The White House has opened up about the so-called Vulnerabilities Equities Process (VEP) established during the Obama administration, providing its first public explanation of how the government goes about determining whether to disclose cybersecurity flaws or keep them secret.
The Trump administration released the unclassified charter for the equities process Wednesday amid growing concern over the government's stockpiling of exploits and the risk that entails, a risk underscored when classified hacking tools slipped out of the government's control and were used to wage wide-scale cyberattacks against victims in the U.S. and abroad.
Published on the White House website, the charter shows for the first time which government agencies participate in the equities process and the criteria used when deciding whether to disclose otherwise unknown security vulnerabilities -- flaws colloquially called "zero days," because the vendor has had zero days to patch them.
Federal authorities have exploited zero days in digital products in the course of pursuing law enforcement and national security matters, perhaps most notably evidenced by Stuxnet, a malicious computer worm reportedly created by U.S. and Israeli intelligence that sabotaged Iran's contentious nuclear program by harnessing several unpatched security flaws.
Critics argue, however, that by keeping these vulnerabilities secret the government prevents vendors from securing their products and consequently leaves those vendors' customers prone to hacking.
Indeed, Microsoft vulnerabilities previously hoarded by the National Security Agency (NSA) were leaked online and ultimately weaponized into WannaCry, a ransomware strain that crippled computer systems in more than 150 countries earlier this year and briefly sidelined the United Kingdom's National Health Service (NHS), among other victims. Microsoft had issued a patch for the underlying flaw two months before the outbreak, but systems that had not applied it remained exposed.
Any decision to withhold security bugs must be revisited one year later, and the government must issue an annual report providing information on the equities process, according to the charter published Wednesday.
The agencies that participate in the equities process include the Departments of Commerce, Defense, Energy and Homeland Security, as well as the Secret Service, the Office of the Director of National Intelligence, the NSA, the CIA, the Treasury, the State Department and the White House, the charter revealed.
The government considers criteria including the severity of the vulnerability and the scope of potential victims while determining whether to disclose security bugs, according to the charter.
"The United States is a world leader when it comes to sophisticated processes and conversation on this topic, and no other nation has created and run a process as advanced, meticulous and transparent as ours," White House cybersecurity coordinator Rob Joyce said in a blog post published alongside the charter. "While not infallible, these processes ensure rigorous consideration of all factors vital to our national security."
More than 90 percent of security flaws detected by the government are ultimately disclosed to vendors, Mr. Joyce said at an event Wednesday, but critics including former NSA analyst Edward Snowden said the statistic wasn't terribly meaningful.
"The percentage of [vulnerabilities] the government discloses to vendors is largely PR," tweeted Mr. Snowden, who in 2013 leaked classified documents detailing the NSA's previously secret operations. "The public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones. We need to know the severity of disclosed vulnerabilities, not just the number."
"The most conservative solution is a strict limit on length of retention: if it's older than 90 days (some argue 180), it's time to roll over to a new vuln and patch the previous," Mr. Snowden suggested. "When replacements can no longer be produced, that's not a loss; it means defense has finally matured."
© 2017 Washington Times under contract with NewsEdge/Acquire Media. All rights reserved.