Responding to Cyber Vulnerability Announcements
While there have been many discussions regarding vulnerabilities within the cybersecurity domain over the past year, the rise of autonomous shipping (or unmanned shipping) raises another important issue. This involves how vulnerabilities are made public and whether (or not) there should be a legally accepted standard of care clearly defined with respect to that disclosure.
Three major challenges have traditionally presented themselves in discussions surrounding this question. First, if a company is advised that it has a significant vulnerability, is it obliged to act? This question is best left to those who understand the legal implications of negligence, legal liability and vicarious liability. Second, at what tipping point does a company’s apparent lack of action become justification for discussing the vulnerability information more widely (or even publicly)? One argument that researchers have previously put forward is that it sometimes takes the threat of public exposure to galvanize an organization into action. The third challenge, however, is the concept of actionable intelligence and how that information needs to be controlled.
One approach to this issue involves the establishment of a clear standard of care that links with the values and ethics promoted by various IT Security organizations, associations associated with ethical hacking or others. This approach would indicate that (1) vulnerability information must first be disclosed privately to the supplier and the client involved in a manner that allows them time to remedy the situation, and (2) that organizations need to understand their own responsibilities to correct issues with respect to their products leaving individuals and organizations at risk of harm.
The release of the vulnerability information would then be considered more appropriate (or less inappropriate) (1) after the supplier had indicated that patches or fixes had been distributed, (2) after the company identified in the report had indicated that a fix had been put in place, and (3) after the regulators directly involved had confirmed that they were aware of the issue and were taking steps to correct it. This approach more clearly addresses the actionable information issue.
Does the lack of action become a tipping point? This is also not clear-cut. All companies and organizations are bound by various standards of care, and rushing a product to market for competitive advantage before certain checks have been made, or issues corrected, is a tenuous position to take. While the threat of public shaming may appear to work in generating action, the impacts of the released information must be weighed and examined carefully.
For the executive, this means paying close attention to whether the company is responding quickly and effectively to this kind of released information. A failure to act could leave the organization vulnerable to some form of attack at one end of the scale, or result in damage to brand and reputation at the other. This may also mean taking a stronger stance with IT suppliers and researchers, should the issue arise, and making it clear that while a lack of action is unacceptable, so are disclosures that may put persons or property at risk.
Allan McDougall BA BMASc PCIP CMAS CISSP CPP PSP CMSP is the chief learning officer of the IAMSP and an executive vice president of Knowledge Advancement Solutions based in Ottawa, Canada. In addition to his military experience, he has served as a security advisor with Canada’s Coast Guard, Department of Fisheries and Oceans and Canada Border Services Agency. He was also previously a senior inspector with Transport Canada’s Marine Security Operations and has coauthored several works associated with infrastructure protection and emergency preparedness.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.