The Cipher Brief Cyber Advisory Board’s Bob Gourley commented on the Trump administration’s new process for disclosing software vulnerabilities it has detected – the first time a U.S. administration has revealed its internal rules, aka the Vulnerability Equities Process.
This is a significant improvement and clarification of the existing process because it expands the number of stakeholders from government while ensuring there is an expedient method for review.
The vision is clear: there must be a decision-making body that takes multiple considerations into account and can take action.
There is room for additional inputs into the decision-making process. Three that come to mind are input from the commercial sector, input from academia and input from privacy advocates. The commercial sector input will be hard to formalize, but clearly there is room to improve the dialog between the U.S. technology sector and the executive branch regarding vulnerabilities, and the current charter is focused only on the tactical aspects of vulnerability disclosure.
Strategically, how can our IT industry provide inputs into how the process should work? That is missing from the charter. Academia may play an important role in helping the government understand the lessons of history and the canon of knowledge around cyber conflict that should inform these decisions. The privacy community can provide inputs into smart ways to ensure complex issues over the expectations of privacy of our citizens can be protected.
So, a concept for the future: charter a strategic review board made up of industry tech titans, charter an input board made up of seasoned strategic thinkers from academia, and empower an oversight board of leaders from the privacy community.