed?

Coroneos continued: “At a time of unprecedented scale and seriousness of cyber attacks threatening our personal information, the continuity of our businesses and the systems and infrastructure that support our societies, we find the very people we rely on to protect us remain under threat.

"'White hat' zero day researchers form a critical piece in the remediation of exploitable connected systems. They uncover the existence of unpatched vulnerabilities and report them to vendors of the relevant products so they can be fixed. Regrettably, they face legal threats from some vendors sensitive to the discovery of flaws in their products.

“The threats usually involve copyright and/or criminal laws that govern access or interference with computer systems. Outdated laws have not kept up with cyber challenges, stifling research efforts and reporting at a time when researchers should be supported.

“That is why we are building an international coalition to advocate for changes to laws to ensure that zero day researchers will no longer fear heavy handed legal responses from companies whose products they are seeking to secure," added Coroneos.

CyAN notes the OECD's recognition of "the need for action" in its 2021 guidance for policy makers, which observes:

"In many countries, researchers face significant legal risk when reporting vulnerabilities to vulnerability owners. Vulnerability owners can threaten researchers with legal proceedings instead of welcoming their vulnerability reports. This legal risk, aggravated when stakeholders are located across borders, creates powerful disincentives [for responsible disclosure]."

A number of high profile cyber leaders have expressed support for the initiative:

"Security researchers are the public safety whistleblowers for technology that the world increasingly depends upon. It's high time the world's laws provided these good faith hackers safer ways to perform their vital research essential to securing the modern world," said Katie Moussouris, Founder & CEO, Luta Security; Founder, Microsoft Vulnerability Research (MSVR); Co-author & co-editor of international standards ISO 29147 Vulnerability disclosure and ISO 30111 Vulnerability handling processes.

"Ethical cybersecurity research which helps us clean up the digital environment deserves and needs proper legal protection," according to Ciaran Martin CB, former CEO, National Cyber Security Centre UK.

Chris Painter, former top US cyber diplomat, added: "It's important to separate malicious actors from responsible, ethical researchers who conduct their research within settled best practices. Supporting the latter, while condemning the former, is a worthy cause."

"If good-faith security research is the Internet's Immune System, then modernising legislation to recognise hacking as a dual-use and morally agnostic activity, as well as creating carve-outs for today's Internet's 'digital locksmiths', is the equivalent of resolving the Internet's auto-immune problem." Casey Ellis, Founder/Chairman/CTO of Bugcrowd and Co-Founder of The disclose.io Project.

Stéphane Duguin, CEO, on behalf of The CyberPeace Institute, agreed, saying: "Because of the complexity and distributed nature of vulnerabilities, we need to empower and not penalise those who are working in good faith in the interest of public safety. Secure ICTs are key to creating a safe and stable cyberspace where we can unlock the potential of technology and empower individuals. Cybersecurity researchers are key to this mission."

Also supporting the program is: Vice-amiral d’escadre (Ret) Arnaud Coustilliere, former FR COMCYBER.

Alex Zaharov-Reutt

Alex Zaharov-Reutt, iTWire's Technology Editor, is one of Australia's best-known technology journalists and consumer tech experts. Alex has appeared in his capacity as technology expert on all of Australia's free-to-air and pay TV networks on all the major news and current affairs programs, on commercial and public radio, and on technology, lifestyle and reality TV shows.