UPDATE: Just after 9AM Washington, D.C. time the US government published three documents that describe its Vulnerabilities Equities Policy (VEP) and the process by which decisions about vulnerability disclosure are made. Here are the documents:
- Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do
- A statement, posted on the WhiteHouse.gov website by Rob Joyce, the White House Cybersecurity Coordinator
- Vulnerabilities Equities Policy and Process for the United States Government
- A 14-page unclassified PDF describing the Vulnerability Equities Process (VEP) in some detail
- FACT SHEET: Vulnerabilities Equities Process
- A 3-page summary, including a listing of the Defensive Equity Considerations
This followed our earlier reporting that the Trump administration was set to release its rules for determining whether to disclose the cyber vulnerabilities that government agencies find, according to a national security official in the US who spoke to the Reuters news agency.
The anonymous source told Reuters that the revised rules would be released on whitehouse.gov on Wednesday. The changes are expected to make the process, which federal agencies go through when dealing with finding cybersecurity flaws, more transparent.
The move is likely to be seen as an attempt by the US government to fend off criticism that it routinely exposes internet security by keeping cybersecurity flaws and vulnerabilities secret. According to the report on Reuters.com, the proposed rule change will name the agencies involved in the process, such as the Departments of Commerce, Treasury and State.
Currently the US government employs an inter-agency review, created under former President Barack Obama. Known as the Vulnerability Equities Process, it is tasked with deciding what happens to any cybersecurity flaws that is discovered by the National Security Agency (NSA).
This approach to online security has received criticism from experts who claim a failure to disclose findings has a more negative impact on the industry, with Reuters pointing out the dangers experts find with the approach:
“The criticism grew earlier this year when a global ransomware attack known as WannaCry infected computers in at least 150 countries, knocking hospitals offline and disrupting services at factories.
The attack was made possible because of a flaw in Microsoft’s Windows software that the NSA had used to build a hacking tool for its own use."
Named WannaCryptor, but also referred to as WannaCry, this malicious code spread rapidly by utilizing the EternalBlue SMB exploit, part of a large collection of files that leaked from the NSA.
According to Stephen Cobb, a Senior Security Researcher at ESET, "The view among many security researchers, myself included, is that the risks of vulnerability hoarding outweigh the benefits in pretty much every case."
While welcoming the increased transparency around the government's Vulnerabilities Equities Policy provided by today's statements and publications, Cobb points out that in 2017, "We witnessed the manifestation of one of those vulnerability hoarding risks: that the bad guys will cause hundreds of millions of dollars' worth of damage by exploiting a hoarded vulnerability."
Adds Cobb, "In light of that incident there is a strong argument for saying that if a super-secretive agency can't keep secret vulnerabilities secret, then the government's duty of care to society would be better served by working with industry to fix all vulnerabilities as soon as they are discovered."