On December 2, 2015, the National Telecommunications and Information Administration (NTIA) convened the second meeting of its multistakeholder process on cybersecurity vulnerability research disclosure. The process aims to develop a shared understanding of the overlapping interests of security researchers and of the vendors and owners of products found to be vulnerable, and to reach consensus on voluntary principles that promote better collaboration between them. It is the first of several processes focused on cybersecurity in the digital ecosystem that NTIA's Internet Policy Task Force initiated in March 2015.6
Participants at the second meeting included representatives from technology companies, academia, automobile and medical device manufacturers, and security service providers. The group heard presentations from the four working groups formed at the first meeting: (1) adoption and awareness, (2) multiparty disclosure, (3) safety and disclosure, and (4) economic incentives in the security industry. Each working group circulated a discussion document, and participants then discussed the various perspectives and goals of industry stakeholders in response to the presentations.
Technology company representatives from the adoption and awareness working group focused their presentation on the current lack of adoption of security best practices, suggesting that limited education, finite resources, and the absence of personal accountability may all contribute to it. Government and industry representatives from the multiparty disclosure working group discussed the complexity of vendor-to-vendor coordination, asserting that there is no broad consensus on how to handle vulnerability disclosures that affect multiple vendors because stakeholders generally disagree about how best to minimize risk. An industry representative from the safety and disclosure working group suggested that dependence on technology is increasing faster than the industry's ability to secure it, and emphasized that security failures in the auto and medical device industries can result in physical harm. Representatives from industry and academia in the economic incentives working group noted both positive and negative incentives for parties to engage in vulnerability testing: on the positive side, the economic benefits of early discovery and of more advanced defenses; on the negative side, the high cost and disruption of deploying patches to address security vulnerabilities.
The next meeting for the cybersecurity vulnerability research disclosure multistakeholder process will be held in February 2016.