In the wake of the recent attacks on Dyn that temporarily shut down major websites such as Twitter, Amazon, and PayPal, Sens. Angus King, I-Maine, and Martin Heinrich, D-N.M., sent a letter to President Obama this week requesting that the U.S. strengthen its ability to detect and respond to major vulnerabilities.
“Given the growing threat to our nation’s networks and digital services, we write to urge you to work with us to establish enduring government policies for the discovery, review, and sharing of security vulnerabilities. The recent intrusions into United States networks and the controversy surrounding the Federal Bureau of Investigation’s efforts to access the iPhone used in the San Bernardino attacks have underscored for us the need to establish more robust and accountable policies regarding security vulnerabilities,” King and Heinrich wrote.
As an example of positive advancement in vulnerability reporting, the senators pointed to the Department of Defense’s bug bounty program, which successfully engaged with the white hat hacker community and found a number of bounty-worthy vulnerabilities.
“We believe such programs represent a cost-effective way to supplement and support the people who defend our government’s IT systems–and these efforts should not be limited to the Pentagon’s networks,” the senators wrote. “As such, we request that your administration work with us to establish standards and appropriate coordination platforms to build on the success of the department’s pilot and promote governmentwide bug bounty programs.”
They also suggested that the president strengthen the Vulnerabilities Equities Process (VEP), the process by which the government decides whether to disclose or withhold vulnerabilities it learns of in private companies' products.
The senators’ request has garnered support from members of the private sector, such as Mozilla.
“Mozilla applauds [King and Heinrich] for calling on President Obama to establish enduring governmentwide policies for the discovery, review, and sharing of security vulnerabilities. They suggest creating bug bounty programs and formalizing the Vulnerabilities Equities Process–the government’s process for reviewing and coordinating the disclosure of vulnerabilities that it learns about or creates,” Mozilla wrote in a blog post about the letter.
The company also suggested specific updates to the VEP, such as public timelines, cooperation between government agencies, independent oversight of the process, and a codification into law.