To meaningfully change the software ecosystem, liability policies must also establish clear security standards, apply them to the whole supply chain and create incentives for organizations to apply patches quickly.
Trey Herr, PhD, is the Director of the Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security at the Atlantic Council. His team works on the role of the technology industry in geopolitics, cyber conflict, the security of the internet, cyber safety, and growing a more capable cybersecurity policy workforce. Previously, he was a Senior Security Strategist with Microsoft handling cloud computing and supply chain security policy as well as a fellow with the Belfer Cybersecurity Project at Harvard Kennedy School and a non-resident fellow with the Hoover Institution at Stanford University. He holds a PhD in Political Science and BS in Musical Theatre and Political Science.
How to map a more effective security strategy for cloud computing.
We recently published a paper on the rediscovery of software vulnerabilities. This was the final version of a paper that had been in the works since September, peer-reviewed by the WEIS community during the winter, and then circulated for additional revision in early March. Since publication, two mistakes have come to light.
Software and computer systems are a standard target of intelligence collection in an age where everything from your phone to your sneakers has been turned into a connected computing device. A modern government intelligence organization must maintain access to some software vulnerabilities in order to target these devices. However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flip side of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched.
Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and professionals (though nothing yet from the White House).
Today a bipartisan group of lawmakers introduced in both the House and Senate a bill that would formalize the Vulnerability Equities Process (VEP) into law. The proposed legislation, the Protecting our Ability To Counter Hacking (PATCH) Act, is sponsored by Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) (all members of the Senate Committee on Commerce, Science, and Transportation) and Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas).