Hardware Component Coordinated Vulnerability Disclosure

John Banghart, Senior Director for Technology Risk Management

Who am I?

• 27 years in information technology and security
  – 2 years with the White House National Security Council as Director for Federal Cybersecurity under President Barack Obama
  – 4 years with the National Institute of Standards and Technology Cybersecurity Division, focused on CVE, NVD, and security automation standards
  – 5 years with the Center for Internet Security
  – 1 year with Azure
  – Other years: miscellaneous
• Over 3 years with Venable, helping clients face a wide variety of proactive and reactive cybersecurity policy and technology issues

Report

• This presentation is based on a paper entitled Improving Hardware Component Vulnerability Disclosure, written and published by the Center for Cybersecurity Policy and Law.
• It is available for free download at: centerforcybersecuritypolicy.org

What is Coordinated Vulnerability Disclosure?

• Coordinated Vulnerability Disclosure (CVD) is a standardized, multi-step process through which stakeholders identify, develop, validate, distribute, and deploy mitigations for security vulnerabilities.

• CVD has historically focused on software vulnerabilities, but the rapid growth and variety of connected devices has increased interest in hardware component vulnerabilities.

The Challenge

• Over the last decade, industry has made great strides on both software and hardware vulnerability reporting, and in building trust between companies and researchers.

• However, because major hardware vulnerabilities have been rarer, there has been less focus on the unique aspects of hardware vulnerability disclosure and how to improve it.

Example of Software and Hardware Component Vulnerability

• Heartbleed
  – Found in OpenSSL, an open-source cryptographic library used extensively to provide encrypted communications for web, email, and other Internet protocols
  – The process to mitigate was relatively straightforward: update the vulnerable library and make the fixed version available for users to integrate into their software products (keys and credentials exposed while a server was vulnerable still had to be rotated, but that is an operational follow-up rather than a change to the fix itself)
• Spectre & Meltdown
  – Both took advantage of a feature called speculative execution, common to most modern processor architectures
  – Vendors affected by Spectre and Meltdown took different approaches based on their respective architectures and the variant of the vulnerability; for example, Meltdown was addressed largely in the operating system (kernel page-table isolation), while Spectre variants required a mix of microcode, compiler, and operating system changes
  – The increased complexity of the situation required unprecedented collaboration across the industry to develop, test, and deploy mitigations

What Makes Hardware Component Vulnerabilities Different?

• Hardware vulnerabilities often require multiparty coordination at multiple system layers

• Mitigation testing can be complex and time-consuming

• Hardware vendors often rely on others for mitigation distribution

Multiparty Coordination

• Hardware component vulnerabilities commonly require the active participation of multiple stakeholders, including:
  – Hardware vendors
  – Original Equipment Manufacturers (OEMs)
  – Operating system/firmware vendors
  – Virtualization vendors
  – Cloud service providers (CSPs)

Mitigation Testing

• Testing of mitigations for hardware vulnerabilities is complex and time-consuming

• Involved organizations are likely to have different internal processes that take different forms and varying lengths of time

• The nature of a mitigation may depend on how the hardware component at issue has been integrated with other systems, the environment in which it has been deployed, and the operating systems and applications running on it

[Figure: Mitigation Testing Process]

Hardware Component Vendors Often Rely on Others for Mitigation Distribution

• A hardware component manufacturer's ability to deploy a patch or other mitigation depends on how the product is integrated into assembled products

• A component vendor may not have a direct path to end users, meaning that a mitigation will need to involve the OEM at a minimum (and, for a processor deployed in a virtualized or cloud environment, typically the operating system, hypervisor, and cloud service provider as well)

[Figure: Hardware Component CVD Complexity]

Other Parties with Potential CVD Involvement

• Standards Development Organizations
  – ISO/IEC 29147 Information technology – Security techniques – Vulnerability disclosure
  – Forum of Incident Response and Security Teams (FIRST) Multiparty Vulnerability Coordination guide
• Governments
  – National security or commercial objectives may cause governments to take advantage of vulnerabilities that have not yet been mitigated
  – Governments may have significant research capabilities: they may discover vulnerabilities, share proofs of concept with a vendor, and serve as the Finder in the CVD process

Six Hardware Component Vulnerability Recommendations

1) The primary goal of CVD, whether describing vulnerabilities in software or hardware, is reducing end user risk and enhancing end user security. That primary goal is best accomplished when stakeholders work together to mitigate vulnerabilities in a responsible and coordinated manner.

2) CVD should limit involvement to persons necessary to develop, validate and deploy a mitigation.

3) Hardware vendors should work with partners on effective enforcement of disclosure embargoes and other measures to protect the agreed-upon process.

4) Hardware and software vendors should collaborate and iterate to streamline the deployment of patches and other mitigations as quickly as possible.

5) Hardware vendors should develop educational tools and conduct outreach to policymakers to inform their understanding of hardware vulnerabilities and CVD processes.

6) Hardware vendors should work on initiatives to increase the adoption rate of mitigations for known hardware vulnerabilities.

Thank You

© 2019 Venable LLP. This document is published by the law firm Venable LLP. It is not intended to provide legal advice or opinion. Such advice may only be given when related to specific fact situations that Venable has accepted an engagement as counsel to address.