The public release of the Vulnerability Equities Process (VEP) charter by the White House in late 2017 went a long way toward satisfying the public’s curiosity about the secretive, high-profile and contentious process by which the U.S. government decides whether to temporarily withhold or publicly disclose zero-day software vulnerabilities—that is, vulnerabilities for which no patches exist. Just recently, the U.K.
Sasha Romanosky, PhD, is a policy researcher at the RAND Corporation where he researches topics on the economics of security and privacy, national security, applied microeconomics, and law & economics. He is a former Cyber Policy Advisor at the Department of Defense, and co-author of the Common Vulnerability Scoring System, an international standard for scoring computer vulnerabilities.
Attribution of cyber incidents is a recurring concern. Russian involvement in the 2016 U.S. presidential election remains a contentious issue, and on Tuesday, the White House publicly linked North Korea to the WannaCry ransomware attacks from earlier this year. This kind of public attribution by the U.S.
In the world of kinetic military operations, collateral damage is typically straightforward to assess because of well-established definitions, well-understood weapon characteristics, and reasonably well-defined legal and policy frameworks. In traditional warfare, collateral damage occurs when a hostile action causes unintended physical damage to civilian persons or objects.