Who Decides When to Tell a Company Its IT is Vulnerable

By Ari Schwartz

Ari Schwartz is Managing Director of Cybersecurity Services at Venable LLP. He directs the firm's cybersecurity consulting services, assisting organizations with understanding and developing risk management strategies, including implementation of the Cybersecurity Framework and other planning tools to help minimize risk. Previously, Schwartz served at the White House National Security Council, as Special Assistant to the President and Senior Director for Cybersecurity where he led legislative and policy outreach to businesses, trade groups and others. Before his work at the White House, Schwartz led the Department of Commerce's Internet Policy Task Force, worked at the National Institute of Standards and Technology, and served for twelve years at the Center for Democracy and Technology.

With the seemingly constant barrage of leaks revealing the U.S. intelligence community’s hacking capabilities, many are wondering where the government draws the line between collecting intelligence and helping companies secure their products in order to protect the digital lives of U.S. citizens and companies. The Cipher Brief spoke with Ari Schwartz, the managing director of Cybersecurity Services at Venable LLP and former Senior Director for Cybersecurity at the National Security Council during the Obama administration, about the current state of U.S. vulnerability disclosure policy.

The Cipher Brief: What are zero-day vulnerabilities – zero days, for short – and how often are they used by criminals and nation-states as opposed to already known vulnerabilities? How often are zero days found and used by more than one actor?
