The White House has put on its white hat and tossed its weight behind the cybersecurity research community.
In a notice from the Biden administration, National Cyber Director Harry Coker Jr. said that new guidance issued to federal agencies will require adoption of the Traffic Light Protocol (TLP) when handling information disclosures.
As its name suggests, TLP is a three-tiered system in which color codes define how far a researcher permits the recipient to share the information. A red label means the information is strictly confidential; yellow allows outside parties to receive details on a need-to-know basis; green allows sharing within the wider community; and clear means full public disclosure.
The idea is to allow researchers to keep total control over the information they share with federal agencies, said Coker. This, in turn, allows the researcher to share data with the government ahead of time to secure critical systems and infrastructure while still being able to coordinate a public disclosure with the vendor or a bug bounty portal.
“Information sharing is the lifeblood of our discipline and is called out as such in the National Cybersecurity Strategy,” Coker said.
“But, as with any partnership, it is vital that our relationships with the security research community be built on a foundation of trust. A key element of that trust is the idea that when information is shared voluntarily in confidence, the wishes of the sharer will be respected.”
While the directive itself will be welcome news to security researchers, the gesture also indicates a larger willingness by the White House to work directly with those who make up the security vulnerability research community.
Long gone are the days when white hat hackers were viewed with suspicion and hostility by the government. In recent years, the DHS has reached out to the private sector for security guidance, with vulnerability researchers being one particular area of focus.
“We already do so much work together as a cybersecurity community to achieve an affirmative, values-driven vision for a secure cyberspace that creates opportunities to achieve our collective aspirations,” said Coker.
“We hope that this guidance will help both our interagency and private sector partners clearly understand the immense respect we have for trusted information sharing channels — and that it will allow more of those partnerships to flourish.”
The notice also comes at a critical time for the government’s cybersecurity administrators. With the presidential elections nearing, experts have warned that foreign threat actors may launch attacks on election offices and networks in hopes of disrupting the voting process and tipping results in favor of their nation’s preferred candidate.