Vulnerabilities Equities Process: Feds' Obligation To Inform Public May Change

The White House released its Vulnerabilities Equities Process (VEP) Wednesday, revealing to the public the unclassified set of rules used for determining if a security vulnerability should be shared or kept private.

The rules deal in largely with security vulnerabilities that have otherwise yet to be discovered and have not been patched and are used to determine when the government is obligated to report those threats to vendors—and perhaps more importantly, when it isn’t.

VEP, which was established under the Obama administration and largely kept secret until Wednesday, provides a framework for government agencies to disclose zero-day security vulnerabilities.

The process requires review from a board consisting of multiple intelligence agencies. Through that review process, the agencies determine if the government should inform a tech company or other firm of a security flaw or if it will keep the information secret to use for its own purposes, including intelligence operations.

Agencies involved in the review process include the Department of Defense, National Security Agency, CIA, Department of Justice, FBI, Department of State, Department of Homeland Security, Office of Director of National Intelligence, Department of Treasury, Department of Energy, Department of Commerce and Office of Management and Budget and the White House.

Members of the board review four primary areas when determining if a vulnerability will be disclosed or stashed. The group looks to determine how widespread the vulnerable product is, how easy the vulnerability is to take advantage of, how much damage could be done if the flaw were to be exploited and how easy it is to fix the issue.

The group then reviews the potential benefits for the government if it were to hold on to the exploit for its own purposes. That is weighed against potential risks that would be posed to organizations and businesses in the U.S. and other countries by the vulnerability and how it would be handled if it was learned an attack was the result of an exploit that the government knew about ahead of time.

That particular scenario was put into practice earlier this year, when a stolen exploit that was being held by the NSA was used to carry out the WannaCry ransomware attack. The attack spread to over one million machines across the world and disrupted the operation of businesses and government organizations. The NSA failed to disclose the exploit to Microsoft until it was discovered to have been stolen.

When executed, the review process takes place within five days—and is performed faster if there are already attacks making use of the vulnerability. The board reaches consensus on whether to disclose the flaw or not. If they choose to disclose an issue, the company affected is informed within seven business days. If the board chooses to keep the exploit secret, it is subject to an annual review by the board to determine if it is still of value.

"In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest," according to the policy.

The decision to disclose the VEP review process is considered a rare but important act of transparency that provides insight into how the government deals with security vulnerabilities. In a blog post published Wednesday, White House Cybersecurity Coordinator Rob Joyce said improved transparency is critical to the process.

“The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities,” Joyce wrote, noting that the White House has “spent the last few months reviewing our existing policy in order to improve the process and make key details about the VEP available to the public.”

The White House was in part applauded for the step taken to provide transparency to the public regarding vulnerability disclosure. Michelle Richardson—the Deputy Director of Center for Democracy and Technology's Freedom, Security, and Technology Project—said the disclosure of the policy "is unprecedented and should prevent the government from amassing vulnerabilities for later use."

"The list of considerations to guide any single determination clearly recognizes how high the stakes are, and we hope the forthcoming statistics reflect the charter's preference for protecting the health of the internet and its users. Government hacking may be a necessary evil, but it still can be conducted in a targeted, thoughtful way," she said.

Ben Johnson, the co-founder and chief technology officer of Obsidian Security and a former NSA computer scientist, told IBT VEP is "a step in the right direction" and noted, "having a more clearly defined process, with important considerations and factors being weighed, will fill a gap that has existed with potentially very significant consequences."

Johnson said there are still plenty of challenges, including the fact that "organizations will have to follow the process for it to be worth anything." He also said that the context surrounding a vulnerability is often unique so it is hard to say the government will respond in any sort of uniform way even with the guidelines.

"If the government discloses a vulnerability and then other organizations do not upgrade or patch, did the government just give away a potentially effective tool for very little defensive benefit? ... It's very hard to quantify the cyber value-at-risk when it comes to how damaging potential attacks would be, so any calculations used to weigh various costs and benefits will likely be inaccurate," Johnson said. "This is a good step to work toward protecting our virtual borders while remaining capable of intelligence, but more work is to be done.”

The disclosure process is not without its flaws or its critics. Former NSA contractor and whistleblower Edward Snowden pointed out a loophole in the rules that exempt critical flaws in U.S. infrastructure from disclosure.

“The [United States government’s] decision to disclose or restrict vulnerability information could be subject to restrictions by foreign or private sector partners of the USG, such as Non-Disclosure Agreements, Memoranda of Understanding, or other agreements that constrain USG options for disclosing vulnerability information,” the policy reads.

According to Snowden, that portion of VEP provides digital arms brokers who bring flaws to the government the ability keep exploits secret by using non-disclosure agreements, which prevent the government from disclosing the information.

Willis McDonald, the threat research manager at Core Security, told International Business Times that while the disclosure of VEP provides some important information for the public, he said its failure to include any members of private organizations on the review board skews the perspective of the review process.

“The VEP council does not include any representation from either commercial or international entities. For national security purposes this is an obvious exclusion but closes the door on external oversight of decisions deemed in the interest of national security,” he said.

McDonald also pointed out the scope of VEP is relatively limited, in part thanks to loopholes like those highlighted by Snowden. As such, government agencies have free rein to do what they would like with exploits that do not fall under the guidance of VEP.

“Vulnerabilities discovered and shared by international partners are not addressed by the VEP, which would allow a participating entity to report the vulnerability as they see fit,” McDonald said. “The VEP merely expands the agency participants in procedures and councils already in place for making decisions on reporting vulnerabilities.”