White House unveils process behind disclosing software vulnerabilities
The White House released a charter Wednesday that it says brings more clarity and transparency to the vulnerabilities equities process (VEP), the mechanism by which the U.S. government determines to either withhold or disclose information to tech companies about newly discovered flaws in their software.
The charter lays out the core considerations taken into account by the U.S. government when one of these vulnerabilities — called zero-days — comes into its possession, weighing “the benefit to national security and the national interest” when deciding whether to secretly retain a vulnerability, for use in spying operations, or disclose it to the manufacturer so the software can be fixed or patched.
“Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests,” reads a fact sheet about the charter. “The new VEP Charter balances those interests in a way that is repeatable and defensible, and its publication will bolster the confidence of the American people as we continue to carry out this important mission.”
Despite the additional transparency and regularity that the charter is intended to bring to the VEP, at least one congressional critic said he would push ahead with an effort to enshrine the process in legislation.
“This has always been handled administratively, I get that,” Sen. Ron Johnson, R-Wis., said in a brief statement emailed to CyberScoop. “But I think it would be helpful to do something in statute.” In May this year, along with Sen. Brian Schatz, D-Hawaii, Johnson introduced the PATCH Act which would give the VEP a basis in law.
At an event held Wednesday by the Aspen Institute, White House Cybersecurity Coordinator Rob Joyce gave more insight into how the process has evolved since President Donald Trump took office in January.
Joyce said the charter, which has been in the works for several months, shined a light on the “sophisticated conversation” that goes into the process. Previously, Joyce said information about the interagency debates “was held out of executive privilege” and “not a lot of details” about what went into the decision making were available to parties who needed it.
The charter would also cover zero-days the government purchases from private sector hackers-for-hire, Joyce said. “They will come to the VEP,” he said. When agencies buy such zero-days on a “non-exclusive basis” — meaning they cannot legally disclose them due to the terms of the contract — “You still have to tell every member of the VEP that you’ve invoked that exception … and reveal all of the details” to the White House cybersecurity coordinator.
“So that gives us a framework and a set of insights we never had” under the current system, said Joyce, where agencies could simply say they can’t disclose for contractual reasons.
Under the new charter, “departments and agencies are discouraged from [using] those [contractual] vehicles,” he added. “We should be structuring our engagements with commercial entities going forward in such a way that we are purchasing with the right to disclose if we need to.”
The new charter also takes account of “diplomatic equities,” he added, regarding vulnerabilities in foreign-made products and the possible use by allied intelligence services of vulnerabilities the U.S. government might be set to disclose.
“If we have previously shared a capability with another nation, and we chose to disclose it, that impacts their capabilities as well as ours,” he said. He said the U.S. was touting the revamped process to the allies it shares intelligence with most closely, the so-called “Five Eyes,” in the hope of promoting its use internationally.
As part of its increased transparency, the charter lays out four sets of considerations that are weighed in VEP discussions:
- Threat considerations, like how widely used the vulnerable product is and whether it is found in key industries or businesses.
- Impact considerations, like how much users rely on the security of the product, how severe the vulnerability is, and what the consequences of its exploitation by bad actors would be. Also weighed is whether enough users will actually install any patch to offset the harm to security caused by educating attackers about the vulnerability — which can often be reverse-engineered from the patch or fix.
- Mitigation considerations, like whether there are ways to configure software that will close the vulnerability — especially if such mechanisms are already part of existing best-practice guidance. Also included is consideration of whether the manufacturer is likely to actually patch the flaw.
- Vulnerability considerations, like “What access must a threat actor possess to exploit this vulnerability?” and “How likely is it that threat actors will discover or acquire knowledge of this vulnerability?”
The final point touches on a huge debate in the cybersecurity community, over what’s called the rediscovery or collision discovery rate — how often vulnerabilities discovered and secretly retained will be discovered by others. Rediscovery is important because, if the U.S. government hasn’t disclosed the flaw so it can be fixed, it can be exploited by other actors who independently find it. Different studies have come to different conclusions about the rediscovery rate, but Joyce said, for the ones employed by U.S. intelligence, his experience was that the rate was very low.
“The kinds of vulnerabilities we use … are rarely rediscovered by anyone else,” he said.
According to the charter, the following federal entities have a seat at the VEP table:
- Department of Homeland Security, particularly the National Cybersecurity and Communications Integration Center
- Secret Service
- Office of the Director of National Intelligence
- Department of Treasury
- Department of State
- Department of Justice
- FBI’s National Cyber Investigative Joint Task Force
- Department of Energy
- White House’s Office of Management and Budget
- Department of Defense, particularly U.S. Cyber Command and the Cyber Crime Center
- National Security Agency
- Department of Commerce
- Central Intelligence Agency
Joyce said that with the new considerations, all sides of the table “come away a little unhappy,” but the “give and take” is necessary since so much of society is “intertwined with IT.”
“We run government on IT, we run military operations using computers, we trust the banking industry, we trust the grid to be computer controlled,” Joyce said. “If there is a flaw, there is an imperative to close that hole and make sure its exploits, so our well being, our financial well being is protected. On the other side, we have the need to produce foreign intelligence.”
Over the past few months, the process has come under scrutiny from the infosec community as critics have charged that the U.S. government hoards a stockpile of zero-day vulnerabilities and fails to alert companies of the flaws because it wants to retain strategic intelligence advantage. Joyce pushed back against that notion, saying the idea of a stockpile is a “falsehood,” and the U.S. government’s communication with software companies is “outstanding.”
Software companies are “not getting tips from Russia, China, Iran, North Korea to close holes,” Joyce said. “It just doesn’t happen.”
You can read the full charter here: http://www.documentcloud.org/documents/4223719-External-Unclassified-VEP-Charter-FINAL.html
Shaun Waterman contributed to this story.