How Should We Govern Government Hacking?

Two Panel Discussions on Policy Responses to a Growing Trend

Never before has the issue of government hacking, and the shadowy market for hacking tools, been more in the public eye than in 2016. How should policymakers and the public respond?

This past spring, the FBI bought a hacking tool to break into the San Bernardino shooter’s iPhone — then refused to disclose it to Apple. Last month, the mysterious “Shadow Brokers” published a stolen cache of NSA’s hacking tools — revealing two previously unknown or “zero-day” vulnerabilities in Cisco routers that the NSA had secretly stockpiled and that Cisco had to rush to patch. And just a few weeks ago,researchers discovered three new iPhone vulnerabilities by analyzing spyware being sold to repressive governments to spy on human rights defenders.

The issue of government hacking — and the question of when and how the government should disclose the software vulnerabilities it buys or discovers — is now front page news. This news in turn raises hard questions: Do we need new laws to regulate government hacking, or the government’s disclosure of vulnerabilities, and if so, what should they look like? Should law enforcement be allowed to hack, or participate in the market for hacking tools, at all?

Building upon its recent paper on the topic, Bugs in the System: A Primer on the Software Vulnerability Ecosystem and its Policy Implications, New America’s Open Technology Institute is convening a pair of panels where a wide range of experts with backgrounds in government, industry, civil society and academia will tackle these questions and more.

Follow the conversation online using #OTIgovhack and by following @OTI.


  • 9:15-9:30 - Opening Remarks
  • 9:30-10:45 - PANEL I: Hacking Secrets: When Should the Government Disclose What It Knows About Software Vulnerabilities? 
  • 10:45-11:00 - Break
  • 11:00 -12:15 - PANEL II: Hacking Law: How Should We Regulate Hacking by Law Enforcement? 
  • 12:15-12:30 - Closing Remarks


Andrew Crocker
Staff Attorney, Electronic Frontier Foundation

Daniel Kahn Gillmor
Senior Staff Technologist, American Civil Liberties Union

Andrew Grindrod
Assistant Federal Public Defender, Office of the Federal Public Defender for the Eastern District of Virginia

Jason Healey
Senior Research Scholar, Columbia University’s School for International and Public Affairs

Susan Hennessey
Fellow in National Security in Governance Studies, Brookings Institution
Managing Editor, Lawfare Blog

Ellen Nakashima
Reporter, Washington Post

Paul Ohm
Professor of Law, Georgetown University Law Center

Ari Schwartz
Managing Director of Cybersecurity Services, Venable LLP

Amie Stepanovich
U.S. Policy Manager, Access Now

Heather West
Senior Policy Manager, Americas Principal at Mozilla

Dustin Volz
Reporter, Reuters