Authors of the 2017 Cisco cybersecurity report encouraged governments to communicate better with the private sector, disclosing the vulnerabilities they discover rather than holding that information in reserve.
“Many governments collect information about zero-day exploits and vulnerabilities that they discover in vendor software; however, they are not always transparent with vendors about the information they possess, or sharing it in a timely manner,” the report said.
The report, which covered threats, trends, and cybersecurity solutions for all sectors, argued that the sharing of vulnerability information can only lead to a more secure environment overall.
“Even though governments may have good reason to hold some of this intelligence close, there is also a need for greater transparency and trust in the global cybersecurity landscape,” the report said. “Governments therefore should conduct a frank assessment of their current policies regarding the hoarding of zero-day exploits.”
However, Ed Cabrera, chief cybersecurity officer at Trend Micro, noted that the U.S. government does not directly seek to identify vulnerabilities on its own, unless it is within the scope of an agency’s roles and responsibilities.
“Governments, specifically the U.S. government, take vulnerability disclosure and transparency very seriously,” said Cabrera. “[Department of Homeland Security], under the ICS-CERT program, manages the vulnerability disclosure within industrial control systems. In fact, DHS and ICS-CERT effectively manage vulnerability disclosures between security vendors and software providers.”
The report also predicted that encryption would prove a primary area of contention between industry and government.
“We believe that encryption will continue to permeate, perhaps even dominate, the cybersecurity debate for the foreseeable future,” the report said. “Governments in the post-Snowden era have been increasingly strident in their desire to regulate digital communications and to access data when needed. However, users have been just as ardent in their demand for privacy. Events such as the recent head-butting between Apple and the FBI over an iPhone belonging to a terrorist have done nothing to assuage users’ worries about privacy.”
The report characterized these conflicting stances on encryption as a “fundamental shift in the cybersecurity landscape,” adding that “while this shift is taking place, more governments are giving themselves the legal right—often on a broad basis—to bypass or break encryption or technical protection measures, often without the knowledge of the manufacturer, communication provider, or the user. This is creating tension not only between authorities and technology firms but also between governments, who are not necessarily keen to see their citizens’ data accessed by third-country authorities.”
“Encryption is a bedrock for privacy and security,” said Cabrera. “Therefore, the discussion over encryption best practices and uses will continue to permeate throughout government and private industry.”
The report predicted that, though most encryption keys are currently held by the companies that create them, developers are likely to begin handing those keys over to users to resolve consumer privacy concerns.