The U.S. government took steps toward offering more transparency into the Vulnerabilities Equities Process. On Wednesday it released the “Vulnerabilities Equities Policy and Process” (PDF) charter, which outlines how the government will disclose cyber security flaws and when it will keep them secret.
The release of the charter is viewed as a positive by critics and a step toward addressing private-sector concerns that the VEP’s framework is too secretive.
“The VEP is in dire need of more transparency and oversight, and we believe today’s announcement makes significant progress towards these objectives,” said Heather West, Mozilla Corp. senior policy manager, in a statement Wednesday.
The release of the 14-page document offers new insights into who makes up the VEP’s Equities Review Board and outlines how the government will publicly release information related to its vulnerability assessment work.
The VEP is the internal process by which the government decides which software vulnerabilities in its possession it will disclose to vendors, and which it will hold on to and exploit for the purposes of intelligence gathering and supporting national security operations.
“The United States is a world leader when it comes to sophisticated processes and conversation on this topic, and no other nation has created and run a process as advanced, meticulous, and transparent as ours,” wrote Rob Joyce, the White House cyber security coordinator, in a post Wednesday announcing the charter.
Disclosed Wednesday were the Equities Review Board members, which include the Departments of Homeland Security, Energy, State, Treasury, Justice, Defense, and Commerce, as well as the CIA and the FBI. The National Security Agency is identified as the VEP and Equities Review Board’s “executive secretariat”.
According to the Vulnerabilities Equities Policy and Process charter, the rules require an annual report that discloses information regarding the number of flaws discovered, retained and disclosed. If the VEP review board votes and agrees that a vulnerability should be disclosed, the affected private-sector company will be notified “when possible” within 7 business days, according to the charter.
The Equities Review Board is required to make only portions of the report public. Part of that annual review will also include decisions about the merits of retaining certain vulnerabilities.
Ari Schwartz, coordinator of the Coalition for Cybersecurity Policy and Law and former Obama administration senior director for cybersecurity, told the Reuters news agency the move by the Trump administration was “a major improvement.” He said the Obama administration was working toward similar transparency (PDF).
VEP remains a controversial process. Iterations of the VEP have existed in some form since 2008. Its existence didn’t become widely known until 2016 when the Electronic Frontier Foundation filed a lawsuit under the Freedom of Information Act in order to gain access to the VEP.
“EFF agrees that more transparency is a prerequisite to any debate about government use of vulnerabilities, so it’s gratifying to see the government take these affirmative steps,” wrote Andrew Crocker, a staff attorney with the EFF, in a blog post Thursday.
However, Crocker said there is still much to be critical of when it comes to the VEP. “In spite of these positive signs, we remain concerned about exceptions to the VEP. As written, agencies need not introduce certain vulnerabilities to the process at all if they are ‘subject to restrictions by partner agreements and sensitive operations.’ Even vulnerabilities which are part of the process can be explicitly restricted by non-disclosure agreements.”
Ever since then, the VEP has been a lightning rod for government critics, who have long claimed the process isn’t transparent enough and protects government security researchers whom critics claim stockpile discovered and purchased vulnerabilities for intelligence operations. VEP criticism hit a high watermark in 2014, when the federal government was accused of having advance knowledge of the Heartbleed bug and not warning the public. That’s a claim the NSA denies.
More recently, the VEP came under fire during the WannaCry ransomware outbreak, in which a leaked NSA EternalBlue exploit was used in the attacks. At the time, the VEP was heavily criticized, and Microsoft President and chief legal officer Brad Smith slammed the U.S. government.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith said.
Asked about the WannaCry attack in October at a Boston cybersecurity conference, Joyce said there was a “patch from Microsoft available (for WannaCry) at the time, actually a couple months before the worm spread. So, the idea of withholding or releasing, in that case, the release was out there.”
Still others in the private sector say the Trump administration’s VEP charter is unsatisfactory. Willis McDonald, threat research manager at Core Security, said the charter is a positive gesture but that more transparency is needed.
“Still too much of the process is cloaked in secrecy,” McDonald said. “In some fashion, the private sector needs a seat at the table when it comes to zero days.”
McDonald said U.S. firms are important stakeholders in the VEP process and need to have appropriate participation and insights into the process of how the various federal agencies decide what flaws to keep secret.