Background

Nate Fick, the Ambassador-at-Large for Cyberspace and Digital Policy (which is the head of the State Department’s Bureau of Cyberspace and Digital Policy) was also the co-chair (along with Jami Miscik of Global Strategic Insights) of the Council on Foreign Relations (CFR) Independent Task Force on Cybersecurity.

We want to focus on the CFR Task Force’s recommendation calling for the international expansion of the Vulnerabilities Equities Process (VEP), but we also found it instructional to first review the conclusions of and recommendations made by the CFR Independent Task Force on Cybersecurity – which are at the intersection of the future of cyber international relations, data, privacy, national security, and international norms, practices, and cyber law, of which the VEP recommendation is only one of many moving parts.

CFR Task Force’s final report, “Confronting Reality in Cyberspace: Foreign Policy for a Fragmented Internet.” offers the following conclusions:

1. The Future of Cyber International Relations
   • The era of the global internet is over.
   • U.S. policies promoting an open, global internet have failed, and Washington will be unable to stop or reverse the trend toward fragmentation.
   • Artificial intelligence (AI) and other new technologies will increase strategic instability.
2. The Future Role of Data in Geopolitics and National Security
   • Data is a source of geopolitical power and competition and is seen as central to economic and national security.
   • The United States has taken itself out of the game on digital trade, and the continued failure to adopt comprehensive privacy and data protection rules at home undercuts Washington’s ability to lead abroad.
3. The Digital Sovereignty of the Nation-State
   • Most cyber-attacks that violate sovereignty remain below the threshold for the use of force or armed attack. These breaches are generally used for espionage, political advantage, and international statecraft, with the most damaging attacks undermining trust and confidence in social, political, and economic institutions.
   • The United States can no longer treat cyber and information operations as two separate domains.
4. Cybercrime as a Pressing National Security Threat
   • Increased digitization increases vulnerability, given that nearly every aspect of business and statecraft is exposed to disruption, theft, or manipulation.
   • Cybercrime is a national security risk, and ransomware attacks on hospitals, schools, businesses, and local governments should be seen as such.
5. Washington and its Allies’ Failure to Impose Sufficient Consequences on Attackers
   • • Norms are more useful in binding friends together than in constraining adversaries.
     • Indictments and sanctions have been ineffective in stopping state-backed hackers. (1)

The major recommendations of the Task Force are as also instructional:

• Cyber International Relations and Cyber Policy
  • Build a digital trade agreement among trusted partners.
  • Launch a focused program for cyber aid and infrastructure development.
  • Work jointly across partners to retain technology superiority.
  • Negotiate with adversaries to establish limits on cyber operations directed at nuclear command, control, and communications (NC3) systems.
  • Promote the exchange of and collaboration among talent from trusted partners.
• National Security
  • Make digital competition a pillar of the national security strategy.
  • Clean up U.S. cyberspace by offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure.
  • Address the domestic intelligence gap.
  • Develop the expertise for cyber foreign policy.
• International Data Policies and Agreements
  • Agree to and adopt a shared policy on digital privacy that is interoperable with Europe’s General Data Protection Regulation (GDPR).
  • Resolve outstanding issues on U.S.-European Union (EU) data transfers.
• International Cyber Norms, Practices, and Legal Frameworks
  • Create an international cybercrime center.
  • Declare norms against destructive attacks on election and financial systems.
  • Adopt greater transparency about defend forward actions.
  • Hold states accountable for malicious activity emanating from their territories.
  • Develop coalition-wide practices for the Vulnerabilities Equities Process (VEP).  (1)

Our analysis is also based on the recent Rand Report, To Disclose, or Not to Disclose, That Is the Question: A Methods-Based Approach for Examining & Improving the US Government’s Vulnerabilities Equities Process, which is the impressive Ph. D. dissertation by Lindsey Polley.  Polley was a Defense & Policy Researcher at the RAND Corporation and is currently the Director, Disruptive Technologies (Cyber & Space Intelligence, MACH37) at VentureScope.

The Origin Story of the Vulnerabilities Equities Process (VEP)

Polley notes that the VEP “…although declassified in 2017, the VEP remains relatively unknown to the general public despite the fact that it has far-reaching ramifications for virtually every American citizen – and arguably, the international community as well…since its public acknowledgment in 2014, the benefits and shortcomings of the VEP have been sharply debated in the public arena by media, digital advocacy groups, and academia”: (2)

“A 2008 presidential directive [“National Security Presidential Directive (NSPD)-54 / Homeland Security Presidential Directive (HSPD)-23”] established what became the Vulnerabilities Equities Process, an interagency procedure the U.S. government uses to decide whether to disclose vulnerabilities or hold them for potential offensive operations. A U.S. official stated that the government’s bias is toward disclosure and explained that the process attempts to determine the extent to which the vulnerability is in use, how useful it is, how likely it is to be discovered, how damaging it would be in adversarial hands, whether another government has access to it, and whether it can be patched.” (2)

The Domestic U.S. VEP Policy Debate

The CFR Task Force report gets to the root cause of the debate surrounding the VEP:   “When the U.S. intelligence community, law enforcement agencies, or other government actors discover a zero-day vulnerability, they face a decision of whether to disclose the vulnerability to the private sector or keep the vulnerability secret to facilitate future offensive capabilities. In addition, zero days can be bought and sold in certain markets, some legal, others underground.  Disclosing to industry can result in timely patching and bolster national and personal security. Retaining and using the vulnerabilities can benefit national security through intelligence gathering and disrupted adversary operations.”  (1)

Emergence of the Current VEP Charter

Between the time the “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process” (the original iteration of the VEP) had been established and the public reporting of the Heartbleed vulnerability, the original VEP had fallen dormant. (48) Heartbleed (and to some degree, the remaining fallout from Snowden), however, reinvigorated this effort, ultimately resulting in the updating of the VEP’s charter and its public release in 2017 under the Trump Administration. (49) This updated VEP charter addressed many of the criticisms (50) voiced about the original charter and was largely applauded by the media for its increased transparency regarding how the US Government approaches a subset of cyber domain events. Despite these improvements, though, certain criticisms remained.

The early VEP – including the documents and initiatives that led up to the VEP, such as NSPD-54 – were generally viewed as first steps in the right direction by members of the Federal Government who were aware of them (given that they were all classified at the time of their establishment); they marked the designation of cybersecurity as a national priority and established policies, strategies, and guidelines for a critical area that lacked Federal-level coordination. With that said, though, once the documents were declassified and entered into the public’s view, criticisms began to surface.

Perhaps the most widely expressed criticism was the perceived “lack of transparency” (51-55) on behalf of the government towards the public regarding the contents of these formative documents – meaning that the public (as voiced through media outlets and digital advocacy groups) believed that the Federal Government was not sharing information around the existence of these policies and process with them when they should be; some of this may be attributable to bad timing, as a wave of public distrust regarding the Federal Government’s digital activities (particularly as they relate to the US population) was still present from the Snowden leak in 2013. (56) One key driver behind this lack of transparency, though, was the fact that these documents were all classified at the time of their development, and unclassified versions – or even unclassified summaries – were generally not available, making it difficult for anyone who was not directly involved to understand what the true policy stances were, what the processes looked like, or what the policies did – or did not – cover. (2)

The Structure of the Current VEP

Purpose & Objective

Through the course of carrying out missions, research, or other work, different components of the US Government uncover previously unknown software vulnerabilities (also known as “zero-days”) that could potentially be exploited by threat actors for nefarious reasons; alternatively, these vulnerabilities could also be leveraged by the US Government for intelligence gathering or operational purposes that support US national security interests. But as our world has become more interconnected and dependent on the cyber domain, coordination of the exploitation or patching of these zero-days through a standardized and pre-designated process became necessary. The establishment of the VEP supports coordinated cyber activities through the informed evaluation of competing considerations and equities associated with the dissemination or retention of newly discovered software vulnerabilities. (95)

As stated in the updated charter, the VEP’s primary objective during these risk versus benefit discussions is to “prioritize the public’s interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy.” (96)  In theory, the VEP should demonstrate this prioritization by tending towards the disclosure of vulnerabilities to vendors for security patching (as mentioned in the charter), unless there is a “demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law   enforcement, or national security purposes.” (97) (2)

Participants & Stakeholders

Entities participating within the VEP fall into one of four categories: a permanent member of the Equities Review Board (ERB), a temporary participant with the ERB, the VEP Director, or the VEP Executive Secretariat. Per the VEP charter, the following entities are considered permanent members of the ERB:

• Office of Management and Budget (OMB)
• Office of the Director of National Intelligence (to include Intelligence Community Security Coordination Center (IC-SCC))
• Department of the Treasury
• Department of State
• Department of Justice (to include the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force (NCIJTF))
• Department of Homeland Security (to include the National Cybersecurity
• Communications and Integration Center (NCCIC) and the United States Secret Service (USSS))
• Department of Energy
• Department of Defense (DoD) (including the National Security Agency (NSA) (including Information Assurance and Signals Intelligence elements)), United States Cyber Command, and DoD Cyber Crime Center (DC3))
• Department of Commerce
• Central Intelligence Agency (CIA)

Any other US Government agency that can demonstrate responsibility for – or equity in – a vulnerability under review by the ERB is permitted to become a temporary participant with the ERB – although the VEP charter does not indicate how non-permanent ERB members (e.g., an agency that is not already an ERB member) are notified in order to have the chance to demonstrate equity in a given vulnerability and participate in the discussion process. If granted permission to participate, such an agency would also be required to select one individual authorized to represent the views of the respective agency head at the relevant ERB meeting. (2)

Vulnerabilities Discovered by Non-US Government Entities

In some cases, vulnerabilities may be brought forward to a US Government entity by a private business, a research entity, or a foreign government. In these instances, the VEP charter directs the involved US Government entity to encourage the discoverer to either disclose the vulnerability (given international standards and best practices), and/or take additional mitigating actions to reduce the risk posed by the vulnerability.  (2)

Equity Considerations

In order to construct a comprehensive understanding of the potential risks a vulnerability under review may pose to current and near-future US national security and national interests, four core categories of equities are considered before a determination is made: (1) Defensive equities, (2) Intelligence, Law Enforcement, and Operational equities, (3) Commercial equities, and (4) International Partnership equities. The VEP charter’s outlining of these categories suggests that these four stakeholder groups compose the core of what the US Government believes to be representative of the “public interest” or “public good.” (2)

International Partnership Equities
The final equities review focuses on the US Government’s relationship with international partners and allies. Similar to the review focused on the commercial sector, this part of the review must address how the relationship between the US Government and its international partners would be impacted if it was revealed that the US Government had knowledge of the vulnerability. (2)

Annex B, Part 4 of the current VEP

Annex B is divided into “Part 1 – Defensive Equity Considerations,” “Part 2 – Intelligence, Law Enforcement, and Operational Equity Considerations,” “Part 3 – Commercial Equity Considerations,” and “Part 4 – International Partnership Equity Considerations”:

• Parts 1 & 2 (which both consider government-oriented equities) are quite extensive and composed of multiple subparts, whereas Parts 3 & 4 are only composed of one bullet each.
• Part 3 – Commercial Equity Considerations: “If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG relationships with industry?” (378)
• Part 4 – International Partnership Equity Considerations: “If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG international relations?” (379) (2)

How Are Other Countries Handling Vulnerability Disclosure?

At the time of the Rand report (December 2021), “very few countries had a publicly available national-level vulnerabilities equities process in place to determine whether a newly discovered vulnerability should be disclosed to vendors for patching or retained by the government for future use. Recently, however, an increasing number of entities are calling for the international creation and harmonization of national-level vulnerability disclosure policies (sometimes referred to as ‘government disclosure decision process” [GPPD]) – even citing international standards ISO/IEC 30111:2013 on vulnerability handling processes and 29147:2014 on vulnerability disclosure as beneficial starting points.’  (198, 199)  Members of the European Union (EU) have particularly been vocal about the topic and have advocated for the EU to ‘outline specific principles for member states to follow in developing a European vulnerability equities process with clear priority given to reporting vulnerabilities to vendors,’ suggesting that this role could be effectively performed by ENISA, the European Union’s Agency for Network and Information Security.”  (200, 201) (2)

“The possibility of an EU-focused VEP has been discussed recently at various forums, including the Global Forum on Cyber Expertise202 and the Carnegie Endowment for International Peace.203 In the interim, though, the Centre for European Policy Studies (a think tank focused on EU affairs) has been vocal in encouraging member states to adopt their own equity-based vulnerability review processes. (204) While there are still only a small number of countries with VEP-like policies in place, a larger number of countries are beginning to design and implement Coordinated Vulnerability Disclosure programs which facilitate the communication of vulnerabilities from the private sector to government.” (2)

Countries With VEP Policies

At the time of this dissertation’s composition (December 2021), Australia, Canada, and the United Kingdom were the only countries outside of the United States that had publicly acknowledged and available VEP policies. Note that all four countries are of the Anglosphere and have long-spanning intelligence-sharing relationships, perhaps making it more explainable as to why the VEP policies of all four countries are strikingly similar and place their intelligence agencies as leads for their VEP processes. (205, 206).  (2)

Countries on the Path to Developing Publicly Available VEP Policies

At the time of this dissertation’s composition (December 2021) Germany, Japan, and Lithuania were actively developing VEP-like policies in the public sphere. (2)

NOTE:  For a deeper dive into the current state of both of these categories of international adoption of VEP policies, see pages 39-44 of Polley’s dissertation.

On China and the VEP

According to the CFR Task Force Report,  “the VEP stands in sharp contrast to recent developments in China. Beijing banned Chinese security researchers from attending international hacking events and competitions (which they regularly won), and new regulations require all software security vulnerabilities to be reported to the government first. These regulations appear to have significantly improved Chinese offensive capabilities as Chinese government hackers have moved from simpler methods to more powerful zero-day vulnerabilities.

Aggressive Chinese assaults on American computer networks in 2021, for example, used zero-day vulnerabilities in Microsoft Exchange systems and Pulse Security VPNs. A Chinese researcher at Alibaba did report the Log4J vulnerability to Apache, but the Ministry of Industry and Information Technology suspended cooperation with Alibaba Cloud for six months for not reporting in China first.” (116, 1)

What Next:  Develop Coalition-wide Practices for the Vulnerabilities Equities Process (VEP)?

1. Following are the more specific recommendations from the CFR Task Force, building on the initial recommendation to “develop coalition-wide practices for the Vulnerabilities Equities Process (VEP)”:
   • Washington has led in the development of the process to evaluate when to share vulnerabilities with the private sector, and it should help expand the process to its coalition partners.
   • The VEP periodically revisits undisclosed zero-day vulnerabilities to assess whether conditions have shifted toward disclosure. Over the last few years, the NSA has steadily increased the number of public disclosures and advisories. This should be further supported and will require additional funding.
   • As its adversaries rely more heavily on zero-day attacks, the United States should reprioritize cyber defense and encourage partners to develop similar processes. (117) As a result of American leadership, Australia, Canada, and the United Kingdom released publicly their equities processes. The Netherlands announced that it has put a VEP in place but has not released any details on the process. (118) The three countries should work together to help other coalition partners implement VEPs. In the past, intelligence agencies have not taken credit for zero-day disclosures to software makers. They stand to gain greater credibility with the private sector by claiming credit for these public disclosures. The United States and its allies should also conduct national awareness campaigns around the urgency of patching, given that critical systems still remain unpatched months—even years—after a patch becomes available. (1)
2. Lindsey Polley echoed the recommendations made by the CFP Task Force, and expands on them in the following manner:
   • Expand “Part 4” of Annex B [of the current VEP] to address internationally oriented equities…while the VEP is a domestic-facing policy, the resulting vulnerability adjudications have potential implications for the broader international community – whose associated equities which are supposed to be represented on the ERB by the State Department, as well as through the VEP charter’s Annex B. My interview results, however, support the claim that (1) a robust perspective on how vulnerability adjudications impact the US’ international partnerships is currently not present in the ERB, and (2) there is no consideration given to how vulnerability adjudications may potentially impact civilian members of the international community.  (2)
3. Polley also provided some perspective on Industry and the VEP:  “Industry has never been identified as a formal participant in any iteration of the VEP (although their engagement by participating agencies is not explicitly prohibited). Many industry stakeholders, however, have expressed the opinion that their lack of involvement in the VEP unnecessarily exposes both the public and service providers to systemic, long-term risk. Two of the most vocal members of industry on this topic have been Mozilla and Microsoft.  Even though industry has not been given many formal tools by the Federal Government to support in the securing of cyberspace and the protection of users, we have seen coordination between the two increase (as some of the examples above highlighted). This coordination, however, has continuously been overshadowed by the question of “when is it appropriate to disclose a vulnerability?” – and the answer to that question largely depends on which side of the spectrum your entity exists on.”  (2)
4. Future Research
   • What role will the newly formed State Department Bureau of Cyberspace and Digital Policy play in the development of coalition-wide practices for the VEP?
   • Should the VEP Equities Review Board (ERB), the VEP Director, and the VEP Executive Secretariat leverage some of the operational and organizational structures of The Cybersecurity and Infrastructure Security Agency’s (CISA), which has a highly effective industry partnership component (through the Joint Cyber Defense Collaborative [JCDC)])?
   • Per the RAND report:
     • The policy community is in need of more objective and rigorous methods-based examinations of the VEP (and similar policies) to better inform the revision of current and development of new cyber-oriented public policies. While there is a plethora of recommendations rooted in uninformed
       opinion, these cannot be used to shape the future of cyber policy in the United States.
     • An exploration into what the impact of the VEP has been is another key area where additional research is needed. What type of downstream effects has the VEP created? In what ways has the VEP generated “good” or beneficial outcomes for society, and in what ways has it generated “bad” or undesirable outcomes? We know through public reporting that the VEP has led to the capture of varying types of cybercriminals, but at what costs or possible infringements of civil liberties? Questions like these have not been addressed in an objective or methods-based manner and would provide the research community with a deeper understanding of the potential tradeoff between benefits and civil liberties which could greatly inform the structure of cyber-oriented public policies in the United States going forward.
     • The type and amount of data required to make more informed decisions at the federal level regarding software vulnerabilities is another area where additional research is needed. This is particularly true for better understanding the prevalence and impact of a given software vulnerability, as well as the development of new tools to support these assessments.
     • I also hope this study sparks new interest in the development and application of ethics frameworks to cyber-oriented public policies – an area that is deeply under-researched. My research indicated that policies oriented toward artificial intelligence and machine learning have been the primary focus of ethics application – leaving the majority of cyber policies unexamined and unaccounted for from an ethics perspective. Further research applying ethics frameworks to non-AI / non-ML public policies is needed to ensure that this growing segment of public policy geared towards the cyber or digital domain adequately reflects the ethics considerations deemed foundational to society.  (2)

Further OODA Loop Resources

Optimizing Cyber Defenses: Research and analysis on defensive strategies:  OODA Loop research and analysis on defensive strategies.

OODA Network Member Junaid Islam on Security Automation and Automated Continuous Threat Testing:   OODA Network Member Junaid Islam on the future of security automation – and what is known as “Automated Continuous Threat Testing.”

January 2020

Flaws in the U.S. Vulnerabilities Equities Process:  Last week, the security community was in a flurry around the disclosure of a severe vulnerability (known as CVE-2020-0601) in Microsoft’s Windows operating system. Notably, it was because the National Security Agency (NSA) tipped off Microsoft, helping the tech giant patch the flaw instead of exploiting it for national security missions. NSA was praised for its cultural shift from offense to defense, however, in my opinion, not all that glitters is gold.

Vulnerabilities, the Search for Buried Treasure, and the US Government: Most weeks, it is far outside the normal job responsibilities for cybersecurity professionals to understand what the United States (or other governments) do to find or use computer vulnerabilities. Just stay patched and keep the board of directors happy. This is not one of those weeks.  This week we learned that the National Security Agency disclosed to Microsoft that it had discovered a major vulnerability (dubbed CVE-2020-0601) in Windows 10. A Washington Post article, by veteran cyber journalist Ellen Nakashima, declared this to be a “major shift in the NSA’s approach, choosing to put computer security ahead of building up its arsenal of hacking tools that allow the agency to spy on adversaries’ networks.”

May 2019

The NSA knows its weapons may one day be used by its targets: Several large scale cyber attacks have utilized cyberweapons and exploits first developed by the United States military and intelligence communities. While much has been done to develop vulnerability equities programs and responsible disclosure processes, such tools are an essential component of our cyber mission and will continue to be developed and used, despite the risks:  “U.S. military commanders say that when Cyber Command and the National Security Agency use a capability against targets abroad, they understand it might eventually be used by an adversary.”

March 2019

The Cyber Threat Analysis Report Volume 1 Edition 2:  Fresh off of RSA – OODA Network Expert Michael Tanji provides insightful analysis of the most recent and significant cyber news.

November 2016

The U.S. Government and Zero-Day Vulnerabilities: From Pre-Heartbleed to Shadow Brokers:  “In August 2016, a group calling itself Shadow Brokers released a cache of top secret cyber-spying capabilities almost certainly belonging to the U.S. National Security Agency (NSA). Out of the fifteen exploits in the cache, several appear to be previously unknown vulnerabilities (a so-called zero-day or 0day vulnerability).”

VEP Origin Story – Expanded Version

For the uninitiated, the following is the expanded version of the history of the VEP as told by Lindsey Polley:

…on April 7, 2014, news of a serious software vulnerability in the popular OpenSSL cryptographic software library spread around the globe. (11) Dubbed “Heartbleed,” this vulnerability allowed attackers to eavesdrop on internet communications and steal data directly from compromised service providers and users. (12) With the Snowden leak and alleged NSA surveillance revelation still fresh in the public’s memory, various media sources began reporting that the NSA had known about the Heartbleed vulnerability for several years and failed to disclose it for patching in order to exploit it for other intelligence gathering programs. (13)

In response, the NSA, White House, and the Director of National Intelligence (DNI) all denied these accusations, stating that no entity within the Federal Government had been aware of the Heartbleed vulnerability prior to its public disclosure.(17-19) In the eyes of the media, however, this denial of knowledge around such a catastrophic vulnerability – if true – highlighted potential widespread institutional weaknesses in how the Federal Government was approaching and implementing its policies to securing cyberspace – and this negative press continued to fuel the already-present public distrust. (20-21)

What is the Vulnerabilities Equities Process (VEP), why haven’t we heard about it before, and what impact does it have on the public? It was questions like these that spread through the media, digital advocacy groups, and research institutes alike in the weeks, months, and even years following the DNI’s revelation of the VEP – a federal-level process that, up until that point, had been classified and unknown to the public. It is against this backdrop of the Snowden leak, the Heartbleed discovery, and the revelation of the VEP that this dissertation begins.

Within days of Heartbleed’s public disclosure, DNI’s Public Affairs Office released an official statement that the “NSA was not aware of [Heartbleed]… until it was made public in a private sector cybersecurity report.” Although this further fueled the media skepticism, it was two sentences at the end of this statement that would spark discussion on a new topic in the United States: “[The] White House has reviewed its policies in this area and reinvigorated an interagency process for deciding when to share vulnerabilities. This process is called the Vulnerabilities Equities Process.” (22-23)

OODAcon 2022

To register for OODAcon, go to: OODAcon 2022 – The Future of Exponential Innovation & Disruption

The future of the VES, cyberspace and digital policy, along with the future of cyber international relations, data, privacy, national security, and international norms, practices, and cyber law will be discussed at OODAcon 2022 – The Future of Exponential Innovation & Disruption on the following panels:

• The Future Hasn’t Arrived – Identifying the Next Generation of Technology Requirements
• The Disruptive Futures: Digital Self Sovereignty, Blockchain, and AI
• Tomorrowland: A Global Threat Brief
• Future Wars:  Beyond Cyberconflict
• Open the Pod Bay Door – Resetting the Clock on Artificial Intelligence
• Twenty Years of Cyber Threat Intelligence
• Keynote Conversation with Congressman Will Hurd

OODAcon is about understanding the future and developing the resiliency to thrive and survive in an age of exponential disruption.

Society, technology, and institutions are confronting unprecedented change. The rapid acceleration of innovation, disruptive technologies and infrastructures, and new modes of network-enabled conflict require leaders to not only think outside the box but to think without the box.

The OODAcon conference series brings together the hackers, thinkers, strategists, disruptors, leaders, technologists, and creators with one foot in the future to discuss the most pressing issues of the day and provide insight into the ways technology is evolving. OODAcon is not just about understanding the future but developing the resiliency to thrive and survive in an age of disruption.

OODAcon is the next-generation event for understanding the next generation of risks and opportunities.

OODA Network Members receive a 50% discount on ticket prices. For more on network benefits and to sign up see: Join OODA Loop

Please register to attend today and be a part of the conversation.