With increasing calls for improved transparency of the tools government uses to determine the security flaws that it can use in its cyber efforts and which to disclose, the White House Wednesday made public the vulnerability equity policy (VEP) process created by the Obama administration but mostly shrouded in secrecy.
“Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use,” White House Cyber Czar Rob Joyce wrote in a blog post. “Those exploits produce intelligence for attribution, evidence of a crimes, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities.”
But government faces a challenge “to find and sustain the capability to hold malicious cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace,” he said, noting that the interagency VEP process for “newly discovered cybervulnerabilities that are not yet in the public domain” was developed “in recognition of these competing considerations.”
The process is intended to improve transparency, represent the interests of a multitude of stakeholders, establish accountability both of the process and its operators, and encourage the “informed and vigorous dialogue” critical to government’s function, Joyce said.
The VEP, according to a charter released by the White House, “balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the [U.S. government], and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence.”
That determination, though, is only one part of the VEP. “Other options that can be considered include disseminating mitigation information to certain entities without disclosing the particular vulnerability, limiting use of the vulnerability by the [U.S. government] in some way, informing U.S. and allied government entities of the vulnerability at a classified level, and using indirect means to inform the vendor of the vulnerability,” according to the charter, which defines the method for “evaluating competing considerations” so that a decision can be made. “All of these determinations must be informed by the understanding of risks of dissemination, the potential benefits of government use of the vulnerabilities, and the risks and benefits of all options in between.”
The charter establishes an Equities Review Board (ERB) for interagency deliberation and VEP determinations that includes representatives from the Office of Management and Budget (OMB, Office of the Director of National Intelligence (DNI), Treasury Department, State Department, Justice Department (including the FBI), Department of Homeland Security (DHS) and the U.S. Secret Service, Energy Department, Defense Department of Defense (including the National Security Agency), U.S. Cyber Command, Commerce Department and CIA.
The NSA will serve as the VEP’s executive secretariat.
“Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests,” Joyce wrote, adding that the charter offers a “repeatable and defensible” method for balancing those interests. “By making it public, we hope to demonstrate to the American people that the Federal Government is carefully weighing the risks and benefits as we carry out this important mission.”