The federal government has declassified portions of the Vulnerabilities Equities Policy and Process (VEP) revised charter detailing when it will divulge unearthed software bugs to vendors and users and when it will keep them hidden from view.
In plain English, the federal interagency process known as VEP is where the fate of newly found cyber vulnerabilities not yet in the public domain are determined. Will the feds allow a known flaw to be fixed by the vendor or left as is for possible weaponizing in cyber warfare? VEP is where and how those determinations are made.
The White House believes that opening aspects of the VEP to public review is a step in the direction of transparency, one designed to speak to criticism from the private sector on the VEP’s overly secretive internal processes. Certainly, the timing is right: The National Security Agency (NSA) has been roundly accused of stockpiling vulnerabilities to the detriment of software makers and users. Stashing bugs has made it a juicy target for adversarial hackers such as the Shadow Brokers, critics have argued.
Along with specifying how the feds will release cyber flaw information to the public, the 14-page document lists who has say-so on the VEP’s Equities Review Board -- it hadn’t been previously known who has a seat at the table to decide whether to give voice to a bug or keep it quiet.
Stakeholders include the Departments of Commerce, Defense, Energy, Homeland Security, Justice, State and Treasury as well as the CIA, FBI and NSA, the latter of which is designated as the “executive secretariat” tasked with record keeping, communications and drafting annual reports to Congress and the public.
Rob Joyce, the White House’s cybersecurity coordinator, oversees the entire process. In a blog post announcing the revamped VEP, he said “there can be no doubt that America faces significant risk to our national security and public safety from cyber threats.” The task, he said, is to “find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.”
The government faces a balancing act between publicizing “every vulnerability discovered” and preserving “some select capability” to act against cyber criminals “whose actions might otherwise go undiscovered and unchecked,” Joyce wrote.
Until the Electronic Frontier Foundation (EFF) filed suit under the Freedom of Information Act last year to make the VEP public, it was deemed classified material.
“Many of the changes to the VEP do seem intended to facilitate transparency and to give more weight to policies that were previously not reflected in the official document,” wrote Andrew Crocker, EFF staff attorney, in a blog post. “In spite of these positive signs, we remain concerned about exceptions to the VEP.” In some cases, vulnerabilities that are part of the process can be restricted by non-disclosure agreements with outside contractors, he said.
