Enhancing the Digital Economy Through Collaboration on Vulnerability Research Disclosure

July 09, 2015 by Angela Simpson, Deputy Assistant Secretary for Communications and Information

Promoting and preserving the digital ecosystem is a core mission of the Department of Commerce, and the security and resiliency of that ecosystem is vital.  For the digital economy to thrive, users must trust that their personal data and the systems and websites they use every day are as secure as possible.

To help support this goal, the Department of Commerce announced in March an initiative to address key cybersecurity issues facing the digital economy that could be best addressed by a consensus-based multistakeholder process.  Based on input from a broad range of stakeholders, we are today announcing that the first cybersecurity multistakeholder process will launch in September and will focus on vulnerability research disclosure. The goal of this process will be to bring together security researchers, software vendors, and those interested in a more secure digital ecosystem to create common principles and best practices around the disclosure of and response to new security vulnerability information.

There is widespread recognition that information technology systems – from traditional software to popular websites and cloud platforms to embedded devices – will never be completely secure. It is inevitable that vulnerabilities will be discovered; their discovery is a key aspect of security research as well as an integral part of the burgeoning security industry. The security community has begun to make significant progress to promote coordination, and this process will build on these efforts. The coordinated outcomes of this process could include high-level principles that shape future policy and inform best practices, or participants may choose to focus on particular aspects of the disclosure question that might be addressed to meet the needs of all parties.

President Obama has made clear that cybersecurity is one of the most important challenges we face as a Nation, and today outlined a number of steps the Administration is taking to raise the level of cybersecurity in both the public and private sector, improve our ability to disrupt, interrupt, and deter our adversaries, and enhance our ability to respond to and recover from cyber incidents when they occur. The multistakeholder process on vulnerability research and disclosure we announce today is a small, but important, piece of the puzzle. Many other federal agencies, including our sister agency the National Institute of Standards and Technology (NIST), have done important work to help enhance the nation’s cyber defenses. The process we announced today, which NTIA will lead in partnership with the Department’s Internet Policy Task Force, is meant to complement – not duplicate – that work by focusing on ways to work with industry and other stakeholders to improve security and user trust in the digital economy while also promoting U.S. innovation.  NTIA has long promoted the multistakeholder process to help address a broad range of policy issues both domestically and internationally. As with our previous multistakeholder efforts, NTIA will serve as the neutral convener and will let the stakeholders drive the direction of the process. 

We welcome broad participation and diverse perspectives, particularly from small businesses, independent security researchers, and those with experience on all sides of the disclosure question.  Our meetings will be webcast to allow participation by those unable to attend in person.

Stay tuned for more information on the September kickoff meeting, and indicate your interest in participating here.