Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/15/2017
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

White House Releases New Charter for Using, Disclosing Security Vulnerabilities

Updated Vulnerability Equities Process provides transparency into how government will handle new vulnerabilities that it discovers in vendor products and services.

Technology experts and others have been demanding greater transparency on the US government's practices for handling security vulnerabilities that it learns about, especially after the Shadow Brokers group leaked a tranche of top-secret National Security Agency attack tools and exploits last year.

On Wednesday, the Trump administration responded to those calls with a new version of the so-called Vulnerability Equities Process (VEP) governing the use and disclosure of software vulnerabilities that the NSA and other government agencies might discover.

The VEP charter provides fresh details on the process the government uses to determine whether to notify a private company about a security flaw in its products or services or to exploit it for intelligence gathering and other purposes.

The document — released by White House cybersecurity coordinator Rob Joyce — addresses several of the questions that people have asked in recent months about how VEP works, oversight, the agencies involved in the process, and other aspects. It also promised annual statistics on the number of vulnerabilities the government retains for later exploitation and the number disclosed to affected vendors — another major demand from industry stakeholders.

"It's good to see the White House releasing this document publicly without redactions," says Andrew Crocker, staff attorney at the Electronic Frontier Foundation (EFF).

The rights group had previously filed a Freedom of Information Act lawsuit against the government for its failure to release adequate details on VEP. "The revised VEP is a step forward on transparency — it makes public a good deal of information that the government withheld throughout EFF's lawsuit over the previous version of the VEP."

The US government, like many other governments worldwide, routinely stockpiles vulnerability information and exploits that it discovers so the information can be used later for surveillance, intelligence gathering, and law enforcement purposes. As Joyce noted in his announcement Wednesday, the exploits can produce valuable intelligence for attribution, evidence of crimes, enable investigations and help build better cyber offensive capabilities.

But many cybersecurity experts have said that indiscriminately withholding vulnerability and exploit data from affected technology vendors is extremely dangerous and could expose organizations using products from these vendors to devastating attacks. Several of the NSA attack tools that Shadow Brokers leaked last year, for instance, exploited zero-day flaws in widely used systems from major vendors such as Cisco and Microsoft. One of the leaked tools, code-named Eternal Blue, was used in the WannaCry ransomware attacks that ravaged computers worldwide earlier this year.

The argument has been that if the US government can find these flaws, others, including cybercriminals and nation-state actors, can as well. It's only by disclosing vulnerabilities in a timely manner that vendors have a chance to fix flaws before exploitation by adversaries.

Joyce acknowledged such concerns in spelling out how the VEP works and in describing the process the government will now use to handle information pertaining to new and previously unknown vulnerabilities.

Under the process, most new and unknown vulnerabilities that federal agencies might discover have to go through the VEP.  A board comprised of representatives from 10 agencies including the CIA and the Departments of Defense, State, Justice, and Treasury will meet monthly to review the vulnerabilities. The board is responsible for determining whether the government should disclose the vulnerabilities to the respective technology vendors so the flaws can be patched or to restrict dissemination of the information.

Among the factors the board will consider are how broadly an affected product is being used, how easily discoverable and exploitable a flaw might be, the impact of exploitation and how easy or not it is to mitigate. From an intelligence and operational standpoint the board will consider how useful a flaw might be in supporting intelligence collection and whether it provides any operational value against cyber actors or their infrastructures.

In some cases, the government might decide to release mitigation information without releasing vulnerability details. Or it might restrict how the vulnerability can be used and by which agencies. The goal in all cases is to ensure a balance between the need to properly secure systems versus the need for government to maintain and edge in cyberspace. Under the new charter, agencies do not always have to go through VEP. But requests for exceptions will have to go through the White House's National Security Council.

Importantly, the charter creates an annual classified and unclassified reporting requirement on VEP to Congress to ensure proper oversight.

Crocker says the charter makes public a good deal of information that the government had previously withheld. That includes details like the list of agencies that participate in the decision to retain or disclose vulnerabilities and the list of considerations the group will use to reach decisions. Crocker says he is also pleased that the document contains explicit acknowledgement that exploiting vulnerabilities poses potential harm to individual privacy, the economy, and national security.

"However, we remain concerned about potential loopholes allowing vulnerabilities to avoid entering the VEP at all," Croker notes. "Exceptions for vulnerabilities obtained under non-disclosure agreements are problematic because NDAs are reportedly very common in this area."

Daniel Castro, vice president of the Information Technology and Innovation Foundation, said the White House has addressed many of the transparency concerns heads on with the new VEP charter.

"The information put out today by the White House is a huge positive step forward on transparency in the Vulnerabilities Equities Process," he said. In crafting the new process the administration appears to have clearly heard the requests for transparency and oversight from many stakeholders, he said.

"Now that we have a fully documented process and commitments to publish annual metrics, we can start to have a productive debate about how to assess and improve that process."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8904
PUBLISHED: 2020-08-12
An arbitrary memory overwrite vulnerability in the trusted memory of Asylo exists in versions prior to 0.6.0. As the ecall_restore function fails to validate the range of the output_len pointer, an attacker can manipulate the tmp_output_len value and write to an arbitrary location in the trusted (en...
CVE-2020-8905
PUBLISHED: 2020-08-12
A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows an attacker to read data they should not have access to. The 'enc_untrusted_recvfrom' function generates a return value which is deserialized by 'MessageReader', and copied into three different 'extents'. The length of ...
CVE-2020-12106
PUBLISHED: 2020-08-12
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows unauthenticated users to send HTTP POST request to several critical Administrative functions such as, changing credentials of the Administrator account or connect the product to a rogue access point.
CVE-2020-12107
PUBLISHED: 2020-08-12
The Web portal of the WiFi module of VPNCrypt M10 2.6.5 allows command injection via a text field, which allow full control over this module's Operating System.
CVE-2020-7374
PUBLISHED: 2020-08-12
Documalis Free PDF Editor version 5.7.2.26 and Documalis Free PDF Scanner version 5.7.2.122 do not appropriately validate the contents of JPEG images contained within a PDF. Attackers can exploit this vulnerability to trigger a buffer overflow on the stack and gain remote code execution as the user ...