ICYMI: Internet Nonprofit Mozilla Backs Senators' Call for President to Strengthen Cybersecurity Networks

WASHINGTON, D.C. -- In case you missed it, Mozilla, a global, nonprofit organization dedicated to defending a free and open web, applauded U.S. Senators Angus King (I-Maine) and Martin Heinrich (D-N.M.) for their letter earlier this week calling on President Barack Obama to work with Congress to strengthen the federal government’s ability to detect and repair cyber-vulnerabilities within U.S. networks.

In a blog post published yesterday, Heather West, a senior public policy representative at Mozilla, echoed Senators King’s and Heinrich’s call to the President and wrote in support of their request to implement a government-wide “Bug Bounty” program, which rewards so-called “white hat” hackers who detect and report security vulnerabilities.

The blog post also outlined Mozilla’s proposed reforms to the Vulnerabilities Equities Process (VEP), which serves as the primary process for deciding whether a government entity must disclose to private companies information about security vulnerabilities in their products, or whether the government may withhold the information for law enforcement or intelligence purposes. In their letter, Senators King and Heinrich requested that the Administration establish a comprehensive policy that includes standard criteria for reporting vulnerabilities to the VEP, guidelines for making VEP determinations, clear time limits for each stage of the process, adequate participation of all relevant government agencies, and regular reporting to Congress.

“Last week’s cyber attack on Dyn that blocked access to popular websites like Amazon, Spotify, and Twitter is the latest example of the increasing threats to Internet security, making it more important that we acknowledge cybersecurity is a shared responsibility. Governments, companies, and users all need to work together to protect Internet security,” the blog post stated. “This is why Mozilla applauds Sens. Angus King Jr. (I-ME) and Martin Heinrich (D-NM) for calling on President Obama to establish enduring government-wide policies for the discovery, review, and sharing of security vulnerabilities.”

Mozilla’s complete blog post can be read HERE and is below:

+++

Mozilla Asks President Obama to Help Strengthen Cybersecurity

Last week’s cyber attack on Dyn that blocked access to popular websites like Amazon, Spotify, and Twitter is the latest example of the increasing threats to Internet security, making it more important that we acknowledge cybersecurity is a shared responsibility. Governments, companies, and users all need to work together to protect Internet security.

This is why Mozilla applauds Sens. Angus King Jr. (I-ME) and Martin Heinrich (D-NM) for calling on President Obama to establish enduring government-wide policies for the discovery, review, and sharing of security vulnerabilities. They suggest creating bug bounty programs and formalizing the Vulnerabilities Equities Process (VEP) - the government’s process for reviewing and coordinating the disclosure of vulnerabilities that it learns about or creates.

“The recent intrusions into United States networks and the controversy surrounding the Federal Bureau of Investigation’s efforts to access the iPhone used in the San Bernardino attacks have underscored for us the need to establish more robust and accountable policies regarding security vulnerabilities,” Senators King and Heinrich wrote in their letter.

Mozilla prioritizes the privacy and security of users and we work to find and fix vulnerabilities in Firefox as quickly as possible. We created one of the first bug bounty programs more than 10 years ago to encourage security researchers to report security vulnerabilities.

Mozilla has also called for five specific, important reforms to the VEP:

  • All security vulnerabilities should go through the VEP and there should be public timelines for reviewing decisions to delay disclosure.
  • All relevant federal agencies involved in the VEP must work together to evaluate a standard set of criteria to ensure all relevant risks and interests are considered.
  • Independent oversight and transparency into the processes and procedures of the VEP must be created.
  • The VEP Executive Secretariat should live within the Department of Homeland Security because they have built up significant expertise, infrastructure, and trust through existing coordinated vulnerability disclosure programs (for example, US CERT).
  • The VEP should be codified in law to ensure compliance and permanence.

These changes to the discovery, review, and sharing of security vulnerabilities would be a great start to strengthening the shared responsibility of cybersecurity and reducing the countless cyber attacks we see today.