source link: https://itwire.com/guest-articles/guest-interviews/itwiretv-interview-cyan-vp-peter-coroneos-explains-why-laws-are-needed-to-protect-ethical-zero-day-cyber-research.html

Tuesday, 12 October 2021 10:53

iTWireTV Interview: CyAN VP Peter Coroneos explains why laws are needed to protect ethical zero-day cyber research

By Alex Zaharov-Reutt

The formation of a global partnership to ensure legal protections for good faith (bona fide) zero day researchers has been enacted by the Paris-based not-for-profit Cybersecurity Advisor Network (CyAN), with such research illegal in some jurisdictions, putting modern life at serious risk. We speak to Peter Coroneos, CyAN VP, to find out more.

As CyAN International Vice President and Zero Day Legislative Project leader, Peter Coroneos explained: "Zero day vulnerabilities are flaws in software or systems code that leaves end users open to attack.

"They are called 'zero day' because they are either unknown to the vendor who produced the product, or are known but no patch has yet been made available.

"The period between when the zero day is first discovered by an attacker and when the patch is installed by the end user is the attack window in which a compromise can occur. The consequences can be vast and most serious attacks these days involve zero day exploits."

Coroneos continued: "The first famous zero day attack was Stuxnet in 2009 against the Iranian uranium enrichment program. More recent attacks include WannaCry, NotPetya, SolarWinds, MS Exchange Server hacks of 2021 and the infamous Colonial Pipeline ransomware attack."

In the video, embedded below, Peter Coroneos opens with why the issue has come up again and the passion with which CyAN and its partners are pursuing international legal reform. The article continues thereafter, so please watch and read on!

So, why is the Zero Day Legislative Project needed?

Coroneos continued: “At a time of unprecedented scale and seriousness of cyber attacks threatening our personal information, the continuity of our businesses and the systems and infrastructure that support our societies, we find the very people we rely on to protect us remain under threat.

"'White hat' zero day researchers form a critical piece in the remediation of exploitable connected systems. They uncover the existence of unpatched vulnerabilities and report them to vendors of the relevant products so they can be fixed. Regrettably, they face legal threats from some vendors sensitive to the discovery of flaws in their products.

“The threats usually involve copyright and/or criminal laws that govern access or interference with computer systems. Outdated laws have not kept up with cyber challenges, stifling research efforts and reporting at a time when researchers should be supported.

“That is why we are building an international coalition to advocate for changes to laws to ensure that zero day researchers will no longer fear heavy handed legal responses from companies whose products they are seeking to secure," added Coroneos.

CyAN notes the OECD's recognition (PDF link) of "the need for action" in its 2021 guidance for policy makers observing:

"In many countries, researchers face significant legal risk when reporting vulnerabilities to vulnerability owners. Vulnerability owners can threaten researchers with legal proceedings instead of welcoming their vulnerability reports. This legal risk, aggravated when stakeholders are located across borders, creates powerful disincentives [for responsible disclosure]."

A number of high profile cyber leaders have expressed support for the initiative:

“Security researchers are the public safety whistleblowers for technology that the world increasingly depends upon. It’s high time the world’s laws provided these good faith hackers safer ways to perform their vital research essential to securing the modern world,” said Katie Moussouris, Founder & CEO, Luta Security; Founder, Microsoft Vulnerability Research (MSVR); Co-author & co-editor of the international standards ISO 29147 (Vulnerability disclosure) and ISO 30111 (Vulnerability handling processes).

“Ethical cybersecurity research which helps us clean up the digital environment deserves and needs proper legal protection,” according to Ciaran Martin CB, former CEO, National Cyber Security Centre UK.

Chris Painter, former top US cyber diplomat added: “It’s important to separate malicious actors from responsible, ethical, researchers who conduct their research within settled best practices. Supporting the latter, while condemning the former, is a worthy cause.”

“If good-faith security research is the Internet's Immune System, then modernising legislation to recognise hacking as a dual-use and morally agnostic activity, as well as creating carve-outs for today's Internet's ‘digital locksmiths’, is the equivalent of resolving the Internet's auto-immune problem,” said Casey Ellis, Founder/Chairman/CTO of Bugcrowd and Co-Founder of The disclose.io Project.

Stéphane Duguin, CEO, on behalf of The CyberPeace Institute, agreed, saying: “Because of the complexity and distributed nature of vulnerabilities, we need to empower and not penalise those who are working in good faith in the interest of public safety. Secure ICTs are key to creating a safe and stable cyberspace where we can unlock the potential of technology and empower individuals. Cybersecurity researchers are key to this mission.”

Also supporting the program is Vice-amiral d’escadre (Ret) Arnaud Coustilliere, former FR COMCYBER.
