WASHINGTON ― The White House is planning to better disclose the decision-making process for whether to publicly reveal the federal government’s digital vulnerabilities.
“Obtaining and maintaining the necessary cyber capabilities to protect the nation creates a tension between the government’s need to sustain the means to pursue rogue actors in cyberspace and its obligation to share its knowledge of flaws in software and hardware with responsible parties who can ensure digital infrastructure is upgraded,” White House Cybersecurity Coordinator Rob Joyce stated in a blog post Nov. 15.
To somewhat ease that tension, Joyce plans to increase the transparency of the Vulnerabilities Equities Process (VEP) program. VEP is charged with standardizing the decision-making process for either disclosing vulnerability information to vendors in the expectation of patches or temporarily restricting that information so it can be used for national security purposes.
Joyce cites four major groups of equities involved in the VEP governing body: defensive, intelligence/law enforcement/operational, commercial and international partnership. VEP transparency would make the various departments and agencies involved public knowledge, thus ensuring greater accountability from the major actors.
Making the process more transparent would ideally ensure that the interests of all stakeholders are fairly represented and, as Joyce puts it, demonstrate “to the American people that the federal government is carefully weighing the risks and benefits as we carry out this important mission” when strengthening the federal digital infrastructure.