Technology experts and others have been demanding greater transparency on the US government's practices for handling security vulnerabilities that it learns about, especially after the Shadow Brokers group leaked a tranche of top-secret National Security Agency attack tools and exploits last year.
On Wednesday, the Trump administration responded to those calls with a new version of the so-called Vulnerability Equities Process (VEP) governing the use and disclosure of software vulnerabilities that the NSA and other government agencies might discover.
The VEP charter provides fresh details on the process the government uses to determine whether to notify a private company about a security flaw in its products or services or to exploit it for intelligence gathering and other purposes.
The document — released by White House cybersecurity coordinator Rob Joyce — addresses several of the questions that people have asked in recent months about how VEP works, oversight, the agencies involved in the process, and other aspects. It also promised annual statistics on the number of vulnerabilities the government retains for later exploitation and the number disclosed to affected vendors — another major demand from industry stakeholders.
"It's good to see the White House releasing this document publicly without redactions," says Andrew Crocker, staff attorney at the Electronic Frontier Foundation (EFF).
The rights group had previously filed a Freedom of Information Act lawsuit against the government for its failure to release adequate details on VEP. "The revised VEP is a step forward on transparency — it makes public a good deal of information that the government withheld throughout EFF's lawsuit over the previous version of the VEP."
The US government, like many other governments worldwide, routinely stockpiles vulnerability information and exploits that it discovers so the information can be used later for surveillance, intelligence gathering, and law enforcement purposes. As Joyce noted in his announcement Wednesday, the exploits can produce valuable intelligence for attribution, evidence of crimes, enable investigations and help build better cyber offensive capabilities.
But many cybersecurity experts have said that indiscriminately withholding vulnerability and exploit data from affected technology vendors is extremely dangerous and could expose organizations using products from these vendors to devastating attacks. Several of the NSA attack tools that Shadow Brokers leaked last year, for instance, exploited zero-day flaws in widely used systems from major vendors such as Cisco and Microsoft. One of the leaked tools, code-named Eternal Blue, was used in the WannaCry ransomware attacks that ravaged computers worldwide earlier this year.
The argument has been that if the US government can find these flaws, others, including cybercriminals and nation-state actors, can as well. It's only by disclosing vulnerabilities in a timely manner that vendors have a chance to fix flaws before exploitation by adversaries.
Joyce acknowledged such concerns in spelling out how the VEP works and in describing the process the government will now use to handle information pertaining to new and previously unknown vulnerabilities.
Under the process, most new and unknown vulnerabilities that federal agencies might discover have to go through the VEP. A board comprised of representatives from 10 agencies including the CIA and the Departments of Defense, State, Justice, and Treasury will meet monthly to review the vulnerabilities. The board is responsible for determining whether the government should disclose the vulnerabilities to the respective technology vendors so the flaws can be patched or to restrict dissemination of the information.
Among the factors the board will consider are how broadly an affected product is being used, how easily discoverable and exploitable a flaw might be, the impact of exploitation and how easy or not it is to mitigate. From an intelligence and operational standpoint the board will consider how useful a flaw might be in supporting intelligence collection and whether it provides any operational value against cyber actors or their infrastructures.
In some cases, the government might decide to release mitigation information without releasing vulnerability details. Or it might restrict how the vulnerability can be used and by which agencies. The goal in all cases is to ensure a balance between the need to properly secure systems versus the need for government to maintain and edge in cyberspace. Under the new charter, agencies do not always have to go through VEP. But requests for exceptions will have to go through the White House's National Security Council.
Importantly, the charter creates an annual classified and unclassified reporting requirement on VEP to Congress to ensure proper oversight.
Crocker says the charter makes public a good deal of information that the government had previously withheld. That includes details like the list of agencies that participate in the decision to retain or disclose vulnerabilities and the list of considerations the group will use to reach decisions. Crocker says he is also pleased that the document contains explicit acknowledgement that exploiting vulnerabilities poses potential harm to individual privacy, the economy, and national security.
"However, we remain concerned about potential loopholes allowing vulnerabilities to avoid entering the VEP at all," Croker notes. "Exceptions for vulnerabilities obtained under non-disclosure agreements are problematic because NDAs are reportedly very common in this area."
Daniel Castro, vice president of the Information Technology and Innovation Foundation, said the White House has addressed many of the transparency concerns heads on with the new VEP charter.
"The information put out today by the White House is a huge positive step forward on transparency in the Vulnerabilities Equities Process," he said. In crafting the new process the administration appears to have clearly heard the requests for transparency and oversight from many stakeholders, he said.
"Now that we have a fully documented process and commitments to publish annual metrics, we can start to have a productive debate about how to assess and improve that process."
- Stockpiling 0-Day Bugs Not So Dangerous After All, RAND Study Shows
- Shadow Brokers Calls It Quits After Failing to Get Buyers for NSA Exploits
- Shadow Brokers Offers Database of Windows Exploits for Sale
- 6 Steps for Sharing Threat Intelligence
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.