The U.S. government’s role in vulnerability disclosures is a vital part of our national security and should be codified in law, said a group of policy experts at a panel discussion last week at the RSA Conference. The panelists argued that the government’s current process of vulnerability use and disclosure, called Vulnerability Equities Process (VEP), is voluntary and should be protected by law.
“With a new administration, there is concern it might wield its powers over the government’s security apparatus and that would include the VEP,” said Susan Hennessey of the Brookings Institution and former attorney for the National Security Agency. “There is an appetite to put additional protections in place around the VEP so that it is protected from the discretions of the federal government.”
VEP is a controversial process that resides in the NSA that determines whether the government should withhold or disclose information about computer security vulnerabilities. Iterations of the VEP have existed in some form since 2008. Its existence didn’t become widely known until 2016 when the Electronic Frontier Foundation filed a lawsuit under the Freedom of Information Act in order to gain access to the VEP.
Ever since then, the VEP has been a lightning rod for government critics who have long claimed the process isn’t transparent enough and protects government security researchers whom critics claim stockpile discovered and purchased vulnerabilities for intelligence operations. VEP criticism hit a high watermark in 2014 when the federal government was accused of having advanced knowledge of the Heartbeed bug and not warning the public. That’s a claim the NSA denies.
According to panelist Heather West, a senior policy manager for Mozilla, the VEP may be imperfect, but it’s the best the U.S. has in terms of a government vulnerability disclosure policy.
“From our perspective, it’s time for this process to be codified in law,” West said. “We need to make sure it continues to operate at the level it is today.” She acknowledged there could be a lot more transparency and accountability in the process, but argues the framework that exists today for vulnerability disclosure by the U.S. government is the envy of the world and needs to be preserved.
What is known about the VEP comes from a heavily redacted document released in January 2016. Briefly, it lays the groundwork for when the government should disclose a vulnerability. It weighs many criteria for disclosure such as how likely is it that others will discover the vulnerability, how badly the vulnerability is needed to obtain intelligence, and what are the risks posed and the harm that could be done if the vulnerability is left unpatched.
“We need to move from what is an interagency agreement to substantiate VEP into law,” said Rob Knake senior fellow with The Council on Foreign Relations and Former Director for Cybersecurity Policy at the White House National Security Council. “I think it’s time to put a legal framework around this process. It’s something the intelligence industry and the software industry are looking for and we hope the administration is listening.”
Knake and other panelists said making VEP law would inspire trust in the vulnerability disclosure process by its skeptics. He also said legal accountability would force the NSA to be more transparent in its VEP oversight. Currently the VEP is an administrative policy, not law nor executive order.
“Right now there are no penalties for individuals to hold back information,” Knake said. “If you’re concerned about accountability, then making VEP law offers a lot of fringe benefits from congressional oversight to individual accountability.”
Neil Jenkins director of the Enterprise Performance Management Office with the Department of Homeland Security, said the VEP processes was reinvigorated over the past few years by the Obama administration. Its goal, he said, is responsible and speedy disclosure of vulnerabilities and working with the private sector on patching.
“It’s not in our national interest to build up a stockpile of vulnerabilities to hide behind for intelligence purposes. We have to get them out so that systems remain secure,” Jenkins said.
Jenkins said, currently government researchers find 100 vulnerabilities a year with about two percent withheld from the VEP for intelligence purposes. “In a small number of cases, where we do restrict dissemination of the vulnerability, we look at those vulnerabilities regularly and make a determination every three to six months as to whether to release them,” he said.
During the discussion, panelists mostly sidestepped thornier questions that came up such as whether the government’s vulnerability disclosure policies currently skewed toward offensive purposes versus defensive purposes.
However when it came to the hot-button issue of the government buying vulnerabilities, panelist Knake advocated a new approach. “I’d like to see the U.S. government actively looking for more vulnerabilities and supporting the research community. I also think they should push the vast majority of those vulnerabilities back to companies and only use vulnerabilities they need for a very short time,” he said.
Knake said by accelerating the pace of discovering and buying vulnerabilities and then disclosing them, it would raise the bar for security across the board.
“I love the notion of a beautiful virtuous cycle of finding vulnerabilities and patching them and then finding more,” Hennessey said. “I wouldn’t hold your breath that will happen anytime soon.”
She argued cost of the strategy would be too high when it came to government vulnerability research. She added the more often the U.S. government paid for vulnerabilities the higher it would drive the cost up in the market for vulnerabilities.
“That plan also doesn’t account for the fragility of intelligence. It’s not so easy to replace one unknown vulnerability with another. Whenever the government doesn’t have those vulnerabilities it makes their job even more difficult,” Hennessey said.