White House Ups Hacking Vulnerability Data-Sharing Transparency

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller and Jimmy H. Koo

The U.S. government’s program to alert companies of hacking vulnerabilities will become more transparent under a charter document the White House released Nov. 15.

The administration issued the new Vulnerability Equities Process (VEP) charter in response to private-sector concerns that the VEP wasn’t transparent, and didn’t do enough to help companies address cybersecurity vulnerabilities.

The new charter details, for the first time, the various federal agencies in the VEP’s governing body, known as the Equities Review Board (ERB). Members of the ERB, which is spearheaded by the National Security Agency, include the Departments of Homeland Security, Energy, State, Treasury, Justice, Defense, and Commerce, as well as the CIA and the FBI. The charter also establishes a path for the government to publicly release some information about its vulnerability assessment work.

The VEP charter is a “really important step forward,” White House Cybersecurity Coordinator Rob Joyce said at an Aspen Institute event in Washington Nov. 15. Recent cyberattacks, such as WannaCry and Petya, have increased “interest and awareness in ensuring we conduct the VEP in a manner than can withstand a high degree of scrutiny and oversight from the citizens it serves,” Joyce said in a subsequent statement after the White House announcement.

Balancing Act

Sharing cybersecurity threat information is a balancing act between keeping the information private to further investigate the threat and disseminating the information to alert companies, Robin B. Campbell, co-leader of the data privacy and cybersecurity group at Squire Patton Boggs LLP in Washington, told Bloomberg Law Nov. 15. Publicly sharing the threat information may cause more harm than good, she said.

The VEP Executive Secretariat will release annual reports “at the lowest classification level permissible” with statistics on the process, according to the charter.

The annual report will provide “metrics about the process to further inform the public about the VEP and its outcomes,” Joyce said in the statement.

Internet and technology companies expressed support for the VEP charter.

“The VEP is in dire need of more transparency and oversight, and we believe today’s announcement makes significant progress towards these objectives,” Mozilla Corp. Senior Policy Manager Heather West said in a statement.

The charter is a “clear step forward in cybersecurity transparency,” Software & Information Industry Association Senior Vice President of Public Policy Mark MacCarthy said in a separate statement.

To contact the reporter on this story: Daniel R. Stoller in Washington at dstoller@bna.com; Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

The VEP charter is available at http://src.bna.com/ueR.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security