European Union MP Marietje Schaake proposed creating an EU-wide rule describing when governments must disclose security flaws to manufacturers. Governments often use these security flaws for surveillance.
Why it matters: There is no way to guarantee that only well-meaning governments use a vulnerability that a nation intends to use for surveillance. In a blog post Thursday announcing her intent to seek an EU standard for disclosure, Schaake noted, "We live in an age where vulnerabilities are leaked or sold by criminals to those with potentially geopolitical motives, and where certain governments are stockpiling vulnerabilities as offensive weapons."
The U.S. has such a rule, the Vulnerability Equities Process. The VEP was flung into the spotlight in 2017 when a massive global cyberattack used a leaked code believed to be written by the NSA to become more virulent. The Obama administration developed the VEP but kept it secret. A number of critics, including many in the tech industry, questioned whether the VEP was adequately representing citizen's cybersecurity interests.
- The Trump administration quickly committed to increasing its transparency, and released a VEP charter in November that introduced an annual report to give a limited outline of VEP deliberations in the prior year.
- Schaake cited the U.S. charter in her blog post to encourage her peers. "Last year the White House released its Vulnerabilities Equities Process, which provides some increased transparency around this process in the US. It is high time for us to do the same in Europe," she wrote.
