Report on the Vulnerabilities Equities Process

I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Rob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as we know it, with policy recommendations for improving it.

Basically, their recommendations focus on improving the transparency, oversight, and accountability of the process (three things I repeatedly recommend). In summary:

The President should issue an Executive Order mandating government-wide compliance with the VEP.

Make the general criteria used to decide whether or not to disclose a vulnerability public.

Clearly define the VEP.

Make sure any undisclosed vulnerabilities are reviewed periodically.

Ensure that the government has the right to disclose any vulnerabilities it purchases.

Transfer oversight of the VEP from the NSA to the DHS.

Issue an annual report on the VEP.

Expand Congressional oversight of the VEP.

Mandate oversight by other independent bodies inside the Executive Branch.

Expand funding for both offensive and defensive vulnerability research.

These all seem like good ideas to me. This is a complex issue, one I wrote about in Data and Goliath (pages 146-50), and one that’s only going to get more important in the Internet of Things.

News article.

Posted on July 11, 2016 at 12:15 PM