- This recently published report provides a model for governments to receive information on their digital security vulnerabilities and coordinate an effective response.
- The report analyzes how different countries in the world ensures the security of digital spaces through coordinated response mechanisms when people report vulnerabilities in systems that massively use personal data.
- A digital vulnerability is a flaw or error in the design or development of a system, or a weakness in a computer, program, service, or technology that can be exploited to compromise the information or security of such a system.
Bogotá, February 11, 2020.
The most recent OECD report sheds light on the debate for vulnerability management and disclosure, ethical hacking, coordination routes, and digital security in general.
From this perspective, to ensure that the Colombian Government’s position on digital security evolves from a view of national security and defense and cyberwar to the construction of trust among multiple stakeholders and the recognition of the economic and social function of digital security to enhance the well-being of individuals and of societies as a whole is a huge challenge.
As part of the civil society group (CSISAC) of this institution, Karisma was able to contribute her previous experience during the construction of this document that should serve in the design and implementation of public policies throughout member states.
In the first public policy guideline for cybersecurity and cyber defense (CONPES 3701 of 2011), a coordinating institution was created, the Group for Response to Cyber Emergencies of Colombia (colCERT), which, like the digital incident response centers of the state, responded to the Ministry of National Defense and maintained a “cyberwar” perspective and approach.
Although, “This vision is changing little by little in the country, in particular, from the 2016 National Digital Security Policy, and the emergence of other stakeholders – such as the Ministry of Information Technologies (MinTic) or the Delegation of Data Protection-, which are playing an increasingly important role ”, Karisma Foundation has been providing our analysis and comments to the drafts of the versions of the CONPES and policies of 2011, 2016 and 2020 on these issues.
For our analysis of the CONPES of 2011, 2016, and 2020 see “A National policy of digital security: how to do it mediocrely and with little reflection”.
For more information on our comments to CONPES in 2016 see Comments to CONPES on Digital Security from civil society
We have advocated for vulnerabilities to be effectively addressed and for the state to recognize a more inclusive view of digital security
Since 2016, with the non-intrusive analyzes of platforms and applications of public interest that we have carried out as part of the digital security and privacy laboratory of Karisma Foundation, K + LAB, we have found and reported vulnerabilities, security incidents, and data leaks to different State entities. In 2019 we went beyond these reports and studied the need to create a model for the responsible disclosure of digital security vulnerabilities that would facilitate a coordinated and rapid response once the cases have been reported. We have come a long way in this regard.
It is precisely the scope of this work that the Organization for Economic Cooperation and Development -OECD- recognizes in its latest report: Encouraging Vulnerability Treatment: How policy makers can help address digital security vulnerabilities.
The exchange that the Foundation has maintained for several years with the Ministry of Information Technologies and Communications MinTic is reflected in the current Digital Trust and Security Policy (CONPES 3995 DE 2020); This includes a series of actions recommended by Karisma to create a national model for “periodic disclosure of vulnerabilities”, responsible, coordinated and effective, and the development and implementation of adapted disclosure strategies.
For much of 2020, Carolina Botero, director of Karisma Foundation, as a participant in the Steering Committee of the Civil Society Information Society Advisory (CSISAC) – the group of civil society organizations that is part of the OECD-, collaborated actively in the development of this report:
From there, we promoted one of the good practices that the Colombian government has included in the country’s current security and digital trust policy through the national model of“ periodic disclosure of vulnerabilities ”, We achieved that, although the responsibility for the development of this model rests with the Ministry of Defense, multiple stakeholders were involved and international experiences could be taken into account. Thus, the coordination work for the disclosure of vulnerabilities that we have been carrying out with MinTic has been recognized as a good practice ”. Carolina adds.
This report and its recognition of Karisma’s experience are an input for public policy discussions in other countries
Economic and social challenges sometimes prevent stakeholders from adopting good practices, including lack of awareness and cooperation, limited market incentives, legal barriers, limited trust in the government, and lack of resources and skills.
We hope that this OECD report will be taken into account for the efforts currently underway in Colombia and that the Ministry of Defense, ColCert and the ICT Ministry will use it when implementing the new CONPES and that Karisma’s experience will help civil society and governments in Latin America to make their way to the implementation of international standards in this area and to protect people who report vulnerabilities.
We also hope on the part of the Colombian government that in order to build trust and help the recording of incidents and vulnerabilities that involve civil society organizations, journalists, activists, and people who exercise social leadership in their territories, actions will be taken to implement another of the recommendations of this OECD report and the reporting of incidents and the coordination of responses is left in civilian hands that can guarantee compliance with human rights standards and that facilitate the understanding and solution of the risks and digital security problems that we face in a world increasingly mediated by digital technologies.
In the same way, work must be done to establish safe ports that facilitate the technical community to report vulnerabilities without generating pressure with threats of legal proceedings when their actions are aimed at reporting and strengthening the digital security of systems and platforms of the State.
This report is an opportunity to recognize the path we have traveled and to think of ways to fulfill the promise of trust-building to strengthen the digital security of the Nation.
We invite you to read more about the treatment of vulnerabilities in the new OECD report:
If you want to arrange an interview or have some content in mind to develop, write to us at: alejandra.martinez@karisma.org.co or mpsaenz@karisma.org.co.