The Court of Appeals for the Ninth Circuit affirmed, with prejudice, the dismissal of all claims in a case that risked setting a precedent requiring premature vulnerability disclosure, In re Intel Corp. CPU Marketing. The Cybersecurity Coalition led a joint amicus brief in the case, targeted at educating the district court on the principles and timing of coordinated vulnerability disclosure (CVD).
The amicus brief was submitted in collaboration with the Cyber Threat Alliance, Information Technology Industry Council, and the Business Software Alliance, and was recognized in the District Court’s oral arguments and final ruling. The amicus brief served as an integral resource in the Court’s dismissal of the Plaintiff’s claim that it was an unfair business practice not to publicly reveal an unpatched security vulnerability that was still being mitigated.
The “Spectre” and “Meltdown” security vulnerabilities affected widely used computer processors. Though relatively difficult to exploit, these hardware-based vulnerabilities also required a longer period of time to mitigate than traditional software vulnerabilities. As detailed in a white paper from the Center for Cybersecurity Policy and Law, these hardware vulnerabilities demonstrated the complexity of multi-party coordination to deploy mitigations for different vulnerability variants across multiple technology vendors. In short, the affected vendors were working to fix the problem, but fixing it takes time.
After the vulnerabilities were mitigated and publicly announced, a class action lawsuit was filed against Intel Corp. alleging that it was an unfair business practice to market computers without disclosing that the processors were affected. Instead, the lawsuit contended that the vulnerability should have been disclosed publicly 90 days after discovery, arguing that this was a standard timeline for vulnerability disclosure.
The Cybersecurity Coalition and its allies intervened with an amicus brief because of our concern that the case could create a precedent that all vulnerability disclosures should follow a rigid 90-day deadline. While public disclosure of unpatched vulnerabilities can be necessary in some circumstances, premature disclosure can also create a greater risk that attackers will exploit the vulnerability. Our amicus brief stated that a universal disclosure deadline would be against established standards and best practices, and that it would be a negative outcome for cybersecurity. Here is a summary of the brief’s arguments:
- The Opinion Could be Read to Create a New Legal Presumption that Requires Disclosure of Security Vulnerabilities within 90 days
If the Court accepted the Plaintiff’s allegations that the “normal” embargo period is 90 days and concluded that there was no “countervailing business interest other than profit for delaying disclosure,” this could be interpreted as creating a new legal presumption that required the disclosure of security vulnerabilities within 90 days. This opinion would significantly differ from current standards in the cybersecurity community and could have adverse impacts on the remediation of future vulnerabilities.
- Coordinated Vulnerability Disclosure Background
Understanding the Plaintiff’s claims required an understanding of CVD processes, why they exist, and the considerations governing how they are implemented. The Coalition’s position is that establishing a CVD process and publicly communicating the existence and scope of that policy helps organizations identify and respond to vulnerabilities. Additionally, CVD protects users by increasing the likelihood that vulnerability information becomes public at the same time as the patches or mitigations that enable users to safeguard themselves.
- A Universal and Legally Enshrined Embargo Period Is Inconsistent with Current Established Standards and Best Practices and Risks Degrading Cybersecurity
Cybersecurity standards and guidance do not set a rigid disclosure timeline. Instead, they universally recognize that any disclosure timeframe must respond to the facts of a situation, the complexity of the vulnerability, and the number of parties that must be coordinated. For example, the Cybersecurity and Infrastructure Security Agency’s (CISA) Binding Operational Directive 20-01 explains that meaningful communication with vulnerability reporters is more important than strict adherence to target timelines. In addition, the facts of each particular vulnerability should drive its resolution, not conformance with a fixed timeline.
- Certain Vulnerabilities Will Require Longer Disclosure Timelines
Vulnerabilities are diverse. Addressing and resolving certain hardware and software issues can be intricate, potentially warranting an extended non-disclosure period, particularly when patches need to interface with legacy infrastructure components.
- A Legal Presumption Built on a Rigid Universal Timeframe Would Have Adverse Consequences for Industry and Consumers
The Coalition agreed that vulnerabilities should be mitigated and disclosed without delay. However, the timelines should reflect the circumstances and enable flexibility rather than prescribe mandatory deadlines. A new legal presumption built on a rigid universal timeframe for reporting security vulnerabilities would exacerbate the difficulties associated with resolving cybersecurity vulnerabilities. It would also place pressure on parties to disclose vulnerabilities prematurely, potentially enabling attackers to exploit the vulnerability prior to patching and putting consumers at risk.
With additional context from our amicus brief, the District Court dismissed the case. In its dismissal, the Court emphasized that its rulings were not intended to declare a specific default embargo period applicable in all circumstances. The Ninth Circuit unanimously affirmed the dismissal, confirming that the sequence of vulnerability discovery and disclosure in the case did not constitute an unfair business practice.
The ruling offers potential relief to technology makers and operators that utilize embargoes to address security vulnerabilities prior to broader disclosure. We are glad to see impact from the amicus brief, and we applaud the Courts’ recognition of the complex balancing of interests associated with vulnerability disclosure timelines.