ANSSI reinforces the responsibility of private actors alongside OECD

GTSEN, the working group on security in the digital economy, chaired by Yves Verhoeven, Head of Strategy Department at ANSSI, has just published two reports aimed at better defining the responsibility of private actors in cyberspace (Paris Call for Trust and Security in Cyberspace), in order to strengthen its stability.

The two reports complement the work of the OECD (Organisation for Economic Co-operation and Development) on security in information and communication technologies, especially its 2015 recommendation on digital risk management. The reports aim to strengthen the security of products and services and to improve the responsible management of vulnerabilities.

Strengthening the security of digital products and services

The report on the digital security of products and services covers the market for “smart products”, which is considered to be at risk. One of the key recommendations is the adoption of high-level ex-ante regulatory measures to raise the overall security of these products. This topic will be addressed within the European Union, as announced by the European Commission in its December 2020 cyber security strategy, following discussions with member states on the security of the Internet of Things.

Responsible management of vulnerabilities

The second report attempts to identify ways to restrict the window of exposure of a vulnerability, from discovery to remediation. As such, GTSEN clarified the distinct notions of responsible management and disclosure of vulnerabilities. The working group also underlined that “bug bounty” policies should be accompanied by appropriate organizational measures and capabilities to manage the escalation of vulnerabilities. This area of improvement has also been identified by the European Commission, which has proposed several measures in its draft revision of the NIS Directive presented at the end of 2020.

One year after its creation, GTSEN continues to advance: a third workstream, on the “responsible response”, was initiated in December 2020 with the creation of a group of experts who will meet in the upcoming months.