NCSC will report zero days it receives to software makers 'as a rule'
The National Cyber Security Centre as a rule reports unknown vulnerabilities that it receives from ethical hackers or other parties to the relevant software manufacturer, Minister Grapperhaus of Justice and Security reports, but there are exceptions.
As an exception, the minister mentions the situation in which the interest of national security stands in the way of reporting the zero-day vulnerability to the maker. He also points out that such a report does not have to follow 'if the maker has bad intentions', and says that the NCSC will act in close consultation with the reporter. This policy concerns zero days that are reported to the NCSC; intelligence services and the police are allowed to keep unknown vulnerabilities secret if they are part of, for example, purchased hacking tools that they use.
Grapperhaus is responding to questions from members of the PvdA and SP groups, who wanted confirmation that information about unknown vulnerabilities reported to the NCSC by researchers, ethical hackers or others is always passed on to the maker of the software in which the unknown vulnerability was found.
The questions are part of the Response Memorandum to the proposal for the Security of Network and Information Systems Act, formerly the Cyber Security Act, which the minister sends to the Senate. The House of Representatives approved the proposal at the end of May.
With the Security of Network and Information Systems Act, the government implements the Network and Information Security Directive, or the NIS Directive of the European Union. That directive should ensure that Member States better secure their critical infrastructure and cooperate in the field of ICT security. The directive should have been implemented by 9 May 2018 at the latest.
The Security of Network and Information Systems Act obliges providers of essential services and digital service providers to keep their security in order and to report serious ICT incidents to the authorities. For example, online marketplaces, search engines and cloud services must report such incidents to the Minister of Economic Affairs. The government does not yet see healthcare providers as providers of essential services, but this could change in the future, according to Grapperhaus. Drinking water companies, banks and operators of gas and electricity networks are covered.