RSS FEED Report on the Vulnerabilities Equities Process

[BruceSchneier]

I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Bob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as we know it, with policy recommendations for improving it.

Basically, their recommendations are focused on improving the transparency, oversight, and accountability (three things I repeatedly recommend) of the process. In summary:

• The President should issue an Executive Order mandating government-wide compliance with the VEP.
• Make the general criteria used to decide whether or not to disclose a vulnerability public.
• Clearly define the VEP.
• Make sure any undisclosed vulnerabilities are reviewed periodically.
• Ensure that the government has the right to disclose any vulnerabilities it purchases.
• Transfer oversight of the VEP from the NSA to the DHS.
• Issue an annual report on the VEP.
• Expand Congressional oversight of the VEP.
• Mandate oversight by other independent bodies inside the Executive Branch.
• Expand funding for both offensive and defensive vulnerability research.

• 
  These all seem like good ideas to me. This is a complex issue, one I wrote about in Data and Goliath (pages 146-50), and one that's only going to get more important in the Internet of Things.
  
  News article.

Continue reading...