Government Hacking: Vulnerabilities Equities Process

November 16, 2016 4:00 pm to 6:00 pm

Suggested Reading: We've compiled background reading suggestions that might be of interest to you before you attend our event.

Join Mozilla and Stanford CIS for the second installment in a series of conversations about government hacking. Information from our first event, which discussed the upcoming changes to Federal Rule of Criminal Procedure 41, is available on that event's page.

How does government-as-hacker affect the larger computer security ecosystem? In this session, we will discuss vulnerability disclosure by the government. When the government learns about a vulnerability in a piece of software or hardware, it can either exploit that vulnerability for its own purposes or can disclose it to the relevant software or hardware maker. The government thus faces a tough choice between protecting its own capabilities and protecting a product’s users. When and how should the U.S. government voluntarily disclose such vulnerabilities?

The federal government currently uses a procedure called the Vulnerabilities Equities Process (VEP) to determine whether it should exploit or disclose a vulnerability. The VEP requires executive agencies to report vulnerabilities to a review board, which determines whether that vulnerability should be disclosed. When making that determination, the government considers a number of factors. Those factors include the vulnerability’s value to law enforcement and intelligence agencies, whether specific operations are dependent on that vulnerability, and the size of the population affected by the vulnerability.

Commentators disagree about the strategic value of the VEP, its current effectiveness, and elements of reform. Some argue it should be scrapped. Others argue it should be strengthened and codified. We will delve into this debate by examining high-level and specific questions about the VEP. When does government disclosure improve computer security and when does it endanger national security interests? Is the current process well-designed and effective? What else does the public need to know about the VEP to ensure that the government’s goal of being an effective attacker will not undermine the nation’s cybersecurity?

Presented by the Stanford Center for Internet and Society and Mozilla, the event will convene experts in cybersecurity, government surveillance technologies, and public policy to examine the legal, technical, and policy challenges associated with the VEP.

Confirmed speakers:

  • Moderator: Kim Zetter, cybersecurity reporter and author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
  • Sandy Clark, Ph.D., Security Researcher, Computer and Information Science Department, University of Pennsylvania
  • Sinan Eren, Vice President, Avast Software
  • Mailyn Fidler, Fellow, Berkman Klein Center for Internet & Society
  • Michael McNerney, Co-Founder & CEO at Efflux Systems
  • Stephanie Pell, Assistant Professor and Cyber Ethics Fellow, Army Cyber Institute, West Point
  • Ari Schwartz, Managing Director of Cybersecurity Services, Venable LLP
  • Heather West, Senior Policy Manager, Americas Principal, Mozilla

In advance of the event, attendees may wish to familiarize themselves with the VEP through the following suggested background reading:

Primary Sources

  • Vulnerabilities Equities Process and Policy: This redacted document describes the government’s formal VEP process. Much of what is known and criticized about the VEP comes from this document, which was obtained by the Electronic Frontier Foundation (EFF) under the Freedom of Information Act.

Criticism of Reform Ideas

Photo by Harlan Quarrington

Room 290 - Stanford Law School
559 Nathan Abbott Way
Stanford, CA