The White House released a charter Wednesday publicly describing the principles, aims and values of the secretive process it uses to decide what hacking tools to keep in its arsenal and which it would report to tech companies to allow them to fix. It marked the first time cybersecurity professionals and policy professionals had a chance to investigate what had been a shadowy system.
The transparency and policies were largely met with positive reviews.
For years, the cybersecurity community tried to piece together how that system – known as the Vulnerabilities Equities Process (VEP) – worked, through Freedom of Information Act requests, innuendo and complex modeling of what little information had been shared with the public.
The Obama administration made clear the VEP existed and involved some sort of executive office panel that would weigh whether the benefits of using a particular vulnerability for espionage would outweigh the potential damage that would occur if criminal hackers or foreign spies discovered and exploited the same vulnerability for their own gain.
One fear had been that the VEP would be too heavily weighted towards the intelligence community's wants.
But a big reveal of the VEP charter was how many civilian agencies and interests are represented.
There are so many agencies in the room that, at an early Wednesday event, White House Cybersecurity Czar Rob Joyce needed to read them from a list.
In addition to the Office of the Director of National Intelligence, Department of Justice, FBI, NSA, Cyber Command, Department of Defense and CIA – all of whom have interests in adding new tools to the arsenal – the VEP contains representatives from the Office of Management and Budget (representing defensive security interests of government systems), Treasury (banks), Energy (the power grid), Commerce (private sector firms, including tech companies), State (foreign interests) and Homeland Security (critical infrastructure).
“What’s most important is the recognition that all agencies have equities in the VEP,” said Heather West, Senior Policy Manager at Mozilla, the maker of the Firefox web browser.
West added she felt Mozilla’s interest was “absolutely” represented by the VEP’s construction.
Michelle Richardson, deputy director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project, said she was impressed that the VEP charter formally designated a policy of disclosing vulnerabilities to tech firms by default. Former Cyber Czar Michael Daniel had publicly claimed this was the official policy, but Richardson did not feel that it had been properly written down in an official capacity.
“There’s a balance in the need to disclose that was really missing from files that were released in the [Freedom of Information Act requests],” she said, adding that “It means a lot for it to be formalized.”
Richardson also backed increased transparency measures, including regular reports sharing statistics about how often the VEP kept or disclosed security bugs.
Joyce said the VEP ultimately discloses more than 90 percent of vulnerabilities to manufacturers for repair. But there had been no official statistic or public accounting in any form.
The VEP drew increased attention from Congress, advocacy groups and tech firms in recent months after two malware outbreaks in rapid succession used vulnerabilities allegedly leaked from the NSA. WannaCry and NotPetya caused havoc internationally, forcing British hospitals to cancel surgeries, a massive shipping firm to temporarily shut down and outages at several other businesses and government agencies around the world.
Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.), as well as Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), responded to the outbreaks with the PATCH Act, a bill that would codify the VEP and place it under the auspices of the DHS.
Richardson said the Center for Democracy and Technology supported the PATCH Act, including its elevation of the civilian, defense-focused DHS’s role in the process.
“But, with the transparency in VEP now available, Homeland Security’s lead is not as important,” she said.
The VEP charter shined some light on controversial aspects of the process in a way that may be unsatisfactory to some stakeholders.
Richardson still hopes that the VEP will be in some way codified.
After the San Bernardino terrorist attacks, the FBI purchased use of a vulnerability from a contractor to break into a suspect's iPhone. That vulnerability never went through the VEP because it was purchased under a non-disclosure agreement.
There were fears from some digital rights quarters that non-disclosure agreements could be used as a loophole to prevent agencies from needing to go through the VEP. The charter leaves in an exemption for vulnerabilities acquired under NDAs.
The VEP charter does not answer one of the primary concerns of Katie Moussouris, chief executive of Luta Security and an expert in vulnerability disclosure strategies.
The VEP, she noted, is based on the idea that government agencies would be able to accurately assess the risk of different vulnerabilities.
“Agencies might not be able to determine that threat without industry assistance, which they can’t get without tipping the industry off,” Moussouris said.
But all experts agreed the public charter gave more insight into a process whose secrecy was counterproductive to its mission.
“It’s a significant step forward in transparency,” said West.
- Content by Joe Uchill, posted on 11/15/2017
- Image credit: Getty
- Originally posted at: http://thehill.com/policy/cybersecurity/360543-cybersecurity-pros-take-first-peek-at-once-secretive-deliberations