Government Vulnerability Management: Promoting Transparency, Accountability, and Cybersecurity
Countries around the world are struggling with questions surrounding governments’ acquisition, assessment, use, and management of software and hardware vulnerabilities. When may governments retain a vulnerability for exploitation by law enforcement or intelligence agencies instead of disclosing it for repair?
One year ago, in November 2017, the White House finally released an unclassified version of the U.S. Vulnerabilities Equities Process (VEP) Charter—a document that outlines how the administration weighs the cybersecurity need to disclose vulnerabilities for repair against the equities of law enforcement and intelligence agencies who seek to exploit these vulnerabilities. However, the Charter is only policy, not law, and does not provide robust accountability measures. This past August, the German think tank Stiftung Neue Verantwortung (SNV), as part of the Transatlantic Cyber Forum, released a paper urging the adoption of publicly disclosed policies for vulnerability handling and disclosure in the German and EU debates, while continuing to identify and advocate for further improvements to the existing process in the United States. The paper urges that “The focus of these policies should be on ‘when’ and ‘how’ disclosure should occur rather than ‘whether’ and ‘if.’”
An in-depth conversation about where we stand in the United States and internationally one year after publication of the U.S. VEP Charter.
Katherine Charlet, @KateCharlet
Director, Technology & International Affairs Program, Carnegie Endowment for International Peace; Former Deputy Assistant Secretary of Defense (Acting) for Cyber Policy (DOD representative in VEP process, 2016-2017)
Dr. Sven Herpig, @z_edian
Project Director, Transatlantic Cyber Forum, Stiftung Neue Verantwortung; Former Deputy Team Leader at Germany’s Federal Office for Information Security
Daniel Mossbrucker, @damossb
Internet Freedom Desk Officer, Reporters Without Borders Germany
Heather West, @heatherwest
Senior Policy Manager, Americas Principal, Mozilla
Sharon Bradford Franklin
Director of Surveillance & Cybersecurity Policy, New America’s Open Technology Institute
Mozilla will sponsor a reception following the event.