The U.S. Vulnerabilities Equities Process: An Economic Perspective

Caulfield, T; Ioannidis, C; Pym, D; (2017) The U.S. Vulnerabilities Equities Process: An Economic Perspective. In: Rass, S and An, B and Kiekintveld, C and Fang, F and Schauer, S, (eds.) GameSec 2017: Decision and Game Theory for Security. (pp. 131-150). Springer International Publishing: Cham, Switzerland. Green open access

Abstract

The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. Although the decision to disclose or retain a vulnerability is often considered a binary choice—to either disclose or retain—it should actually be seen as a decision about timing: to determine when to disclose. In this paper, we present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved. We look at how the recent case of the WannaCry malware, which made use of a leaked NSA zero day exploit, EternalBlue, can be interpreted using the model.

Type: Proceedings paper
Title: The U.S. Vulnerabilities Equities Process: An Economic Perspective
Event: GameSec 2017, International Conference on Decision and Game Theory for Security, 23-25 October 2017, Vienna, Austria
ISBN-13: 9783319687100
Open access status: An open access version is available from UCL Discovery
DOI: 10.1007/978-3-319-68711-7_8
Publisher version: https://doi.org/10.1007/978-3-319-68711-7_8
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
UCL classification: UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: http://discovery.ucl.ac.uk/id/eprint/10039118