Governance & Risk Management , Patch Management

Cybersecurity 'Doom Loop' at Crossroads

Silicon Valley giant Google called on tech companies to be more robust in their approach to patching vulnerabilities in an afternoon marked by a slew of announcements designed to boost vulnerability research.

See Also: Stop Putting Off Patching

Google money is going to two new initiatives dedicated to escaping what it terms the "doom loop" of vulnerabilities fixed by patches followed by new vulnerabilities. The Hacking Policy Council will urge governments to embrace security-friendly policies on vulnerability disclosures, while the Security Research Legal Defense Fund will provide legal support for those being prosecuted for white hat hacking.

The council is being run by the Center for Cybersecurity Policy and Law, an industry association housed within white-shoe law firm Venable. Intel is also backing the council, as are a handful of bug bounty companies. The defense fund is applying for incorporation as a tax-deductible nonprofit.

The announcements come as cybersecurity policymakers have pressured the tech industry to proactively adopt measures to make products more secure (see: CISA, Others Unveil Guide for Secure Software Manufacturing).

"While the notoriety of zero-day vulnerabilities typically makes headlines, risks remain even after they’re known and fixed, which is the real story," Google wrote in a blog post.

The company says funding efforts to bolster vulnerability disclosure advocacy and ensuring that good faith research activity isn't treated punitively will help ensure vulnerabilities are identified before attackers can exploit them.

The Hacking Policy Council will lobby against efforts such as governments imposing requirements on security researchers to first disclose vulnerabilities to authorities. "It's not a productive way to get vulnerabilities fixed in as low-risk a way as possible," said Katie Moussouris, founder and CEO of Luta Security and a member of the council advisory committee, during a press conference. A Google white paper says bug bounty programs should be open to all comers, including researchers with criminal records.

The fund will look for defendants such as the St. Louis Post-Dispatch reporter accused by the governor of Missouri of hacking a state website listing teachers' names and certification statuses after the reporter revealed the site exposed Social Security numbers. The Biden administration announced in May 2022 it would refrain from prosecuting "good-faith security research."

Google also pledged greater corporate transparency on disclosing when a vulnerability is being actively exploited.

The company's white paper acknowledges that the much-repeated advice to users about keeping up to date on patches ignores the friction patches causes in operations. "Industry should invest in making testing and applying patches easier for customers," it says.

It also calls for patches to address root problems. Tech companies perpetually face tradeoffs in issuing patches over whether to issue a targeted, reliable fix that patches an immediate problem or to develop a more comprehensive fix that takes longer to develop. An analysis by Google's Project Zero of 40 zero-days exploited in the wild in 2022 found that more than one-third were variants of previously known bugs.