Caulfield, T; Ioannidis, C; Pym, D; (2017) The U.S. Vulnerabilities Equities Process: An Economic Perspective. In: Rass, S and An, B and Kiekintveld, C and Fang, F and Schauer, S, (eds.) GameSec 2017: Decision and Game Theory for Security. (pp. 131-150). Springer International Publishing: Cham, Switzerland.
Text: VEP.pdf - Accepted Version (132kB)
Abstract
The U.S. Vulnerabilities Equities Process (VEP) is used by the government to decide whether to retain or disclose zero day vulnerabilities that the government possesses. There are costs and benefits to both actions: disclosing the vulnerability allows the vulnerability to be patched and systems to be made more secure, while retaining the vulnerability allows the government to conduct intelligence, offensive national security, and law enforcement activities. While redacted documents give some information about the organization of the VEP, very little is publicly known about the decision-making process itself, with most of the detail about the criteria used coming from a blog post by Michael Daniel, the former White House Cybersecurity Coordinator. Although the decision to disclose or retain a vulnerability is often considered a binary choice—to either disclose or retain—it should actually be seen as a decision about timing: to determine when to disclose. In this paper, we present a model that shows how the criteria could be combined to determine the optimal time for the government to disclose a vulnerability, with the aim of providing insight into how a more formal, repeatable decision-making process might be achieved. We look at how the recent case of the WannaCry malware, which made use of a leaked NSA zero day exploit, EternalBlue, can be interpreted using the model.
| Field | Value |
|---|---|
| Type | Proceedings paper |
| Title | The U.S. Vulnerabilities Equities Process: An Economic Perspective |
| Event | GameSec 2017, International Conference on Decision and Game Theory for Security, 23-25 October 2017, Vienna, Austria |
| ISBN-13 | 9783319687100 |
| Open access status | An open access version is available from UCL Discovery |
| DOI | 10.1007/978-3-319-68711-7_8 |
| Publisher version | https://doi.org/10.1007/978-3-319-68711-7_8 |
| Language | English |
| Additional information | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
| UCL classification | UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science |
| URI | https://discovery.ucl.ac.uk/id/eprint/10039118 |