Cybersecurity & Standards, Government Surveillance

Here’s What the White House Needs to Disclose about its Vulnerabilities Process This Month

Originally posted on New York University School of Law’s Just Security

At a series of events earlier this month, White House Cybersecurity Coordinator Rob Joyce announced that he is preparing to release more information about the Vulnerabilities Equities Process (VEP). Happy Cybersecurity Awareness Month, everybody!

As we’ve discussed before, the VEP is a complicated yet important process that determines whether the government will notify a digital-technology company about a cybersecurity flaw in its product or service, or choose not to disclose the flaw and use it for later hacking or intelligence-gathering purposes. We argued that a legislative solution—not just a less formal interagency review—is needed to govern this high-stakes process, which will have repercussions for cybersecurity, privacy, access to information, and our economic competitiveness. We’ve also argued that much more information about this process should be released to the public.

Joyce’s announcement of the White House’s planned voluntary release of information is a welcome development, and Joyce has said in the past that he is generally pleased with how the current interagency process works. He indicated in his statements earlier this month that the public should expect at least a “charter” (which we take to be a more formal statement of the principles that underlie the process), as well as some basic statistics about how the VEP has been applied up to now to disclose (or delay disclosing) vulnerabilities.

Since the point of the release is to demonstrate the legitimacy and success of the program, we’ve compiled a “punch list” of the types of information we believe the White House should commit to share:

[Read more of Michelle & Mike’s post on Just Security.]