Suggested Reading: We've compiled background reading suggestions that might be of interest to you before you attend our event.
Join Mozilla and Stanford CIS for the second installment in a series of conversations about government hacking. Information from our first event, which discussed the upcoming changes to Federal Rule of Criminal Procedure 41, is available on that event's page.
How does government-as-hacker affect the larger computer security ecosystem? In this session, we will discuss vulnerability disclosure by the government. When the government learns about a vulnerability in a piece of software or hardware, it can either exploit that vulnerability for its own purposes or can disclose it to the relevant software or hardware maker. The government thus faces a tough choice between protecting its own capabilities and protecting a product’s users. When and how should the U.S. government voluntarily disclose such vulnerabilities?
The federal government currently uses a procedure called the Vulnerabilities Equities Process (VEP) to determine whether it should exploit or disclose a vulnerability. The VEP requires executive agencies to report vulnerabilities to a review board, which determines whether that vulnerability should be disclosed. When making that determination, the government considers a number of factors. Those factors include the vulnerability’s value to law enforcement and intelligence agencies, whether specific operations are dependent on that vulnerability, and the size of the population affected by the vulnerability.
Commentators disagree about the strategic value of the VEP, its current effectiveness, and elements of reform. Some argue it should be scrapped. Others argue it should be strengthened and codified. We will delve into this debate by examining high-level and specific questions about the VEP. When does government disclosure improve computer security and when does it endanger national security interests? Is the current process well-designed and effective? What else does the public need to know about the VEP to ensure that the government’s goal of being an effective attacker will not undermine the nation’s cybersecurity?
Presented by the Stanford Center for Internet and Society and Mozilla, the event will convene experts in cybersecurity, government surveillance technologies, and public policy to examine the legal, technical, and policy challenges associated with the VEP.
- Moderator: Kim Zetter, Cybersecurity reporter and author of Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon
- Sandy Clark, Ph.D., Security Researcher, Computer and Information Science Department, University of Pennsylvania
- Sinan Eren, Vice President, Avast Software
- Mailyn Fidler, Fellow, Berkman Klein Center for Internet & Society
- Michael McNerney, Co-Founder & CEO at Efflux Systems
- Stephanie Pell, Assistant Professor and Cyber Ethics Fellow, Army Cyber Institute, West Point
- Ari Schwartz, Managing Director of Cybersecurity Services, Venable LLP
- Heather West, Senior Policy Manager, Americas Principal, Mozilla
In advance of the event, attendees may wish to familiarize themselves with the VEP through the following suggested background reading:
- Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process: This document, from former White House cybersecurity directors Ari Schwartz and Rob Knake, describes the history of the VEP and provides several recommendations for reforms.
- Heartbleed: Understanding When We Disclose Cyber Vulnerabilities: In this blog post, White House Cybersecurity Coordinator Michael Daniel describes broadly the current administration’s policy regarding vulnerability disclosure.
- Vulnerabilities Equities Process and Policy: This redacted document describes the government’s formal VEP process. Much of what is known and criticized about the VEP comes from this document, which was obtained by the Electronic Frontier Foundation (EFF) under the Freedom of Information Act.
Criticism of Reform Ideas
- Vulnerabilities Equities Reform That Makes Everyone (And No One) Happy: Former NSA lawyer Susan Hennessey critiques the reform proposals from Schwartz and Knake.
- Everything You Know About the Vulnerability Equities Process Is Wrong: In this Lawfare blog post and an accompanying podcast, Aitel and computer security expert Matt Tait (formerly of GCHQ) provide what may be the best articulation of strategic opposition to VEP reform.