PROFESSOR AMY GAUDION’S ARTICLE PUBLISHED IN THE VIRGINIA JOURNAL OF LAW & TECHNOLOGY
May 2024 — Professor Amy Gaudion’s article, “Auditing the U.S. Government’s Vulnerabilities Stockpile,” was published in the Virginia Journal of Law & Technology in April 2024.
In 2017, the WannaCry and NotPetya attacks wreaked havoc on a global scale, resulting in significant harm to governments, companies, and individuals. Both attacks exploited a vulnerability found in Microsoft Windows operating systems, a vulnerability that the U.S. government had discovered five years earlier. Rather than notifying Microsoft of the vulnerability so that it could be patched, the U.S. government decided to keep the vulnerability secret so that it could be utilized for national security, intelligence, and law enforcement purposes. In assessing whether to disclose or retain such vulnerabilities, the U.S. government follows an interagency policy called the Vulnerabilities Equities Policy and Process (the VEP). The VEP weighs the benefits of sharing vulnerability information with vendors and the public against the government’s interest in retaining the vulnerability to accomplish national security objectives. While vulnerabilities are recognized as a legitimate tool in a government’s cyber arsenal, the practice of stockpiling vulnerabilities has been subject to significant critique. The critiques are wide-ranging and reflect technical, ethical, policy, and legal dimensions. They question the legality of these vulnerability stockpiling practices under traditional frameworks governing the constitutional separation of powers and under emerging frameworks aimed at recognizing privacy and civil liberties interests in the digital domain. The critiques often lead to calls for greater transparency and more rigorous oversight, usually by proposing codification and increased reporting to legislative bodies.
Professor Gaudion’s article rejects the conventional calls for reform. It reorients the reform efforts to consider a more dynamic role for the Inspector General of the Intelligence Community in the oversight web, one that utilizes the position’s auditing and inspection capabilities and taps into its collaborative partnerships across the intelligence community (the IC IG Forum) and with foreign partners (the Five Eyes Intelligence Oversight and Review Council).
The full article is available here.
Amy C. Gaudion is an associate professor of law at Penn State Dickinson Law as well as the founder of Dickinson Law’s annual cyberspace simulation with the U.S. Army War College. Her scholarship focuses on national security law, cyberspace, and civilian-military relations, and she leads Dickinson Law’s national security and cyberspace programs.