The Trump administration is making what was a previously secret process for disclosing software vulnerabilities more transparent. Rob Joyce, the White House cyber coordinator, said the administration released new details Nov. 15 about how the government decides which software bugs to tell the vendor about and which ones to keep secret for use by intelligence or law enforcement agencies.
The White House made public its Vulnerabilities Equities Process (VEP) describing eight broad factors the Equities Review Board — an interagency committee — uses to make disclosure decisions.
“That actually is a pretty hard debate. It’s a sophisticated conversation. It’s one that the U.S. government has been having for a number of years. It’s gone on at NSA within the dual-hat society that lives at NSA for a number of years, and then it was rolled up to an interagency process led out of the White House previously,” Joyce said during an event at the Aspen Institute in Washington, D.C. “One of the problems we found with that is that it was held as executive privilege. Since it was run out of the White House, there was not a lot of detail about the considerations that went into the decisions, there was not a lot of information about who was in the room participating, and there wasn’t a lot of transparency in just the whole way it was run, up to and including the information flow that was available to overseers. As we entered into this administration, we felt we needed to relook at it.”
Joyce said the process didn’t change substantially, but got a lot tighter based on lessons learned. The White House last addressed the VEP in 2010.
The desire to alert software developers about existing bugs intensified after the National Security Agency allegedly suffered a breach of software vulnerabilities it was using or developing. The group responsible, called the Shadow Brokers, claims it took the data from a government contractor.
Joyce said the Obama administration recognized the need to re-charter the VEP based on the ongoing and ever-increasing cyber threats. The Trump administration took it on and came to this new approach.
The 10-member board includes the departments of Commerce, State, Energy, Defense and Homeland Security, as well as the intelligence community and the Office of Management and Budget.
The White House said the board will consider a number of factors, including defensive equities such as the threat and severity of the vulnerability, and operational, commercial and international issues with revealing the weaknesses.
Joyce said the board will balance the reasons to disclose with the operational value of the vulnerability.
He said the government already discloses more than 90 percent of all problems.
“As a result of this re-charter is annual reports at the unclassified level. There are classified exposure and reports to Congress. But there also will be an understanding of what I’ll call ‘goes into’ and ‘goes out of’ so how many vulnerabilities were considered, how many were disclosed and how many were retained,” Joyce said. “It’s not a lifetime waiver. We have a six-month window where every retained vulnerability is reviewed to make sure the conditions are the same or at least similar to when we made that decision. That’s really important. There are rumors of this vast stockpile [of retained vulnerabilities]. That is factually inaccurate.”
Joyce said the VEP board knows it has to push out the bugs more quickly. In some cases, when the intelligence community or law enforcement agencies are using a vulnerability in operational situations, the board revisits its decision after only one or three months.
Additionally, Joyce said if another country or hacker discovers the vulnerability and releases it into the “wild,” then the VEP board would review the bug and decide whether to release it more broadly.
Agencies have focused mainly on finding bugs in existing software over the last few years. Several agencies, ranging from DoD to the General Services Administration, have brought in “white hat” hackers under bug bounty programs.
Joyce said the re-charter gives Congress and software companies more oversight and makes the government more accountable and transparent.