The German VEP

Most policy-work is still done in the reverse of logic, with gestaltian leaps of faith covered in heaping gobs of wishful thinking as to cause and effect. Vulnerability Equities Process papers are especially susceptible to this, because the Mozilla and Microsoft lobbyist team is punching well above their weight and has turned it into a "moral human rights" issue in the EU, to try to get codified in law what they could not do in the United States, because what's good for Mozilla is not necessarily good national policy.

This is especially true for Germany though! Germany is a huge industrial state at great risk for information operations and more direct cyber attack, that manufactures factories, but is notably behind on its own offensive capabilities. Sven Herpig's proposed VEP policy (for Germany, and the EU in general) would be like trying to catch up in the America's Cup Yacht race, but without pulling up your anchor.

However, that is gestaltian thinking at work! And I have been trying to propose a more rigorous process for looking at policy papers. And it is this:

• Convert proposed language into flowchart
• Use boolean alegebra to simplify flowchart (see below for the 4d4 Wassenaar flowchart, rearranged to demonstrate the real structure)
• Look at whether any parts of the flowchart imply other parts (for example, all places that STORE data in a database also obviously INDEX it, etc.) Sometimes what looks like a large technical differentiation chart can be reduced by inference.
• Make a spreadsheet of scenarios for regression testing all proposed changes to the text
• Use GIT or other version tracking to attach rationals and other notes to proposed changes in language
• Look at the total return on investment of the proposal, given the regression testing results
• When people adjust the language, don't let them assume an effect, but go through the entire regression test again with the new language. THIS FINDS WEIRD THINGS.

This diagram is much more useful for running sample scenarios through than the language in WA itself, imho.

So when looking at VEP proposals in general, it's possible to say uncontroversially that this is a new area for governments, and that law in particular has been "not great" at dealing with rapidly changing environments in the cyber domain, and that therefor it is always fascinating when, without doing this kind of work or without testing their VEP for a decade or so, people want to en-scribe a particular VEP into their law (Sven's proposal sunsets the law after five years - but most laws in this space get automatically renewed, so that is of little comfort in terms of malleability). If your update process is crazy expensive and difficult, it makes more sense that you would test everything for many years, before shipping it, right?

Regardless, let's look at the details of Sven's proposal in detail, as promised.

The first thing is he pre-frames the argument with his title:
Weighing Temporary Retention versus Immediate Disclosure of 0-Day Vulnerabilities

But those are not the only options. Obviously indefinite retention is an option, as are many other things that happen in practice but make poor policy papers, for example, having the Government distribute patches themselves, or special purpose workarounds, or any number of other creative things which enable NOBUS, for example.

So one sample scenario spreadsheet to help make decisions about the proposed German VEP is here. It is not comprehensive, but it's similar to the ones I've made for export control language proposals.

There's a lot of negative results in the spreadsheet, but if someone who is pro-VEP wants to take a crack at it, I'm happy to send over the editing rights to the document, although obviously my opinion is that this is because on the whole, this policy proposal is a bad idea for Germany and the EU.

That said, I think "not addressing the negative repercussions" is the strategy of choice for the lobbyist teams who want to push this sort of thing forwards, but there's a reason particular gaps and flexibilities were built in the US VEP and it's not that they didn't think of all the various issues or just really like keeping 0day in a giant horde like a dragon sitting on a gold pile in a cave somewhere underneath Ft. Meade.

----
Additional CinemaSIN:
Why do policy people just do "Absent data, we can assume X" as a thing?

This is an especially terrible paragraph in the German VEP paper.

And for bonus negative points:

I think it's worth pointing out that making decisions on bad data is in no way better than than making decisions on no data. In fact, it's probably worse, since you have a higher confidence level in your decisions when you make them on data.

And, for the record, I engage in Cyber Policy work because we've been wandering in the desert for what seems like 40 years, and it's time to head in a direction of some sort.