Can government guide industry to better cyber info-sharing?


The National Telecommunications and Information Administration is working to finalize consensus best practices to close the gap between government and industry interests when it comes to disclosing technical vulnerabilities that could impact public safety.

NTIA, a component of the Department of Commerce, does not regulate industry. Instead it convenes groups of stakeholders with an eye to forging consensus on best practices. At a Nov. 7 meeting, three working groups presented their progress in three areas: safety and disclosure, multi-vendor disclosure, and adoption and awareness.

The first working group submitted a short sample template for how companies in safety-critical industries should write a vulnerability disclosure policy.

Cyber Statecraft Initiative Director Josh Corman said the template is aimed at manufacturers who may not be used to working with security researchers, and "it happens to be pretty useful for people in a non-safety-critical industry."

The sample template covers which products the policy applies to, a legal posture that clearly states how good-faith vulnerability disclosures will be treated, how to report a discovered vulnerability, and the company's procedure once it receives a report.

The legal posture is important, said Cyber Statecraft Initiative Deputy Director Beau Woods, because in most cases vulnerability research is conducted in good faith, so the parties involved "should almost never" have to fear legal action.

The second working group submitted draft guidance on how multiple stakeholders can collaboratively handle vulnerabilities that affect more than one vendor's products.

The guidance includes definitions and various real-world use cases of vulnerability reporting "that have been observed to happen in nature in this field," said Art Manion, a senior member of the vulnerability analysis team in the CERT program at Carnegie Mellon University.

Manion said that while following all of the steps of the document will not prevent all security concerns, quick and collaborative action without fear of legal recourse will produce the best results.

The third working group conducted an online survey of security researchers and vendors to compile recommendations on how to drive greater awareness and adoption of disclosure practices.

Jen Ellis, vice president of community and public affairs at the internet security company Rapid7, acknowledged the survey was an imperfect measurement, but said the most surprising findings were researchers' responses that bug bounty programs will not "open the floodgates" of researchers scrutinizing a vendor's products for vulnerabilities, and that far more respondents wanted communication from the vendor while a vulnerability was being addressed than a monetary reward.

While legal exemptions protecting security researchers exist, Ellis said she was "saddened, but not surprised" that concerns about legal repercussions, on the part of both vendors and researchers, have stymied collaboration on vulnerability patching.

Ellis added that her working group expects to analyze the results further and publish draft guidance in late December or January, in hopes of finalizing it by Feb. 1, 2017.

About the Author

Chase Gunter is a former FCW staff writer.
