The GCHQ’s disclosure of the “BlueKeep” vulnerability offers an opportunity for the U.S. to learn from how the British handle the question of vulnerabilities equities.
Latest in Vulnerability Equities Process (VEP)
If the U.S., the U.K. or any other government sought to create an objective framework for decision making, what might that look like?
Recent actions by the U.K. and Germany set a new bar for how nations can and should use a vulnerabilities equities process.
With newly released details on the Vulnerabilities Equities Process (VEP), it’s time for legislation on government hacking and vulnerabilities disclosure.
More nations need to be talking about how they manage zero day vulnerabilities.
The Government Accountability Office last week published a report that, among other things, weighs in on the pros and cons of the NSA/CYBERCOM “dual-hat” system (pursuant to which the director of the NSA/CSS and commander of CYBERCOM are the same person). The report deserves attention but also some criticism and context. Here’s a bit of all three.
1. What is the “dual-hat” issue?
Some revisions to our recent paper on the rediscovery of software vulnerabilities.
Software and computer systems are a standard target of intelligence collection in an age where everything from your phone to your sneakers has been turned into a connected computing device. A modern government intelligence organization must maintain access to some software vulnerabilities in order to target these devices. However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched.