Langevin Statement on New Vulnerabilities Equities Process Charter

Congressman Jim Langevin (D-RI), co-founder and co-chair of the Congressional Cybersecurity Caucus and a senior member of the House Committee on Homeland Security, issued the following statement regarding the National Security Council’s release of a new charter for the Vulnerabilities Equities Process (VEP):

“Closing security vulnerabilities in software is fundamental to building a free, open, interoperable global Internet and improving stability in cyberspace. The United States government has a responsibility to disclose such vulnerabilities when it discovers them in order to protect U.S. citizens and the broader Internet ecosystem. However, there are rare cases when national security and law enforcement needs mean disclosure should be delayed. Weighing these equities is an enormous responsibility, as a decision not to disclose leaves certain users at risk. Today’s actions by Cybersecurity Advisor Rob Joyce strengthen the existing process for making these decisions and significantly increase its transparency, and I commend him for developing this new VEP charter.

“In particular, I am grateful that the new charter continues a commitment to bringing all stakeholders within the government, including those with a focus on defensive cybersecurity measures and commerce, to the table. There is a reason that the default treatment of a vulnerability is disclosure, as recent cybersecurity incidents have demonstrated the damage that can be caused by unpatched software. By including a broad array of perspectives as part of the Equities Review Board, the National Security Council will be able to take as holistic a view as possible before making a decision. I also look forward to reviewing the annual reports called for in the new charter, and I am pleased that the document makes specific reference to Congressional partners.

“We owe the selfless Americans who serve their nation as members of the Intelligence Community an enormous debt of gratitude, a debt that is far too infrequently acknowledged. As Members of Congress, we also owe them rigorous oversight to ensure the tools they develop remain secure. I believe that the VEP is an appropriate process for selecting the very few vulnerabilities where disclosure will be delayed. However, that process falls apart if the exploits cannot be kept in government hands, and Congress must do more to ensure those safeguards are in place.”