UN Cyber Norm J | Report ICT vulnerabilities
States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure.
What is it about?
Norm (j) emphasises the importance of the responsible reporting of ICT vulnerabilities and the sharing of information about available remedies. The primary goals are to limit and potentially eliminate threats to ICT systems and ICT-dependent infrastructure.
Why is it relevant?
This norm is relevant because it addresses a critical cybersecurity challenge: an unpatched vulnerability known only to a few parties can be exploited against everyone who runs the affected product. Responsible reporting and the sharing of remedies shorten the window between discovery and fix, enhance trust in digital technologies, support economic prosperity, and strengthen national and international security. By promoting responsible reporting and sharing of ICT vulnerabilities, states can mitigate risks, foster innovation, and build a safer digital environment for all stakeholders.
How is it implemented?
In accordance with the clarification provided in the UN GGE 2021 report, to effectively implement the norm, reasonable steps include:
- Establishing vulnerability disclosure policies and programs: Vulnerability disclosure policies and programmes, as well as related international cooperation, aim to provide a reliable and consistent process to routinise such disclosures. A coordinated vulnerability disclosure process can minimise the harm to society posed by vulnerable products and systematise the reporting of ICT vulnerabilities and requests for assistance between countries and emergency response teams. Such processes should be consistent with domestic legislation.
- Establishing and implementing impartial legal frameworks: At the national, regional and international level, states could consider putting in place impartial legal frameworks, policies and programmes to guide decision-making on the handling of ICT vulnerabilities and to curb their commercial distribution, as a means of protecting against any misuse that may pose a risk to international peace and security or to human rights and fundamental freedoms. States could also consider putting in place legal protections for security researchers and penetration testers, so that good-faith reporting is not deterred by the threat of prosecution.
- Consulting with relevant industry and other actors to develop guidance and incentives for responsible ICT vulnerability disclosure: In consultation with relevant industry and other ICT security actors, states can develop guidance and incentives, consistent with relevant international technical standards, on the responsible reporting and management of vulnerabilities. Such guidance would cover the respective roles and responsibilities of different stakeholders in reporting processes; the types of technical information to be disclosed or publicly shared, including the sharing of technical information on severe ICT incidents; and how to handle sensitive data and ensure the security and confidentiality of information.
- Using existing multilateral, regional and sub-regional bodies and other relevant channels to develop a shared understanding: This includes developing a shared understanding of the mechanisms and processes that States can put in place for responsible vulnerability disclosure. States can consider using existing multilateral, regional and sub-regional bodies and other relevant channels and platforms involving different stakeholders to this end.
For further information on non-state actors’ implementation of this norm, please check the Geneva Manual on Responsible Behaviour in Cyberspace.
Who are the main actors?
Although the norm addresses responsible state behaviour and is directed at UN Member States, there are additional actors who could play a role in its implementation:
- International and regional organisations (e.g., OSCE, ASEAN, African Union): the OSCE confidence-building measures (CBMs), for example, include a CBM on coordinated vulnerability disclosure to encourage cooperation between states. International and regional organisations can help coordinate efforts and policies on cybersecurity and vulnerability disclosure, as well as facilitate information sharing between member states.
- International standards organisations: the International Organization for Standardization (ISO) is an example where stakeholders have agreed on international standards for information security and vulnerability management (e.g., ISO/IEC 29147 for vulnerability disclosure and its companion ISO/IEC 30111 for vulnerability handling processes).
- Non-state stakeholders, such as private-sector vendors that manufacture and supply ICTs and are directly responsible for their security.
- Non-state stakeholders, such as cybersecurity firms who provide expertise and tools for vulnerability detection and management, as well as offer support and services for coordinated vulnerability disclosure.
- Non-state stakeholders, such as security researchers and so-called ethical hackers, who can help operationalise the norm by discovering and reporting vulnerabilities in ICT products and systems, as well as by working with vendors to ensure vulnerabilities are addressed responsibly.
- Non-state stakeholders, such as civil society organisations who can help advocate for consumer protection and privacy, provide input on policy development, and raise awareness about cybersecurity issues.
Where is it discussed?
The UN Open-ended working group (OEWG) remains the only process in which all UN Member States discuss the implementation of the agreed norms, including this norm, on a regular basis.
States implement these norms domestically, including by adopting acts and policies at the national level, and may also engage in regional cooperation to enhance cybersecurity. Coordination between states at the level of their competent national authorities can also help operationalise the norm, for example by developing a shared understanding of the mechanisms and processes that states can put in place for responsible vulnerability disclosure.
Discussions within international standardisation bodies such as the International Organization for Standardization (ISO) or the Institute of Electrical and Electronics Engineers (IEEE) also help implement the norm, since they bring together stakeholders from different countries to develop international standards for information security management, including vulnerability management and disclosure.
Public-private partnerships at the national or regional level also serve as an important platform for dialogue between state and relevant non-state stakeholders to discuss the operationalisation of this norm and to promote guidelines and good practices for responsible vulnerability disclosure.
Various multistakeholder and international initiatives (such as the Geneva Dialogue on Responsible Behaviour in Cyberspace and the GFCE) serve as additional platforms for discussing the practical aspects of implementing the norm.