Big Advance for Cybersecurity Also Important for Energy Cybersecurity


At an Aspen Institute cybersecurity discussion I attended today, White House "cyber czar" Robert Joyce announced the long-anticipated charter for the Vulnerabilities Equities Process (VEP).

The charter adds significant transparency to the process by which the federal government balances competing national security goals. The competing considerations are building the capability to hold criminals and other adversaries at risk for their actions, without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for the system's operations) might be used to harm legitimate users of cyberspace.

Briefly, an interagency group of agencies responsible for elements of cybersecurity forms the VEP's Equities Review Board (ERB). It consists of:

  • Office of Management and Budget
  • Office of the Director of National Intelligence, including IC-SCC
  • Department of Treasury
  • Department of State
  • Department of Justice, including FBI and National Cyber Investigative Joint Task Force
  • Department of Homeland Security, including National Cybersecurity Communications and Integration Center (NCCIC) and Secret Service
  • Department of Energy
  • Department of Defense, including National Security Agency (Assurance and Signals Intelligence), U.S. CyberCom, and Cyber Crime Center (DC3)
  • Department of Commerce
  • Central Intelligence Agency
  • and other agencies, as appropriate

We can consider these agencies the core of the nation's cyber defense and offense.

NSA will serve as secretariat, doing much of the analysis and administrative work. It will maintain records of all the vulnerabilities identified, including the submitting agency, the determination (whether to reveal to firms or save for other uses), and dates. Any need for reassessment and other pertinent information may also be included. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cyber Coordinator. This report will be prepared at the lowest classification level, with at least an unclassified summary. The report will include statistical information on a fiscal-year basis and will identify the ERB members and any reassignment of director or secretariat responsibilities.

When an agency identifies a vulnerability that requires equities review, that agency will submit notice to the ERB with a recommendation for either dissemination or restriction of the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be proposed to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for specific, limited categories of vulnerabilities, for example if there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed. The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

By William Hederman

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.


Hederman is a senior fellow at the Kleinman Center for Energy Policy.

[format] => full_html [safe_value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

) ) ) [field_label_above_name] => Array ( [und] => Array ( [0] => Array ( [value] => Senior Fellow [format] => [safe_value] => Senior Fellow ) ) ) [field_year] => Array ( ) [metatags] => Array ( [und] => Array ( [article:published_time] => Array ( [value] => ) [article:modified_time] => Array ( [value] => ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [name] => bill [picture] => 0 [data] => b:0; ) [access] => 1 ) ) ) [field_addthis] => Array ( [und] => Array ( [0] => Array ( [value] => Dummy value ) ) ) [field_teaser] => Array ( ) [field_primary_theme] => Array ( ) [field_secondary_themes] => Array ( ) [field_exclude] => Array ( ) [field_more_like_this] => Array ( ) [field_show_cropped_image] => Array ( [und] => Array ( [0] => Array ( [value] => 1 ) ) ) [field_voices] => Array ( ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => 
dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [name] => lindsey [picture] => 0 [data] => a:1:{s:18:"htmlmail_plaintext";i:0;} [entity_view_prepared] => 1 ) [#items] => Array ( [0] => Array ( [target_id] => 2344 [entity] => stdClass Object ( [vid] => 5058 [uid] => 10 [title] => William F. Hederman [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 2344 [type] => people_bio [language] => und [created] => 1471364880 [changed] => 1538490944 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1538490944 [revision_uid] => 90 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.

[summary] => [format] => full_html [safe_value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.

[safe_summary] => ) ) ) [field_headshot] => Array ( [und] => Array ( [0] => Array ( [fid] => 1838 [uid] => 10 [filename] => Bill Hederman.jpg [uri] => public://Bill Hederman.jpg [filemime] => image/jpeg [filesize] => 95282 [status] => 1 [timestamp] => 1495476045 [focus_rect] => 88,0,285,285 [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 399 [height] => 499 ) ) ) [field_org_title] => Array ( [und] => Array ( [0] => Array ( [value] => Independent Senior Adviser [format] => [safe_value] => Independent Senior Adviser ) ) ) [field_email] => Array ( [und] => Array ( [0] => Array ( [email] => hederman@upenn.edu ) ) ) [field_phone_number] => Array ( ) [field_people_designation] => Array ( [und] => Array ( [0] => Array ( [value] => fellow ) ) ) [field_adboard_organization] => Array ( [und] => Array ( [0] => Array ( [value] => Deloitte and Touche, LLP [format] => [safe_value] => Deloitte and Touche, LLP ) ) ) [field_project_years] => Array ( ) [field_bio_type] => Array ( [und] => Array ( [0] => Array ( [tid] => 187 ) ) ) [field_omit] => Array ( [und] => Array ( [0] => Array ( [value] => 0 ) ) ) [field_biodepartment] => Array ( ) [field_teaser] => Array ( [und] => Array ( [0] => Array ( [value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

[format] => full_html [safe_value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

) ) ) [field_label_above_name] => Array ( [und] => Array ( [0] => Array ( [value] => Senior Fellow [format] => [safe_value] => Senior Fellow ) ) ) [field_year] => Array ( ) [metatags] => Array ( [und] => Array ( [article:published_time] => Array ( [value] => ) [article:modified_time] => Array ( [value] => ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [name] => bill [picture] => 0 [data] => b:0; ) [access] => 1 ) ) [#formatter] => entityreference_label [0] => Array ( [#theme] => entityreference_label [#label] => William F. Hederman [#item] => Array ( [target_id] => 2344 [entity] => stdClass Object ( [vid] => 5058 [uid] => 10 [title] => William F. Hederman [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 2344 [type] => people_bio [language] => und [created] => 1471364880 [changed] => 1538490944 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1538490944 [revision_uid] => 90 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.

[summary] => [format] => full_html [safe_value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.

[safe_summary] => ) ) ) [field_headshot] => Array ( [und] => Array ( [0] => Array ( [fid] => 1838 [uid] => 10 [filename] => Bill Hederman.jpg [uri] => public://Bill Hederman.jpg [filemime] => image/jpeg [filesize] => 95282 [status] => 1 [timestamp] => 1495476045 [focus_rect] => 88,0,285,285 [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 399 [height] => 499 ) ) ) [field_org_title] => Array ( [und] => Array ( [0] => Array ( [value] => Independent Senior Adviser [format] => [safe_value] => Independent Senior Adviser ) ) ) [field_email] => Array ( [und] => Array ( [0] => Array ( [email] => hederman@upenn.edu ) ) ) [field_phone_number] => Array ( ) [field_people_designation] => Array ( [und] => Array ( [0] => Array ( [value] => fellow ) ) ) [field_adboard_organization] => Array ( [und] => Array ( [0] => Array ( [value] => Deloitte and Touche, LLP [format] => [safe_value] => Deloitte and Touche, LLP ) ) ) [field_project_years] => Array ( ) [field_bio_type] => Array ( [und] => Array ( [0] => Array ( [tid] => 187 ) ) ) [field_omit] => Array ( [und] => Array ( [0] => Array ( [value] => 0 ) ) ) [field_biodepartment] => Array ( ) [field_teaser] => Array ( [und] => Array ( [0] => Array ( [value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

[format] => full_html [safe_value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

) ) ) [field_label_above_name] => Array ( [und] => Array ( [0] => Array ( [value] => Senior Fellow [format] => [safe_value] => Senior Fellow ) ) ) [field_year] => Array ( ) [metatags] => Array ( [und] => Array ( [article:published_time] => Array ( [value] => ) [article:modified_time] => Array ( [value] => ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [name] => bill [picture] => 0 [data] => b:0; ) [access] => 1 ) [#uri] => Array ( [path] => node/2344 [options] => Array ( [entity_type] => node [entity] => stdClass Object ( [vid] => 5058 [uid] => 10 [title] => William F. Hederman [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 2344 [type] => people_bio [language] => und [created] => 1471364880 [changed] => 1538490944 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1538490944 [revision_uid] => 90 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.


William Hederman is a senior fellow at the Kleinman Center for Energy Policy.


At an Aspen Institute cybersecurity discussion I attended today, White House "cyber czar" Robert Joyce announced the long-anticipated charter for the Vulnerabilities Equities Process (VEP).

The charter adds significant transparency to the process by which the federal government balances competing national security goals. The clashing considerations address building the capability to hold criminals and other adversaries at risk for their actions without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for the system's operations) might be used to harm legitimate users of cyberspace.

Briefly, an interagency group of agencies responsible for elements of cybersecurity forms this VEP review board (ERB). It consists of:

  • Office of Management and Budget
  • Office of Director of National Intelligence—including IC-SCC
  • Department of Treasury
  • Department of State
  • Department of Justice—including FBI and National Cyber Investigative Joint Task Force
  • Department of Homeland Security—including National Cybersecurity Communications and Integration Center (NCCIC) and Secret Service
  • Department of Energy
  • Department of Defense—including National Security Agency (Assurance and Signals Intelligence), U.S. CyberCom, Cyber Crime Center (DC3)
  • Department of Commerce
  • Central Intelligence Agency
  • and other agencies, as appropriate

We can consider these agencies the core of the nation's cyber defense and offense.

NSA will serve as secretariat, doing much of the analysis and administrative work. They will maintain records of all the vulnerabilities identified, including the submitting agency, determination (whether to reveal to firms or save for other uses), and dates. Any need for reassessment and other pertinent information may also be included. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cyber Coordinator. This report will be prepared at the lowest classification level, with at least an unclassified summary. The report will include statistical information on a fiscal-year basis and will identify the equity review board (ERB) members and any reassignment of director or secretariat responsibilities.

When an agency determines that a vulnerability requires equities review, that agency will submit notice to the ERB with a recommendation for either dissemination or restriction of the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be proposed to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for specific, limited categories of vulnerabilities, for example where there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed. The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

[summary] => [format] => full_html [safe_value] =>

At an Aspen Institute cybersecurity discussion I attended today, White House "cyber czar" Robert Joyce announced the long-anticipated charter for the Vulnerabilities Equities Process (VEP).

The charter adds significant transparency to the process by which the federal government balances competing national security goals. The clashing considerations address building the capability to hold criminals and other adversaries at risk for their actions without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for the system's operations) might be used to harm legitimate users of cyberspace.

Briefly, an interagency group of agencies responsible for elements of cybersecurity forms this VEP review board (ERB). It consists of:

  • Office of Management and Budget
  • Office of Director of National Intelligence—including IC-SCC)
  • Department of Treasury
  • Department of State
  • Department of Justice—including FBI and National Cyber Investigative Joint Task Force)
  • Department of Homeland Security—including National Cybersecurity Communications and Integration Center (NCCIC) and Secret Service
  • Department of Energy
  • Department of Defense—including National Security Agency (Assurance and Signals Intelligence), U.S. CyberCom, Cyber Crime Center (DC3)
  • Department of Commerce
  • Central Intelligence Agency
  • and other agencies, as appropriate

We can consider these agencies the core of the nation's cyber defense and offense.

NSA will serve as secretariat, doing much of the analysis and administrative work. They will maintain records of all the vulnerabilities identified, including the submitting agency, determination (whether to reveal to firms or save for other uses), and dates. Any need for reassessment and other pertinent information may also be included. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cyber Coordinator. This report will be prepared at the lowest classified level with at least a summary unclassified. The report will include statistical information on a fiscal year basis, will identify the equity review board members (ERB) and any reassignment of director or secretariat responsibilities.

When an agency determines a vulnerability that requires equities review, that agency will submit notice to the ERB with the recommendation for either dissemination or restriction regarding the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be propose to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for a specific limited categories of vulnerabilities—for example, if there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed.  The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

[safe_summary] => ) ) ) [taxonomy_wp_blog_tags] => Array ( ) [field_intro_image] => Array ( [und] => Array ( [0] => Array ( [fid] => 2280 [uid] => 118 [filename] => 941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [uri] => public://941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [filemime] => image/jpeg [filesize] => 73339 [status] => 1 [timestamp] => 1510781770 [focus_rect] => [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 634 [height] => 423 ) ) ) [field_blog_author] => Array ( [und] => Array ( [0] => Array ( [value] => William Hederman [format] => [safe_value] => William Hederman ) ) ) [field_image_caption] => Array ( [und] => Array ( [0] => Array ( [value] => Photo source: www.enisa.europa.eu [format] => [safe_value] => Photo source: www.enisa.europa.eu ) ) ) [field_set_as_featured_] => Array ( [und] => Array ( [0] => Array ( [value] => no ) ) ) [field_authors] => Array ( [und] => Array ( [0] => Array ( [target_id] => 2344 [entity] => stdClass Object ( [vid] => 5058 [uid] => 10 [title] => William F. Hederman [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 2344 [type] => people_bio [language] => und [created] => 1471364880 [changed] => 1538490944 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1538490944 [revision_uid] => 90 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.

[summary] => [format] => full_html [safe_value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.

[safe_summary] => ) ) ) [field_headshot] => Array ( [und] => Array ( [0] => Array ( [fid] => 1838 [uid] => 10 [filename] => Bill Hederman.jpg [uri] => public://Bill Hederman.jpg [filemime] => image/jpeg [filesize] => 95282 [status] => 1 [timestamp] => 1495476045 [focus_rect] => 88,0,285,285 [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 399 [height] => 499 ) ) ) [field_org_title] => Array ( [und] => Array ( [0] => Array ( [value] => Independent Senior Adviser [format] => [safe_value] => Independent Senior Adviser ) ) ) [field_email] => Array ( [und] => Array ( [0] => Array ( [email] => hederman@upenn.edu ) ) ) [field_phone_number] => Array ( ) [field_people_designation] => Array ( [und] => Array ( [0] => Array ( [value] => fellow ) ) ) [field_adboard_organization] => Array ( [und] => Array ( [0] => Array ( [value] => Deloitte and Touche, LLP [format] => [safe_value] => Deloitte and Touche, LLP ) ) ) [field_project_years] => Array ( ) [field_bio_type] => Array ( [und] => Array ( [0] => Array ( [tid] => 187 ) ) ) [field_omit] => Array ( [und] => Array ( [0] => Array ( [value] => 0 ) ) ) [field_biodepartment] => Array ( ) [field_teaser] => Array ( [und] => Array ( [0] => Array ( [value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

[format] => full_html [safe_value] =>

is a senior fellow at the Kleinman Center for Energy Policy.

) ) ) [field_label_above_name] => Array ( [und] => Array ( [0] => Array ( [value] => Senior Fellow [format] => [safe_value] => Senior Fellow ) ) ) [field_year] => Array ( ) [metatags] => Array ( [und] => Array ( [article:published_time] => Array ( [value] => ) [article:modified_time] => Array ( [value] => ) ) ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [name] => bill [picture] => 0 [data] => b:0; ) [access] => 1 ) ) ) [field_addthis] => Array ( [und] => Array ( [0] => Array ( [value] => Dummy value ) ) ) [field_teaser] => Array ( ) [field_primary_theme] => Array ( ) [field_secondary_themes] => Array ( ) [field_exclude] => Array ( ) [field_more_like_this] => Array ( ) [field_show_cropped_image] => Array ( [und] => Array ( [0] => Array ( [value] => 1 ) ) ) [field_voices] => Array ( ) [rdf_mapping] => Array ( [rdftype] => Array ( [0] => sioc:Item [1] => foaf:Document ) [title] => Array ( [predicates] => Array ( [0] => dc:title ) ) [created] => Array ( [predicates] => Array ( [0] => dc:date [1] => dc:created ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [changed] => Array ( [predicates] => Array ( [0] => 
dc:modified ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) [body] => Array ( [predicates] => Array ( [0] => content:encoded ) ) [uid] => Array ( [predicates] => Array ( [0] => sioc:has_creator ) [type] => rel ) [name] => Array ( [predicates] => Array ( [0] => foaf:name ) ) [comment_count] => Array ( [predicates] => Array ( [0] => sioc:num_replies ) [datatype] => xsd:integer ) [last_activity] => Array ( [predicates] => Array ( [0] => sioc:last_activity_date ) [datatype] => xsd:dateTime [callback] => date_iso8601 ) ) [path] => Array ( [pathauto] => 1 ) [name] => lindsey [picture] => 0 [data] => a:1:{s:18:"htmlmail_plaintext";i:0;} [entity_view_prepared] => 1 ) [#items] => Array ( [0] => Array ( [fid] => 2280 [uid] => 118 [filename] => 941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [uri] => public://941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [filemime] => image/jpeg [filesize] => 73339 [status] => 1 [timestamp] => 1510781770 [focus_rect] => [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 634 [height] => 423 ) ) [#formatter] => image [0] => Array ( [#theme] => image_formatter [#item] => Array ( [fid] => 2280 [uid] => 118 [filename] => 941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [uri] => public://941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [filemime] => image/jpeg [filesize] => 73339 [status] => 1 [timestamp] => 1510781770 [focus_rect] => [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 634 [height] => 423 ) [#image_style] => new_hero [#path] => ) [#printed] => 1 [#children] =>
) [field_image_caption] => Array ( [#theme] => field [#weight] => 2 [#title] => Image Caption/Source [#access] => 1 [#label_display] => hidden [#view_mode] => full [#language] => und [#field_name] => field_image_caption [#field_type] => text [#field_translatable] => 0 [#entity_type] => node [#bundle] => wp_blog [#object] => stdClass Object ( [vid] => 8261 [uid] => 90 [title] => Big Advance for Cybersecurity Also Important for Energy Cybersecurity [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 4413 [type] => wp_blog [language] => und [created] => 1510781205 [changed] => 1531354762 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1531354762 [revision_uid] => 1 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

At an Aspen Institute cybersecurity discussion I attended today, White House "cyber czar" Robert Joyce announced the long-anticipated charter for the Vulnerabilities Equities Process (VEP).

The charter adds significant transparency to the process by which the federal government balances competing national security goals. The clashing considerations address building the capability to hold criminals and other adversaries at risk for their actions without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for the system's operations) might be used to harm legitimate users of cyberspace.

Briefly, an interagency group of agencies responsible for elements of cybersecurity forms this VEP review board (ERB). It consists of:

  • Office of Management and Budget
  • Office of Director of National Intelligence—including IC-SCC)
  • Department of Treasury
  • Department of State
  • Department of Justice—including FBI and National Cyber Investigative Joint Task Force)
  • Department of Homeland Security—including National Cybersecurity Communications and Integration Center (NCCIC) and Secret Service
  • Department of Energy
  • Department of Defense—including National Security Agency (Assurance and Signals Intelligence), U.S. CyberCom, Cyber Crime Center (DC3)
  • Department of Commerce
  • Central Intelligence Agency
  • and other agencies, as appropriate

We can consider these agencies the core of the nation's cyber defense and offense.

NSA will serve as secretariat, doing much of the analysis and administrative work. They will maintain records of all the vulnerabilities identified, including the submitting agency, determination (whether to reveal to firms or save for other uses), and dates. Any need for reassessment and other pertinent information may also be included. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cyber Coordinator. This report will be prepared at the lowest classified level with at least a summary unclassified. The report will include statistical information on a fiscal year basis, will identify the equity review board members (ERB) and any reassignment of director or secretariat responsibilities.

When an agency determines a vulnerability that requires equities review, that agency will submit notice to the ERB with the recommendation for either dissemination or restriction regarding the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be propose to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for a specific limited categories of vulnerabilities—for example, if there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed.  The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

[summary] => [format] => full_html [safe_value] =>

At an Aspen Institute cybersecurity discussion I attended today, White House "cyber czar" Robert Joyce announced the long-anticipated charter for the Vulnerabilities Equities Process (VEP).

The charter adds significant transparency to the process by which the federal government balances competing national security goals. The clashing considerations address building the capability to hold criminals and other adversaries at risk for their actions without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for the system's operations) might be used to harm legitimate users of cyberspace.

Briefly, an interagency group of agencies responsible for elements of cybersecurity forms this VEP review board (ERB). It consists of:

  • Office of Management and Budget
  • Office of Director of National Intelligence—including IC-SCC)
  • Department of Treasury
  • Department of State
  • Department of Justice—including FBI and National Cyber Investigative Joint Task Force)
  • Department of Homeland Security—including National Cybersecurity Communications and Integration Center (NCCIC) and Secret Service
  • Department of Energy
  • Department of Defense—including National Security Agency (Assurance and Signals Intelligence), U.S. CyberCom, Cyber Crime Center (DC3)
  • Department of Commerce
  • Central Intelligence Agency
  • and other agencies, as appropriate

We can consider these agencies the core of the nation's cyber defense and offense.

NSA will serve as secretariat, doing much of the analysis and administrative work. They will maintain records of all the vulnerabilities identified, including the submitting agency, determination (whether to reveal to firms or save for other uses), and dates. Any need for reassessment and other pertinent information may also be included. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cyber Coordinator. This report will be prepared at the lowest classified level with at least a summary unclassified. The report will include statistical information on a fiscal year basis, will identify the equity review board members (ERB) and any reassignment of director or secretariat responsibilities.

When an agency determines a vulnerability that requires equities review, that agency will submit notice to the ERB with the recommendation for either dissemination or restriction regarding the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be propose to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for a specific limited categories of vulnerabilities—for example, if there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed.  The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

[safe_summary] => ) ) ) [taxonomy_wp_blog_tags] => Array ( ) [field_intro_image] => Array ( [und] => Array ( [0] => Array ( [fid] => 2280 [uid] => 118 [filename] => 941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [uri] => public://941ddc39-cb0d-49cd-9e9c-751a37f31148.jpeg [filemime] => image/jpeg [filesize] => 73339 [status] => 1 [timestamp] => 1510781770 [focus_rect] => [crop_rect] => [rdf_mapping] => Array ( ) [alt] => [title] => [width] => 634 [height] => 423 ) ) ) [field_blog_author] => Array ( [und] => Array ( [0] => Array ( [value] => William Hederman [format] => [safe_value] => William Hederman ) ) ) [field_image_caption] => Array ( [und] => Array ( [0] => Array ( [value] => Photo source: www.enisa.europa.eu [format] => [safe_value] => Photo source: www.enisa.europa.eu ) ) ) [field_set_as_featured_] => Array ( [und] => Array ( [0] => Array ( [value] => no ) ) ) [field_authors] => Array ( [und] => Array ( [0] => Array ( [target_id] => 2344 [entity] => stdClass Object ( [vid] => 5058 [uid] => 10 [title] => William F. Hederman [log] => [status] => 1 [comment] => 1 [promote] => 0 [sticky] => 0 [nid] => 2344 [type] => people_bio [language] => und [created] => 1471364880 [changed] => 1538490944 [tnid] => 0 [translate] => 0 [revision_timestamp] => 1538490944 [revision_uid] => 90 [body] => Array ( [und] => Array ( [0] => Array ( [value] =>

William Hederman is an independent senior advisor at Deloitte and Touche. He most recently served as senior advisor to U.S. Secretary of Energy Ernest Moniz, providing leadership on Department of Energy (DOE) missions to Ukraine, the Baltics, and Germany. In this position, he was also the chief architect for the analytic framework developed for DOE's groundbreaking Quadrennial Energy Review. 

Hederman began his professional career as a systems integration engineer at Bell Labs in the directorate that later developed the cell phone system. He served on the RAND Corporation's research team, worked as the Congressional Budget Office's first energy and science budget analyst, and led the establishment of: the policy analysis department at INGAA (pipeline association), the International Energy Agency's gas technology center, and the Washington office for RJ Rudden Associates (now Black & Veatch). Additionally, he was vice president for Business Development and Strategic Initiatives at Columbia Transmission Companies on the management team that brought Columbia out of bankruptcy. During the Enron and California crises, he joined the Federal Energy Regulatory Commission (FERC) and formed the Office of Market Oversight and Investigations, which has been credited with playing a major role in the restoration of confidence in electricity and natural gas regulatory oversight.

Hederman holds engineering degrees from the Massachusetts Institute of Technology and the University of Notre Dame, and a professional degree (M.P.P.) from the University of California at Berkeley.


William Hederman is a senior fellow at the Kleinman Center for Energy Policy.


When an agency determines a vulnerability that requires equities review, that agency will submit notice to the ERB with the recommendation for either dissemination or restriction regarding the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be propose to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for a specific limited categories of vulnerabilities—for example, if there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed.  The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

) ) [submitted_by] => Array ( [0] => Array ( ) [#weight] => 12 [#access] => ) )
Photo source: www.enisa.europa.eu
November 15, 2017

At an Aspen Institute cybersecurity discussion I attended today, White House "cyber czar" Robert Joyce announced the long-anticipated charter for the Vulnerabilities Equities Process (VEP).

The charter adds significant transparency to the process by which the federal government balances competing national security goals. The clashing considerations address building the capability to hold criminals and other adversaries at risk for their actions without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for the system's operations) might be used to harm legitimate users of cyberspace.

Briefly, an interagency group of agencies responsible for elements of cybersecurity forms this VEP review board (ERB). It consists of:

  • Office of Management and Budget
  • Office of Director of National Intelligence—including IC-SCC
  • Department of Treasury
  • Department of State
  • Department of Justice—including FBI and National Cyber Investigative Joint Task Force
  • Department of Homeland Security—including National Cybersecurity Communications and Integration Center (NCCIC) and Secret Service
  • Department of Energy
  • Department of Defense—including National Security Agency (Assurance and Signals Intelligence), U.S. CyberCom, Cyber Crime Center (DC3)
  • Department of Commerce
  • Central Intelligence Agency
  • and other agencies, as appropriate

We can consider these agencies the core of the nation's cyber defense and offense.

NSA will serve as secretariat, doing much of the analysis and administrative work. It will maintain records of all the vulnerabilities identified, including the submitting agency, the determination (whether to reveal to firms or save for other uses), and dates. Any need for reassessment and other pertinent information may also be included. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cyber Coordinator. This report will be prepared at the lowest classification level, with at least an unclassified summary. The report will include statistical information on a fiscal-year basis and will identify the equity review board (ERB) members and any reassignment of director or secretariat responsibilities.

When an agency determines that a vulnerability requires equities review, that agency will submit notice to the ERB with a recommendation for either dissemination or restriction of the vulnerability. The submission will also describe the vulnerability and identify vulnerable products and systems. This process is intended to be completed within about a week. The process will be based on consensus, where possible. When consensus is not possible, options will be proposed to the board.

Factors the board will consider include defense, military, intelligence and operations, communications, international relationships, as well as law enforcement equities.


If a vulnerability affects the NSA, NSA would be notified as soon as possible. Exceptions will be possible for specific, limited categories of vulnerabilities—for example, if there are restrictions due to partner agreements or sensitive operations. Some vulnerabilities requiring rapid response will not be subject to the vulnerabilities equities process. The fact that the Department of Energy has a seat at the table indicates the importance of protecting the nation's energy infrastructure and related systems.

This decision has required a great deal of thoughtful work by the agencies involved, as well as thoughtful compromises about how to proceed. The transparency provided through this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.

Our blog highlights the research, opinions, and insights of individual authors. It does not represent the voice of the Kleinman Center.