Privacy & Cybersecurity Law Blog

On July 9, 2015, the National Telecommunications and Information Administration (“NTIA”) announced the launch of its first cybersecurity multistakeholder process, in which representatives from across the security and technology industries will meet in September to discuss vulnerability research disclosure.

This process is the first effort of the multistakeholder initiative, which was announced by the Department of Commerce in March. The initiative aims to address the major cybersecurity threats and issues facing the digital ecosystem as a whole, shoring up such threats with an eye toward fostering a healthy economy in the digital space.

The NTIA will act as a neutral facilitator for discussions among security researchers, software vendors, and “those interested in a more secure digital ecosystem,” as those parties work toward developing best practices and common principles for operating safely in the digital arena. Although there is no set agenda or proposed result, the NTIA suggested in a fact sheet released by the White House that “potential outcomes could include a set of high level principles that could guide future private sector policies, or a more focused and applied set of best practices for a particular set of circumstances.”

The topic of vulnerability disclosure was selected after a comment period, which drew responses from the American Civil Liberties Union and Microsoft, as well as a number of cybersecurity organizations and other industry groups. Many of these groups expressed concern about the current climate of vulnerability disclosure, in which large corporations have frequently threatened legal action against “security researchers” who discover weaknesses in their systems and propose to announce such weaknesses publicly. Among the solutions presented by the comments are “bug bounty” programs, which actually incentivize such detection, as well as industry-wide agreements not to sue or report to law enforcement individuals who detect vulnerabilities.

The meeting has not been given an exact date or location, but is expected to be held in the San Francisco Bay-area, and will be simultaneously webcast.