EU cyber agency will not create active vulnerability database, says chief cybersecurity officer
Hans de Vries, who joined the EU Agency for Cybersecurity (ENISA) as its chief cybersecurity and operational officer just a few weeks ago, has said his agency will not be creating a database of vulnerabilities as some feared had been proposed by new European cybersecurity legislation.
Such a database was one of the most controversial ideas raised by the Cyber Resilience Act as proposed in September 2022, which was intended — alongside a range of security standards for IoT products — to oblige manufacturers to report any actively exploited vulnerabilities affecting their products to ENISA.
Bart Groothuis, the European Parliament’s rapporteur for cybersecurity, previously told Recorded Future News that the proposal could make ENISA a target for hostile states and criminals: “It’s a risk in itself for the safety and security of the internet because other agencies might want to go for that.”
De Vries, who had previously spoken to Recorded Future News in his role as director of the Dutch National Cyber Security Center, largely agreed with that assessment and said the intention now was not to create a database but a notification platform.
“So if you’re talking about a huge database that can very much be hacked and have all the exploits in, I don’t think that’s the direction that ENISA is going, to in practice fulfill this obligation,” he said.
The major difference is the “fluidity of the information,” said de Vries. “We want to make sure that people are notified as soon as possible that something is happening, without building a huge database that can be hacked afterwards, and try to avoid that.”
Speaking during ENISA’s EU Cybersecurity Policy Conference in Brussels — marking the agency’s 20th birthday — de Vries reflected on his previous role: “I definitely know how to deal with vulnerabilities in essence, and the whole process of coordinating vulnerability disclosure, because we kind of invented the whole stuff together with [bug bounty platform] HackerOne. So I have quite some experience concerning that part.”
The ultimate legislative requirements on ENISA are not yet clear as the final negotiated text of the Cyber Resilience Act has yet to be published, although de Vries’ comments seem to support proposed amendments that instead require manufacturers to disclose vulnerabilities to the national Computer Security Incident Response Team (CSIRT) in the countries where they are based. The CSIRTs would then disseminate this warning using a new intelligence sharing platform that would be operated and maintained by ENISA.
The legislation is likely to include a provision that would allow member states, in special circumstances, to prevent these alerts from being shared more widely, although this would likely be for security reasons rather than as a result of a vulnerability equities process — particularly as the warning system concerns vulnerabilities that are already being actively exploited.
De Vries explained he had encountered cases in the Netherlands where, for various reasons, implementing a fix might take up to a year — and that announcing a limited active exploitation could cause an increase in hostile activity: “You have to make sure that the moment you communicate about that, the fix has to be ready and implementable.”
The reporting system is just one of several new roles that ENISA is set to adopt under a swathe of cybersecurity legislation being brought forward in the European Union, including the EU Cybersecurity Act which will empower the agency to create certification schemes for companies, products and services.
Under the Cyber Solidarity Act, ENISA could be called upon to formally analyze large-scale incidents on the request of the Commission or national authorities to identify lessons learned and make recommendations to improve cybersecurity across the Union. The role is meant to complement rather than replace the incident response functions provided by member states’ own CSIRTs.
ENISA is not the CSIRT for the European Union, said de Vries. “What we are trying to do, with the knowledge and experience we have, is to help the member states understand what’s happening without taking over their roles. And I’ve done the other role, so I definitely know what not to tread on.”
The agency’s tasks going forward are addressing some of the challenges that everyone has in common, rather than replacing individual member states’ sovereign cyber capabilities.
“The bigger issue is the open vulnerabilities that are patchable and are not patched, or that SMEs provide services but have no update plan or patch mechanisms for their products,” said de Vries, stressing that those were the key focuses of ENISA’s new activities under the Cyber Resilience Act.
Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.