Report on the Vulnerabilities Equities Process
I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Rob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as we know it, with policy recommendations for improving it.
Basically, their recommendations are focused on improving the transparency, oversight, and accountability (three things I repeatedly recommend) of the process. In summary:
- The President should issue an Executive Order mandating government-wide compliance with the VEP.
- Make the general criteria used to decide whether or not to disclose a vulnerability public.
- Clearly define the VEP.
- Make sure any undisclosed vulnerabilities are reviewed periodically.
- Ensure that the government has the right to disclose any vulnerabilities it purchases.
- Transfer oversight of the VEP from the NSA to the DHS.
- Issue an annual report on the VEP.
- Expand Congressional oversight of the VEP.
- Mandate oversight by other independent bodies inside the Executive Branch.
- Expand funding for both offensive and defensive vulnerability research.
These all seem like good ideas to me. This is a complex issue, one I wrote about in Data and Goliath (pages 146-50), and one that’s only going to get more important in the Internet of Things.