Technologies and Time Tempers: How Things Mediate a State’s (Cyber Vulnerability) Disclosure Practices

State secrecy and disclosure practices are often treated as processes of intentional and strategic human agency, and as forms of political time management (Bok 1982; Horn 2011). Through a critical analysis of the United States government’s disclosure practices in the context of their discourse around the cybersecurity “Vulnerabilities Equities Process” (VEP), this paper will present a two-fold argument against these conventional treatments of secrecy and disclosure. While government secrecy and disclosure can certainly be understood as a form of (agential) timing, orientation and control (Hom 2018), this paper will also show how government secrecy practices are emergent at the point of relations with the structuring (but not over-determining) temporalities of various technologies. More than just the procedural containment of information, in which time and technologies feature as passive substrates, the paper will instead help scholars explore the ways that technologies and their times actively mediate the production of secrecy, disclosure and knowledge. By shifting beyond linear conceptions of cause-and effect, the paper will therefore theorize the understudied but important temporal dynamics of disclosure, thereby allowing for richer conceptualizations of the role of digital technologies in contemporary secrecy practices.

Between 2013 and 2018, a series of cyber breaches and international cybersecurity incidents 2 prompted criticisms from diverse commentators outside of the U.S. government. As a result of these incidents, critics challenged the rationales and legitimacy of the government's use of software and hardware vulnerabilities 3 in the course of intelligence and law enforcement missions. As one critic described it, "the NSA -despite what it and other representatives of the U.S. government say -[is] prioritizing its ability to conduct surveillance over our security" (Schneier 2016). In response, government representatives and White House administration officials 2 These included the controversy around Edward Snowden, as well as technical incidents like the Heartbleed Vulnerability, and the leaking of NSA hacking tools by a group called Shadow Brokers, tools that were subsequently repurposed by North Korea to enable the WannaCry ransomware attacks in 2017. These incidents will all feature in the story this paper tells.

3
Vulnerabilities in this context refer to undiscovered flaws in the software and hardware that make up cyberspace. Such flaws can be present in the systems from the day of their launch: discovering all the potential bugs in the millions of lines of code in a piece of equipment or software is time-consuming and not always economically induced for the vendors. They can emerge as code, interfaces, and users interact and behave unexpectedly and unpredictably, resulting in bugs or "vulnerabilities." A bug is when a system isn't behaving as it's designed to behave. A vulnerability is a way of abusing the system (most commonly in a security-related way) -whether that's due to a design fault or an implementation fault. In other words, something can have a vulnerability due to a defective design, even if the implementation of that design is perfect." (StackOverflow, 2008). When vulnerabilities are unknown to the vendor or manufacturer, they are often referred to as "zero-day vulnerabilities," or "0-days," because developers have had zero days to address and patch the vulnerability. Not all vulnerabilities are problems, but when such bugs in coding and technical configurations can be intentionally exploited through research and the development of specifically tailored code ("exploits") then they can create the means for unauthorized access and modifications of systems. Knowledge of these vulnerabilities, as a precursor to hacking techniques, can thus be incredibly valuable. See Stack Overflow (2008) and Rapid7 (2022). assumes that the means of disclosure are followed by the ends of specifiable political outcomes. Here, processes of state secrecy and its related processes of disclosure are thought to be the results of human agency.
Disclosures, as a related and co-dependent element of secrecy practices, are thus treated in both everyday parlance and in politics as a necessary part of a linear process of knowledge transfer, automatically leading to predictable outcomes (such as trust, transparency, changes of behavior or in the case of this paper's focus, cybersecurity). State secrecy and their related practices of disclosure are often treated in this sense of strategic practical and intentional action, as a locking away (or releasing) of secrets to gain time, or forestall the ill-effects of time's passing, as a form of political time management (Bok 1982;Horn 2011). Even the NSA's mission statement reflects this conception of the need for secrecy and its activities as a form of strategic time management, highlighting how the NSA's role is to enable "computer network operations (CNO) in order to gain a decision advantage for the Nation and our allies under all circumstances" (U.S. National Security Agency 2018). 4 In the case of the VEP, the assumption is that segregating this knowledge can give the government a time advantage, can protect the autonomy of state 4 The phrasing of this mission statement changed sometime around 2018, reading now as "gaining a decisive advantage" (NSA, quoted in Manach 2018). actors to carry out actions in the name of security, can protect the social order, and that trust or accountability, or security, will follow.
However, as the case of the contested role that disclosure plays in the case of the US government's computer network operations shows, human agency and efforts at timing are not the only factors that shape the symbolic or practical parameters of disclosure. How do we make sense of technological vulnerabilities, and of state secrecy practices that they are imbricated in, in ways that can help us move away from essentialized understandings of technological determinism, and away from framings (of temporal urgency) that suggest states must undertake particular (secrecy) practices because the technologies or external causative factors demand it? Rather than intentional timing efforts alone, it is also important to study how secrecy and disclosure practices (and the analytical approaches that study them) may be exceeding these linear conceptions of time and cause and effect. While building on the burgeoning literature in critical secrecy studies that has fruitfully demonstrated secrecy's productive effects, and moved us beyond understanding secrecy and disclosure practices in terms of cybernetic models of information transfer and anti-epistemology (Galison 2004), there is still more to be said about the concept of disclosure in itself. This is the contribution this paper seeks to make.
Rather than conceptualizing disclosure in terms of managing the visibility of self-evident data that speaks for itself, instead this paper will argue two things: firstly, rather than acting as passive substrates or overdetermining structures, technologies mediate the concept and practice of "disclosure," and secondly, that disclosure is a concept and practice that exceeds unified institutional (state or human) agency.
While elements of secrecy and disclosure practices can certainly be described in terms of strategic agency on the part of state actors, this paper will also show how such practices are emergent at the point of relations with the structuring (but not over-determining) temporalities and affordances of various technologies. As this paper will show, what disclosure means, what it does, how it works, is a product -and productive -of the technologies and the temporalities that mediate its practice. Instead of a standalone moment, or a linear transformation of information from one state to another, disclosure can take place in more complex and partial ways. Disclosures are a process, not an event, knowledge processes that require effort and maintenance.
More than just the procedural containment of information in which time and technologies feature as passive substrates then, or as the result of instrumental and conscious decisions to make strategic disclosures that lead to predictable effects, the paper that follows will present an argument to help scholars conceptualize the ways that time and technologies actively mediate the production of secrecy, disclosure and knowledge.
To set the scene for this two-part argument, the paper will first theorize disclosure in more detail. Next, the paper will draw out in more detail the difference that technics and temporalities make to disclosure, both as a concept and as a practice. Finally, through a critical analysis of the United States government's disclosure practices in the context of their discourse around the cybersecurity "Vulnerabilities Equities Process" (VEP), the main section of the paper will demonstrate how in the context of computer network operations conducted by state agencies, disclosure as a concept and practice has changed over time. As well as showing how government secrecy can be understood as a form of (agential) timing, orientation and control (Hom 2018), time and technologies have simultaneously mediated how disclosure works, often as a result of the negotiations of people and groups.
Therefore, rather than considering secrecy solely as the "intentional concealment of information" (Bok 1982, 5), considering secrecy and disclosures in terms of processual flows allows a shift away from what tend to be agential or unitary actor-centered approaches to secrecy. Instead, the approach outlined here means to show how attending to different temporalities, and shifting away from conceptions of secrecy-as-containment, has utility. By showing how government actors have struggled to demarcate those bugs and flaws in code as uniquely governmental, as property, and that they have had to adapt and adopt their approaches in light of external criticisms as much as the "leakiness" of the code, such an approach shows how hegemonic discourses of technological determinism, urgency, and state power, no longer look so certain.

Theorizing Disclosure
As a concept that is often twinned with secrecy, even in literature that views the two as mutually enhancing, constraining or stimulating each other (Birchall 2021), disclosures by state agencies are generally seen as intentional and instrumental. This may be as a means of visibility management (Flyverbom, et al. 2016), or of forestalling diplomatic or foreign policy matters (Carson 2015;Carnegie 2021;Aldrich and Moran 2018), where information is declassified or deliberately shared for strategic purposes. However, the trouble with these approaches is that they see information as synonymous with understanding. As Mark Fenster (2012, 757) incisively points out: such assumptions about information's essential, predictable effects rely on a mistaken understanding of what is a complicated administrative, political, and communicative process. Government information frequently has no obvious meaning. Its significance often creates significant political and social contest. It is sometimes misinterpreted; it is often ignored by all but a small minority of interested groups and individuals.
As a point that we shall return to shortly in more detail, all kinds of factors affect the reception of such information amongst different audiences. These factors are often well beyond the intentions of the authors of the disclosure or the authors of the original source material being disclosed, even at times containing "no obvious meaning" outside of the interpretive processes that must follow. As well as the "strategic proliferation of leaks, the announced use of covert and special ops, the use of 'preventive revelations'" described by Bratich (2006, 45), there is also work that has investigated the role of disclosures in terms of whistle-blowing and leaks beyond the strategic intentions of state actors (Ku 1998;Mistry and Gurman 2020;Coleman 2014;Gros et. al 2017).
More than simply critiquing some gap between the rhetoric and reality of transparency projects, work by scholars such as Birchall (2021), Bratich, and others has increasingly shown how treating secrecy in informational terms risks fetishizing transparency and disclosure effects (Fluck and McCarthy 2019), belying its situated and processual tendencies. As a means of moving beyond this informational tendency, recent work on government secrecy has emphasized the ways that secrecy should be seen as a productive and dynamic set of practices and social relations (Maret 2016;Walters 2021;Kearns 2017;van Veeren 2019;de Goede and Wesseling 2017;Birchall 2021;Kearns 2021). Work by Bratich (2006) in particular calls on us to recognize the ways in which revelation is not necessarily the end of secrecy, but rather contributes to secrecy's displacement or proliferation through what he calls "spectacular secrecy." Here, disclosure is part of secrecy's continuation: although disclosure may be promoted as an act of greater government openness and is a feature of an "unprecedented visibility of secrecy," offers of disclosure instead obscure more than they reveal, making a spectacle of the secrecy without fundamentally addressing it (Bratich 2006: 495). Indeed, Bratich (2006, 493) suggests that in this contemporary moment, "disclosure might be part of secrecy's game, not an end to it." Revelation, or disclosures, are thus not mutually exclusive from secrecy, but are mutually constituted (Anaïs and Walby 2016).
However, disclosure in itself has been less explicitly theorized in this literature, except in its relations to secrecy and other concepts such as transparency and surveillance. In the context of the use of torture during the US' and its allies' "War on Terror" is Lisa Stampnitzky's (2020) important intervention that clarifies the conceptual and the political differences between exposure and revelation. By drawing from approaches critical of conceptions of information and knowledge as synonymous, where meaning is supposed to be self-evident, a critique of approaches that imagine that truth simply exists "out there" (Stampnitzky 2020, 5), she is able to show the collective sense-making and recognition that are needed before an exposure of information becomes a politically salient revelation that leads to action or even accountability. Though information may be disclosed, she shows how informational models cannot explain why those disclosures do not have the intended effects, either for increased accountability under transparency ideals or at times for those strategically disclosing.
There are other, more undertheorized reasons, why disclosure may not have the predicted or intended effects, or why it may exceed the intentions of those acting in the name of disclosure. Controlling information and being able to make functional distinctions between "secret" and "disclosed" are based upon a widespread organizational culture within national security circles, especially in the US, which share the presumption that "secrets produce security" (Dean 2004).
However, building upon critiques like Dean's, this article contends that it is not such a simple (or linear) relationship between secrecy and security. Rather than taking the claims of security imperatives stemming from fast-moving technological frontiers, or self-evident threats, for granted, a more explicit theorization of temporality provides researchers of government secrecy (and security) some fruitful analytical purchase.
In many of the works cited so far, time and temporality are obvious and quantified externalities to the dynamics of secrecy and disclosure. For the most part to date, secrecy studies' treatment of the temporal has been limited to understanding secrecy (contained information) and its relation to revelation (uncontained information) as linear (Stampnitzky 2020;Fan and Liu 2022). As one of the few scholars to do so, Stampnitzky's work on the dynamic relations between secrecy, exposure, transparency and accountability for example has highlighted the importance of incorporating the possibility of change into our accounts of the effects of secrecy and disclosure (Stampnitzky 2020). Meanwhile, Fan and Liu (2022) have recently investigated the temporal character of secrecy for organizations through the constitution of archival records. However, more than just the role that timing has on the effects of secrecy and disclosures, or for organizations, the role of temporality in secrecy and disclosure regimes play a significant but largely undertheorized role (see Van Veeren et al, forthcoming).
That said, insofar as work has addressed temporality and anticipation, secrecy regimes are an important part of "gaining time." In this sense, secrecy is about managing time's damaging effects, what Hom identifies as a problem that requires a solution, the "transcultural symbol of time as a malevolent force confronting human affairs" (Hom 2020, 9). Here, secrecy and disclosures can be thought of as a form of timing, used as a way to make sense of world events, a way of ordering change processes so that they become legible, contextualizable, sensible, and as such a productive strategy for state actors. As Eva Horn (2011) described the arcanum, secrecy as the locking away of information was "first and foremost a form of political time management," a temporary withholding of communication to facilitate a head start for political or military actions, or as a way of keeping options open (Horn 2011, 108). This is an important temporal element implicit in logics of secrecy, what she described as "the conservative power of secrets and secrecy," namely the ability to preserve the status quo, and as such "it is a force directed toward the present and the future in that it keeps open future possibilities" and "secures the here and now of the state." (Horn 2011, 108). Beyond this section of her formative arguments though, little explicit attention is directed to the role that time and timing have for making sense of secrecy and disclosure, or conversely of the role that secrecy practices have in making sense of the past, present and future. While secrecy and disclosure practices may be an effect of timing efforts, less has been said about time's effects on disclosure and secrecy.
As the later discussion on the VEP will show, and as set out by the introductory article to this special issue, shifting our understanding of technologies away from viewing them as passive substrates, or as the things being contained, is necessary in order to account for secrecy and disclosure as processes in and through time, rather than as linear sequences of cause-and-effect. As we will see, technologies-asmediators are an example of how temporalities structure and modulate secrecy and disclosure practices, whilst also being constituted in and through those secrecy and disclosure practices, in a codependent manner. Contrary to many security discourses that posit external technological and temporal exigencies determining the ensuing political responses, a more nuanced (and less determinist) account emerges.
In the rest of this paper, a critical discussion of the Vulnerabilities Equities Process (VEP) will show how in the context of computer network operations conducted by state agencies, disclosure as a concept and practice has changed over time. At the same time, time and technologies have mediated how disclosure works, often as a result of the negotiations of people and groups, but also in ways beyond those strategic intentions. In the first part of Part Three we will see how disclosure was used instrumentally, both as a concept and in practice, to set procedural and practical parameters on disclosure in order to protect the autonomy of government agencies to look for and to use vulnerabilities in networked computer systems. We will also see how disclosure as a signifier and as a practice was used differently as the basis for claims to legitimacy by different communities. As a result of contestations between representatives of state agencies on the one hand, and cybersecurity practitioners and civil rights advocates on the other, the second part will then show how federal actors have worked to constitute "disclosure" in particular ways. Beyond the strategic and instrumental action of state and non-state actors and their competing articulations of disclosure though, the second half of Part Three will show how technological vulnerabilities and the networked systems of which they are a part play an important structuring, though not overdetermining, temporal effect on secrecy and disclosure practices. This is important because by working to translate vulnerabilities into quantifiable entities that can be deliberated, rationalized and putatively unbiased, and by gradually constituting disclosure as a transitory concept rather than a binary state, this paper finds that these debates and their interplay through and with technologies have worked to redraw the political and procedural parameters of disclosure over time, as we shall now see.

The VEP and Contesting Disclosures
In response to Heartbleed 5 and WannaCry, 6 government representatives over the course of two administrations would use "disclosure" to articulate a vision of insecurity in which the use of vulnerabilities was in the name of "national security" and would not adversaries. On the one hand, he argued that such vulnerabilities could be used as tools "…to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation's intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks" (Daniel 2014).
Vulnerabilities in the hands of "hackers or other adversaries" were thus "more dangerous vulnerabilities" than the ones being used by the government. On the other hand, he recognized that retaining "a huge stockpile of undisclosed vulnerabilities" would leave the "Internet vulnerable and the American people unprotected" (Daniel 2014).
This was one of the most explicit acknowledgments that the government had made to date of its institutionalized uses of vulnerabilities during its lawful intelligence and law enforcement activities. While hyperbolic, by describing the whole internet as being vulnerable, and making references to stockpiles, Daniel was working to invoke historically resonant conceptions of the state's role as security provider. According to this logic, the government was historically responsible for protecting the American people, and managing vulnerabilities was to be an important component in that role. By articulating their traditional roles in this way, the administration was working instrumentally and strategically to buy time for their agencies to use these vulnerabilities.
Government actors would also use national security rationales to make the case for limiting the role of disclosures. Although "responsibly disclosing a newly discovered vulnerability is clearly in the national interest," Daniel (2014) highlighted how instrumental "this tool [was] as a way to conduct intelligence collection, and better protect our country in the long-run." Hailing the use of vulnerabilities by federal agencies as like "so many national security issues," Daniel (2014) was conveying how they thought that this was a matter that the government had unique normative authority to act as an adjudicator for, suggesting that while "the answer may seem clear to some," the "reality is much more complicated." By invoking national security prerogatives, the implication here was that though "some" might disagree, the government were working to demarcate the legitimacy of using such vulnerabilities during their intelligence and law enforcement activities.
The administration thus drew a boundary between two positions: on the one hand was the government's commitment to the security of cyberspace more broadly -cybersecurity -and on the other were their national security prerogatives. Here, there was to be a "trade-off"  (2017) published a blog post that made the government's rationales for limiting disclosure explicit: Our adversaries, both criminal and nation state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities. Although I don't believe withholding all vulnerabilities for operations is a responsible position, we see many nations choose it. I also know of no nation that has chosen to disclose every vulnerability it discovers.
Despite the government's commitment "to promote resilience in the digital systems architecture," immediate or total disclosure was thus argued to be at the expense of pursuing adversaries who were unencumbered by such limitations (Joyce 2017). Joyce, like Daniel in the Administration before him, was here setting the parameters of disclosure in normatively laden and historically resonant terms of transparency and responsibility, so that national security was hailed as setting limits on requirements for limited and responsible disclosure, even if it was in the name of cybersecurity.
However, for commentators challenging the government's use of vulnerabilities and the deployment of disclosure as a concept to rationalize their use, disclosure was similarly used as a symbolic resource, but to contest the government's credibility and legitimacy.

These were fundamentally opposing visions of what disclosure meant,
what it is -whether it meant to patch, or to spy, based on either a technical conception of cybersecurity to secure cyberspace by fixing vulnerabilities, or on a political conception of cybersecurity to secure cyberspace by utilizing vulnerabilities for wider strategic ends (Nissenbaum 2005). For those self-described in the technical community concerned about the government's exploitation of vulnerabilities in widely used systems, disclosure for patching was meant to be a constitutive part of cybersecurity. As one prominent security expert in this debate, Bruce Schneier (2012), had described the role of disclosure as "regardless of the motivations," the role of disclosure was to facilitate patching. This was because it was an important constituent to security more broadly: "…a disclosed vulnerability is one that -at least in most cases -is patched. And a patched vulnerability makes us all more secure." It was therefore on the grounds of disclosure's role that in 2012 the civil liberties nonprofit group the Electronic Frontier Foundation (EFF) questioned the government's commitment to cybersecurity more broadly, stating that, If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal. (Hofmann and Timm 2012) In other words, the EFF was arguing that fixing vulnerabilities would be a key indicator of the government's commitment to cybersecurity more broadly. As Bruce Schneier (2016) later summarized, "[p]retty much uniformly, security experts believe we ought to disclose and fix vulnerabilities." By invoking a consensus of The technological and social challenge posed by government computer network operations was thus that they take advantage of software and hardware vulnerabilities that domestic civilians and organizations may also use: Schiff's argument was that government actors cannot so easily segregate or compartmentalize their actions in space or time as they might in other classified contexts. Statements such as these were each challenging the sources and criteria of the authority conferred by the Administration's claims to disclosure in the name of "national security." They challenged the argument that Federal government agencies were uniquely qualified to manage the knowledge of these vulnerabilities as though they had direct equivalence with conventional weaponry and other matters of national security.
Furthermore, government agencies did not have a monopoly on these secrets or their disclosure.
As we shall see in the next section's discussion of the ways that disclosure practices were mediated by and through these technologies,

Disclosure as Deliberative
Looking at the wording and the documents released through FOIA requests shows how the VEP set the parameters for the debate amongst multiple government departments internally and externally negotiating their competing mission interests, or "equities." Facilitating the process, the "National Security Agency/Information Assurance Directorate" would serve as the Executive Secretariat, and they would document, host, and maintain the regular meetings. The "Equities Review Board" was made up of representatives from several agencies who had submitted a vulnerability to the process or might have an interest in the vulnerability. The Points of Contact were tasked with "ensuring the applicable … equities of their organization" were "appropriately represented in the process", which included cybersecurity, intelligence, counterintelligence and law enforcement equities amongst other listed mission interests (U.S. National Security Council 2010b, 5). Several agencies would have been involved in the process beyond the NSA, but aside from a redacted section describing the agencies involved, the unredacted agencies were described in more tentative terms in the 2010 policy document with the phrase "other participants may include" U.S. Departments of State, Justice, Homeland Security, Treasury, Commerce and Energy. This procedure was designed to be "…a comprehensive common policy and systematic process for handling the problem across the USG" (U.S. National Security Council 2010b, 2). By hosting regular meetings, turning the complexity and organizational breadth of these competing interests into a formalized procedure was therefore meant to impose some boundaries on the problem of vulnerability use and to set procedural parameters on who would be involved and when.
The procedure also set boundaries on disclosure by seeking to draw a symbolic as well as procedural line between dissemination and retention so that consensus was a simplified matter. To begin with, the purpose of the procedure was to build consensus amongst the range of government agencies. At this stage, the procedure was primarily concerned with setting parameters upon internal interagency deliberations, but a by-product of these negotiations was what they called the decision "…to disseminate information pertaining to the vulnerability" (U.S. National Security Council 2010b, 8). At this stage in the procedure's existence, disclosure was not its main focus. The procedure was instead more concerned with institutionalizing a forum that would broaden deliberations to involve government agencies involved in vulnerability questions beyond the NSA. It was also to act as a formalized mechanism that would set the terms of those Even the terms used -dissemination, rather than disclosure as would be used later 7 -suggested a cybernetic model of information transfer, 7 According to Collins American English Dictionary "to disseminate information or knowledge means to distribute it so that it reaches many people or organizations"; to disclose means "to bring into view; uncover"; in insurance, "if you disclose of senders actively distributing information rather than passively uncovering it or it needing interpretation (Stampnitzky 2020;Fenster 2015). the early VEP-as-procedure. Describing the procedure itself as "…a disciplined, rigorous and high-level decision-making process for vulnerability disclosure," this interagency forum was concerned about when to "…temporarily withhold[..] knowledge of a vulnerability" and suggesting that there were "no hard and fast rules" for making these judgments (Daniel 2014, emphasis added).
While the organization of the Equities Review Board was instituted and disciplined in a rigorous way, the vulnerabilities themselves were more loosely bound in this procedure. Disclosure could be temporarily delayed, and categorizing the vulnerabilities was more done more flexibly than being subject to "hard and fast rules." Unlike the 2010 policy document, Daniel's 2014 blogpost also outlined the range of considerations that the review board subjected vulnerabilities to, including asking the question of whether they "… could … utilize the vulnerability for a short period of time before" it was disclosed -it could be temporarily exploited, and nor did disclosure prevent it from being exploited while patches were developed or as long as patches remained uninstalled on targeted systems (Hennessey 2016). The procedure's rationale was now beginning to reflect a more expansive range of what constituted disclosure.
The VEP is demonstrative of some of the unique challenges that government actors have articulated in bounding disclosure, in this instance the distinctive problems of managing interfaces between "network" time and "bureaucratic" or "political" rhythms and time.
Government actors and the VEP work to articulate the distinctive time pressures of maintaining secrets during cyberspace operations. In 2017 government actors acknowledged that the vulnerabilities cannot or will not remain secret forever, despite the government's best intentions or wishes. Rather than aiming to totally restrict knowledge of specific vulnerabilities that government agencies may discover, they inserted a new temporal element: …the VEP balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes. (White House 2017, 1 emphasis added)

Typical of this framing was Admiral Rogers' responses to
advanced questions for his confirmation hearings as head of the NSA and CYBERCOM, where he told congress that "transparency can be ensured by establishing procedures" in "real-time," that leveraged "…technology that enables a transparent, policy-based, machine-speed infrastructure" (Rogers 2014a, 527, emphasis added). Here, "machine speeds" apparently stood in tension with the "political speeds" of interagency government processes, and the desire to pause or control the flow of knowledge for tactical or strategic reasons, even temporarily. Disclosing and sharing information in "…a space this transformative and this disruptive" would challenge institutionalized practices that took place at political-speed (Rogers 2017, 2). This was expressed in the VEP as an articulation of distinctive time pressures of the role that disclosure played, where: …the VEP balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes." The U.S. Government's determination as to whether to disseminate or restrict a vulnerability is only one element of the vulnerability equities evaluation process and is not always a binary determination. Other options that can be considered include disseminating mitigation information to certain entities without disclosing the particular vulnerability, limiting use of the vulnerability by the USG in some way, informing U.S. and allied government entities of the vulnerability at a classified level, and using indirect means to inform the vendor of the vulnerability. All of these determinations must be informed by the understanding of risks of dissemination, the potential benefits of government use of the vulnerabilities, and the risks and benefits of all options in between. (U.S. National Security Council 2017, 1, emphasis added) Pointing to a more complex range of disclosure "options" in this way was working to make disclosure a more transitory state than set out when discussing vulnerabilities in terms of "dissemination." The publication of this unclassified VEP Charter was the most detailed account of the VEP's functioning to date, indicating that the public controversy discussed in earlier had not been settled by official statements during the Obama Administration and was further aggravated by high profile incidents like WannaCry. Here, the VEP Charter was releasing more details of the procedure's range of considerations, and underscoring "disclosure" as a spectrum meant that reaching unconditional limits or thresholds was not the goal. As a former deputy director of the National Security Agency Rick Ledgett wrote in a personal op-ed following WannaCry, disclosure and patching were not a panacea: …WannaCry […] exploited flaws in software that had either been corrected or superseded, on networks that had not been patched or updated, by actors operating illegally. The idea that these problems would be solved by the U.S. government disclosing any vulnerabilities in its possession is at best naive and at worst dangerous. (Ledgett 2017) While this was a confrontational articulation of the possible bounds of disclosure and its role in cybersecurity, instituting a spectrum of disclosure was in support of this general sense that it was not a binary state or an unmediated good. This meant that government actors would be less likely to "fail" in reaching publicly acceptable thresholds for disclosure, that they would be less likely to face criticism, if the VEP had already established that those thresholds were had also expanded disclosure's possible permutations.

Disclosure as Rational
In contrast to the 2010 procedure, the way that disclosure was constituted by the VEP following Heartbleed in 2014 was thus beginning to shift. Rather than a procedural focus on when to disseminate knowledge of vulnerabilities amongst government agencies, the shift in approach was now specifically orienting the VEP around disclosure. The whole of Daniel's 2014 blogpost was describing the VEP in terms of its focus on when to disclose vulnerabilities to those outside the government. Repeatedly, government officials would emphasize that the VEP was weighted towards disclosure, on disclosure as the norm rather than the exception. As the head of NSA had described the process within the VEP, "…by orders of magnitude, the greatest numbers of vulnerabilities we find, we share" (Rogers 2014a).
This phrasing was echoed by Daniel in an interview, who stated that the procedure was working on the assumption that "…the overwhelming majority of those that we find we do disclose. The idea that we have these vast stockpiles of vulnerabilities stored up -you know, Raiders of the Lost Ark style -is just not accurate" (Daniel, quoted in Zetter 2014). The implication here was that the VEP was not designed to withhold information on vulnerabilities (or metaphorically store vulnerabilities like stacks of mysterious crates) but was an institutionalized and rigorous manifestation of disclosure in action.
Despite the VEP working to concretize disclosure practices as a spectrum, rather than an either-or, and thus broadening the boundaries of disclosure as a concept in political terms, in other ways it was institutionalizing a set of categorical parameters. Specifically, it did this by demarcating "repeatable methodologies" for quantifying risk: To the extent possible and practical, determinations to disclose or restrict will be based on repeatable techniques or methodologies that enable benefits and risks to be objectively evaluated by VEP participants. This process employs techniques that include assessment factors such as prevalence, reliance, and severity. (U.S. National Security Council 2017, 7) Categorizing risk was to be a formative element of the VEP: "understanding risk was critical" to "ensure an equitable review of vulnerability information," and that the VEP did so by making At the heart of many similar such articulations of "the current environment" was an essentialized view of vulnerabilities' characteristics, that they were something that could be "held on to" and that the government could have a unique (if temporary) hold of.
Underlying this understanding is a linear conception of cause-andeffect, a logic of if/then: if government actors can keep vulnerabilities segregated, secret, then security will follow. The problem with this informational view of vulnerabilities is that it belies a particularly static conception of them, rather than recognizing their emergent and mobile tendencies.
Those in the technical community would contest the government's account as a way to challenge the credibility of their claims that the federal agencies could manage such information, arguing that such an approach belied a technically illiterate understanding of vulnerabilities as something that could "held on to." As one former NSA hacker described the matter: …it is obvious to the technical community (although not to lawyers and policy makers) that 0days are not a simple commodity like grain or oil, but often are highly correlated, composed of smaller parts and techniques, and uniquely nonfungible. (Aitel 2016, emphasis added) In distinction to those outside this self-described community, such as lawyers and policy makers, to this "technical community" in the know, such non-fungible and hard-to-categorize matters meant that the VEP could only bound vulnerabilities and disclosure in limited ways. Their tendencies towards being transitory, leaky and moveable, emergent properties of the vicissitudes of execution (Chun 2008) meant that state articulations of the need for secrecy were being challenged by the very tempos and rhythms that they had initially proclaimed as justifications for their secrecy practices. Vulnerabilities and their associated exploits were not so neatly amenable to efforts at itemization and containment, which meant that over the course of its development, the VEP would make its methodological and rational parameters more explicit.
Rather than repeating the technologically determinist arguments discussed earlier in the article that the technologies were overdetermining the governments secrecy responses, we can see instead how disclosure would gradually shift in its meaning and practice, in effect adapting to the timescapes of networked technologies. On technical grounds, given the "non-fungible" characteristics of vulnerabilities and exploits discussed earlier, attempts to develop "repeatable techniques and methodologies" reflected a rationalist desire to impose prescriptive models of risks and their relationship to people (Wynne 1996, 57). The VEP was a manifestation of this desire to quantify and therefore regularize or standardize the decision to disclose.
The 2010 VEP contained tacit criteria for the Equities Review Board to make its determinations based on determinations of its subject matter experts of what their respective agencies' interests would be. Despite the VEP having been established as a procedure in 2010, it emerged that it "…had not been implemented to the full degree that it should have been," with the result that the administration had "…re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities," (Daniel, cited in Zetter 2014 n.p). Earlier incarnations of the VEP had set bounds too constrictively upon disclosure as a binary state, and while the VEP had been instigated, not all the agencies were communicating as consistently or in as coordinated a fashion as the policy called for (Daniel, cited in Zetter 2014). The "reinvigorated" VEP thus made the parameters of disclosure more explicit by incorporating more questions and more explicit thresholds for disclosure over time (Daniel 2014), whilst also broadening disclosure's parameters by expanding its possible permutations into a transitory and non-binary state.  …prioritize the public's interest in cybersecurity and to protect core Internet infrastructure … absent a demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes. (National Security Council 2017, 1) Demarcating between "national security" and "the public's interest in cybersecurity" was thus intended to set procedural and political limits upon the role of disclosure in constituting cybersecurity.
In other words, by making these distinctions, the VEP Charter was setting limits on how far and how much disclosure would produce cybersecurity, in effect setting limits on cybersecurity's otherwise allencompassing scope. Joyce made such a distinction explicit when he rationalized that: What we're trying to carefully weigh is having those capabilities, to be able to use them for national security, while at the same time making sure that it's not a major liability for our economy, for the international community, for our national security." (Joyce, quoted in Bing 2017) Disclosure was important for cybersecurity, but there would be limits to its scope in the name of "our national security." Through the VEP, disclosure would not be immediate in the temporal sense then, but neither would it be immediate (self-evident) in the political or democratic sense. With each iteration of the VEP, the arguments of those in the private sector and policy advocacy communities about the importance of "disclosure" for constituting disclosure were increasingly accommodated into federal initiatives, shaping their imaginaries and the ways that they were actualized through initiatives such as the VEP.
The VEP was intended to allay some of those criticisms. At the same time however, the VEP would build into its process a broader spectrum of what would count as disclosure by institutionalizing exceptions. In 2014, Michael Daniel was reported as implying that the VEP would put vulnerabilities that had been discovered by contractors through the process (Zetter 2014). However, the 2017 Charter made a certain range of exceptions explicit when it stated that: The USG's decision to disclose or restrict vulnerability information could be subject to restrictions by foreign or private sector partners of the USG, such as Non-Disclosure Agreements, Memoranda of Understanding, or other agreements that constrain USG options for disclosing vulnerability information. (National Security Council 2017, 9) This distinction is important, because in working to constitute disclosure as a spectrum of possible variations rather than a binary state, the VEP here was also circumscribing the immediacy of the government's responsibility to disclose in instances where they paid for the vulnerability but did not see it themselves, such as through the use of contractors and proxies. Without concretized thresholds for what counts as disclosure, agencies would thus have more room for autonomy. By making the parameters of disclosure more liminal in this way, government actors were able to reassure outsiders by hailing disclosure-as-transparency, but without setting strict thresholds for agencies to be held accountable to by outsiders. The VEP was thus suffused with references to timing and urgency. The implication here was that if American society was intertwined with information technologies, then they were also intertwined with technological vulnerabilities. As a result, the VEP was intended to act as a means to temporarily set their use apart and to functionally demarcate vulnerabilities from a society "intertwined" with them. As Rob Joyce later defended the VEP at a public event, it was "…just a fact that the government is going to work to develop vulnerabilities and find them for operations. The ecosystem continues to find new and innovative ways to exploit." (Joyce, cited in Newman 2017). Implied here was that government actors were responding to external pressures of "the ecosystem" changing and innovating.
Similarly, the NSA general counsel described how, Physically, and logically, the domain is in a state of perpetual transformation. It enables the transmission of data across international boundaries in nanoseconds-controlled much more by individuals or even machines than by governments... (Ney 2020, emphasis added) In the face of the kinds of criticisms discussed earlier, processes taking place in nanoseconds and through claimed machine speeds would prompt novel questions for state actors trying to both articulate and justify the role of vulnerabilities in their cyberspace operations. As systems evolved, the assumption was that discovery, exploitation and patching would also speed up, lending an urgency to government actions.
As with many matters of risk assessment, different communities expressed competing (and subjective) expressions of the risks calculated by the VEP. Summarizing a principle from the technical security community, one security researcher stated that: It is a well-known fact that security vulnerabilities are not purely technical problems. They usually arise as a result of the interaction of several components, including technical issues, processes, management, and human errors. (Civaner 2020, emphasis added) One of the problems with vulnerabilities is that they do not speak informed of its activities, and to characterize these activities in ways intended to solicit public support by invoking normatively laden ideals of transparency, accountability and responsibility (Pozen 2013). At the same time, the VEP worked to avoid any substantive alternatives to government actions by keeping details of vulnerabilities from being made public. Normatively and procedurally, revealing the VEP under the guise of transparency was a strategic effort at legitimizing the government's actions. Although it is dressed up as transparency for democratic accountability, it sought to focus attention on the processes, rather than questioning why this process was necessary in the first place. It also helped to show that government agencies possess these offensive capabilities (perhaps as a form of deterrence signaling), but without really addressing the contents of the disclosure.
Those vulnerabilities that government actors did reveal, and by extension the hacking capabilities of state agencies, still required interpretation and translation into something politically meaningful.
Policies in the name of "cybersecurity" like the VEP are an example of government actors reimagining established secrecy and security practices in the face of ubiquitous computing. While my empirics focus on the US, this paper has relevance for more general conceptualizations of official secrecy in the age of digital networks and technologically-mediated security contexts. Countries all over the world are pursuing and developing these capabilities through the global internet and the VEP is demonstrative of government actors trying to make sense of ongoing change-processes in the world. Through a critical discussion of the US government's secrecy practices in this context, I suggest that it is possible to see some common themes, behaviors, assumptions and technologies that can shed light on wider global patterns (Marx 2007).

Conclusion
At first reading, it appears that the story of the VEP fits the standard conceptualization of disclosure as instrumental, undertaken strategically to manage PR, to manage expectations, to allay fears in the public that the government is undermining its own transparency and accountability ideals. There is certainly an element of what Bratich would call spectacular secrecy here.
But in a second reading, we can see how practices and conceptualizations of disclosure have emerged and iterated. Attending to time and technologies has allowed us to shift away from linear conceptions of cause and effect, to more processual and therefore contingent arrangements of structures and agents. The secrecy practices that governmental actors are seeking to rationalize here are not about the closing off or concealment of knowledge that the government already possesses, but about a speculative secrecy that anticipates the need to claim as-yet undiscovered vulnerabilities in the future for national security purposes. Disclosure does not operate solely in the past (as a reference to historic entities or information already discovered), or in the present (as the simple revelation of these entities). Indeed, in the case of entities like vulnerabilities that are emergent properties rather than informational "nuggets," such a linear and informational model of the relationships between secrecy and revelation have been the very thing that government actors have struggled to transpose.
At the same time, we can see not only how vulnerabilities and internet technologies pose particular challenges to government actors seeking to claim a monopoly on secrecy, we can also see how these technologies and political processes have given rise to new interpretations of the concept of disclosure itself, moving beyond regular conceptions of disclosure as a binary state, or even as a spectrum, to a mutable or transitory process. Disclosure also produces opportunities for strategic maneuver in the future, a concept mediated by its interactions with networked technologies, an artifact of the nonfungible qualities of the technological vulnerabilities and capabilities in question. Technologies, and their times, have served to mediate disclosure in particular ways in this particular set of circumstances.
The paper has sought to show how attending to different temporalities, and shifting away from conceptions of secrecy-ascontainment or linear relations between secrecy-and-disclosure, has utility for future work on state secrecy. In this instance, it has shown how government actors have struggled to demarcate those bugs and flaws in code as uniquely governmental, as property, and that they have had to adapt and adopt their approaches in light of external criticisms as much as the "leakiness" of the code and its own secrecy practices. Hegemonic discourses of technological determinism, security and state power, no longer look so certain.