Can government guide industry to better cyber info-sharing?


The National Telecommunications and Information Administration is working to finalize consensus best practices to close the gap between government and industry interests when it comes to disclosing technical vulnerabilities that could impact public safety.

NTIA, a component of the Department of Commerce, doesn't regulate industry. Instead, it convenes groups of stakeholders with an eye to forging consensus on best practices. At a Nov. 7 meeting, three working groups presented their progress in three main areas: safety and disclosure, multi-vendor disclosure, and adoption and awareness.

The first working group submitted a short sample template for how safety-critical industries should approach writing a vulnerability disclosure policy.

Cyber Statecraft Initiative Director Josh Corman said the template is aimed at manufacturers who may not be used to working with security researchers, and "it happens to be pretty useful for people in a non-safety-critical industry."

The sample includes which products the policy covers, a legal posture clearly stipulating fair vulnerability disclosures, how to report a discovered vulnerability and the company's procedure after receiving the report.

The legal posture bit is important, said Cyber Statecraft Initiative Deputy Director Beau Woods, because in most cases, vulnerability research is conducted in good faith, so the parties involved "should almost never" be fearful of legal recourse.

The second working group submitted a draft guidance for how stakeholders can collaboratively handle product vulnerabilities.

The guidance includes definitions and various real-world use cases of vulnerability reporting "that have been observed to happen in nature in this field," said Art Manion, a senior member of the vulnerability analysis team in the CERT program at Carnegie Mellon University.

Manion said that while following all of the steps of the document will not prevent all security concerns, quick and collaborative action without fear of legal recourse will produce the best results.

The third working group conducted an online survey of security researchers and vendors to compile recommendations on how to drive greater awareness and adoption of disclosure practices.

Jen Ellis, vice-president of community and public affairs at the internet security company Rapid7, acknowledged the survey was an imperfect measurement, but said the most surprising findings were researchers' responses that bug bounty programs would not "open the floodgates" of vulnerability scrutiny, and that far more respondents wanted communication about how vulnerabilities were being addressed than a monetary reward.

While exemptions protecting security researchers exist, Ellis said she was "saddened, but not surprised" that concerns about legal repercussions -- against both vendors and researchers -- have stymied collaboration on vulnerability patching.

Ellis added that her working group expects to further analyze the results and send out draft guidance sometime in late December or January, in hopes of finalizing it by Feb. 1, 2017.

About the Author

Chase Gunter is a former FCW staff writer.
