You are here

Remarks of Deputy Assistant Secretary Angela Simpson at the Vulnerability Research Disclosure Multistakeholder Process Meeting 09/29/2015

September 29, 2015

Remarks of Angela Simpson
Deputy Assistant Secretary of Commerce for Communications and Information
Vulnerability Research Disclosure Multistakeholder Process
Berkeley, California
September 29, 2015

—As Prepared for Delivery—

Thank you Allan and Jim.  It is great to see this all of you here today, and I am happy to welcome you to the first meeting of NTIA’s cybersecurity multistakeholder process as we launch this stakeholder-driven dialogue on vulnerability research disclosure. It may be a testament to picking a good topic to start with, or it may relate to the nice location for this meeting, but I have to say I’m happy to see so many unfamiliar faces in this room today. We are really hoping to engage the right voices for this proceeding, and in many cases the right voices are new voices that aren’t necessarily always heard in D.C. circles. Thank you for engaging.

I am Angela Simpson, the Deputy Assistant Secretary of NTIA, which is the National Telecommunications and Information Administration within the Department of Commerce.  On behalf of Larry Strickling, who is the head of NTIA, and our terrific staff here who I hope you will get to know well in the coming months, we are sincerely looking forward to working with you.

NTIA is primarily focused on domestic and international Internet policy, spectrum, telecom research and testing, and broadband. While cybersecurity may be more closely associated in your minds with other parts of the Federal government, including our sister agency NIST, we are aiming to fill a space with this initiative that is not being addressed by other Federal efforts. We will focus on issues that fall between different parts of the digital ecosystem and will look at risks that lie between different companies or sectors and can’t be fixed by one company or sector. This process is aimed at complementing other Federal efforts -- not duplicating them.

When we first announced the launch of this initiative in March, we asked for comments on which cybersecurity issues facing the digital economy could be best addressed by a consensus-based multistakeholder process. Many of you told us that vulnerability research disclosure was important to you. We heard this from large companies, small companies, even individuals with years of experience as security researchers.

 More and more players are struggling with this. Some of you in the room have been dealing with this for years. It is an important issue, and one that we feel still deserves clarity.  In a workshop held here at UC Berkeley earlier this year, the participants noted that "there are multiple, sometimes competing, standards and best practices for vulnerability disclosure." And our focus here is not necessarily to develop new ones, or arbitrate between existing ones.  Rather, based on the work of stakeholders in the room and participating remotely, we can foster awareness, adoption, adaptation, and further innovation of existing tools.

NTIA has a lot of experience bringing people together through multistakeholder processes to try to make progress on important policy issues.

We’ve convened a process to promote transparency in the mobile applications market and privacy regarding commercial use of facial recognition technology. In August, we launched a new process aimed at developing best practices that enhance privacy and promote transparent and accountable operation by commercial and private users of unmanned aircraft systems, also known as drones. We’ve also collaborated with the Patent and Trademark Office on a process that developed a helpful list of good, bad, and situational practices on Digital Millennium Copyright Act Notice and Takedown, and we have been widely advocating multistakeholder policymaking internationally. To those of you who participated in any of those processes, thank you for joining us again, and I hope you will help the new participants get acclimated. 

To those who did not participate in any of our previous multistakeholder efforts, we have convened this process to encourage you – together – to develop best practices or guidelines on how to work more collaboratively together. However, it is not our job to tell you what to do. NTIA will not impose its views on you.  We will not tip the scales.  We are not regulators.  We are not developing rules. We do not bring enforcement actions. 

Instead, we are in a unique position to encourage you to come together, to cooperate, and to reach agreement on important issues.  We want you to be able to nimbly innovate, lead globally, and create jobs. We will act as the neutral convener of a bottom-up process.  We ask that you work together, make decisions, and reach consensus.  This sort of process is not always easy or fun, and it might take some of you outside your comfort zones.  However, it is what you make of it, and I have confidence that you can meet this challenge.

Bottom-up decision making is a hallmark of the multistakeholder approach – an approach if you think about it that has played a major role in the design and operation of new technologies.  It is a flexible model that can produce good results for all parties.  However, it only works if you actively engage with a collaborative, collegial spirit.

I hope that today’s meeting is the first step in a process that will result in a framework on how to make progress on this topic.  The purpose of today’s meeting, though, is not to begin the actual drafting or vetting of a possible document.

Instead, I suggest to you that we will have succeeded with flying colors if we meet the following goals today:  (1) to establish a common level of understanding within the group, (2) to identify the high-priority issues, and (3) to develop a plan for structuring the group’s future work.  You will need to work together to determine the best way to maintain an open process while making progress on the substantive issues.

So now without further ado, let me turn to Evelyn Remaley, Deputy Associate Administrator for NTIA’s Office of Policy Analysis and Development who is working closely with Allan on this process. She’ll help us start to dive in deeper.

Thank you very much for your interest and for your attention.