White House Decision to Increase Transparency of Cyber Vulnerability Disclosure Process Is “Exactly the Right Policy,” Says ITIF

November 15, 2017

WASHINGTON—The Information Technology and Innovation Foundation (ITIF), a leading science and tech policy think tank, today applauded a White House decision to increase transparency in the vulnerabilities equities process (VEP), the interagency process that determines when and how the federal government discloses the cybersecurity vulnerabilities it discovers. ITIF released the following statement from Vice President Daniel Castro:

Every year, the federal government discovers countless vulnerabilities in software and hardware products used by millions of American businesses and individuals. The information put out today by the White House brings much-needed clarity to when and how the federal government discloses vulnerabilities. Today’s announcement is a huge, positive step forward on transparency for the vulnerabilities equities process (VEP). The government’s overall cybersecurity policy, which prioritizes offensive capabilities over cyber defenses, is still flawed, but this new transparency in the VEP process is exactly the right policy.

The administration has clearly heard the requests for transparency and oversight from many stakeholders, and it has addressed those concerns head-on. Now that we have a fully documented process and commitments to publish annual metrics, businesses, security experts, academics, and government officials can start to have a productive debate about how to assess and improve the disclosure process. It remains to be seen how receptive the administration will be to reassessing when to share information on vulnerabilities, but its decision today was the right move to build up goodwill among many stakeholders.