REP LIEU QUESTIONS NATIONAL SECURITY COUNCIL ABOUT PROCESS FOR DISCLOSING CYBERSECURITY VULNERABILITIES
WASHINGTON – This week, Congressman Ted W. Lieu (D-Los Angeles County) sent a letter to Rob Joyce, Cybersecurity Coordinator for the National Security Council, about the Administration’s recently released Vulnerabilities Equities Policies and Process (VEP), the NSC’s official guidance for the decisionmaking process regarding disclosure of cybersecurity vulnerabilities to the public.
The VEP is a crucial part of our country’s national security. The VEP dictates the careful balancing act the intelligence community must follow in order to weigh the costs and benefits of exposing a vulnerability and allowing it to be patched, or maintaining it for possible exploitation.
In the letter, Congressman Lieu writes:
- As you may know, I introduced the PATCH Act with a bipartisan, bicameral group of Members of Congress in May 2017 specifically to bring transparency to the government’s decision-making process regarding when and how to disclose vulnerabilities and accountability to the VEP’s results. The November 2017 policy represents an important step toward accomplishing the former goal. I am pleased to see clarity over which agencies have a seat at the table, ranging from Department of Defense to the Department of Commerce. I also appreciate that the framework takes into account the United States’ international relationships and commitments.
- However, the new policy lacks the critical piece of accountability to give the American people full confidence in the government’s decision-making on vulnerability disclosure. In Section 4.3 (“Annual Reporting”), the policy states, “As part of a commitment to transparency, annual reporting maybe provided to the Congress” (emphasis added). The ultimate success of the VEP hinges on whether the results of the government’s opaque decision-making on vulnerability disclosure can be audited by Congress to ensure the desired policy is being achieved.
- Given the VEP document’s extant language, I respectfully request responses to the following questions:
- Will your office commit to providing annual reports to Congress?
- Will a report for 2017 be included in the inaugural report to Congress?
- The VEP is dependent upon departmental and agency cooperation and participation. Without buy-in from U.S. Government entities, the VEP is fundamentally stunted. Can you clarify what authorities the VEP Director has at his or her disposal to ensure agencies are complying with the reporting requirements to the Equities Review Board?
READ THE FULL TEXT OF THE LETTER HERE
# # #