The following op-ed was co-authored by Michelle Richardson, deputy director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project.


At a series of events earlier in October, White House Cybersecurity Coordinator Rob Joyce announced that he is preparing to release more information about the Vulnerabilities Equities Process (VEP). 

As we’ve discussed before, the VEP is a complicated yet important process that determines whether the government will notify a digital-technology company about a cybersecurity flaw in its product or service, or choose not to disclose the flaw and use it for later hacking or intelligence-gathering purposes. We argued that a legislative solution—not just a less formal interagency review—is needed to govern this high-stakes process, which will have repercussions for cybersecurity, privacy, access to information, and our economic competitiveness. We’ve also argued that much more information about this process should be released to the public. 

Joyce’s announcement of the White House’s planned voluntary release of information is a welcome development, and Joyce has said in the past that he is generally pleased with how the current interagency process works. He indicated in his statements earlier this month that the public should expect at least a “charter” (which we take to be a more formal statement of the principles that underlie the process), as well as some basic statistics about how the VEP has been applied up to now to disclose (or delay disclosing) vulnerabilities. 

Since the point of the release is to demonstrate the legitimacy and success of the program, we’ve compiled a “punch list” of the types of information we believe the White House should commit to share:  

Most of the disclosures suggested above should be mandated by law going forward. But the administration should also use this opportunity to take and share remedial steps to address some of the apparent problems with past VEP determinations. Here, we recommend the administration provide more answers about what may have gone wrong with the VEP process, given that, for example, Microsoft has said it wasn’t warned about certain NSA exploits before the “Shadow Brokers” disclosed them. We know from an April 2014 blog post by then-Obama Cybersecurity Advisor Michael Daniel that the VEP was reinvigorated in 2014 after sitting dormant for several years. Were these hacking tools disclosed by the “Brokers” compiled before the VEP restarted? If they were compiled after the VEP’s reboot, did they go through the process? How were the decisions to withhold these made? For example, there were many exploits – were they considered individually?

And finally—and we concede this may be a sensitive subject—the administration should address what steps will be taken to ensure that the tools are safe from leaks and hacks. The forthcoming release of VEP information has been pitched as a way to reassure the public, technology companies and Congress about the legitimacy of the process. We believe legitimate questions are being asked about the administration’s ability to protect these tools after they are obtained or developed. Addressing the widely known security incidents—even if admitting to a mistake in the process—will go a long way toward demonstrating that while the process may not be infallible, at least it aims to be responsible.
