On 15 November 2017, White House Cybersecurity Coordinator Rob Joyce released the government’s new policy on publicizing information about the Vulnerabilities Equities Process (VEP). Long treated as a classified process, VEP is used to decide which vulnerabilities discovered by NSA and other government agencies in hardware, software, network equipment, and industrial control system components can be released to U.S. companies for mitigation and which ones remain classified for potential operational use by intelligence or law enforcement agencies. The VEP will be implemented by an interagency Equities Review Board (ERB) under the National Security Council. NSA will serve as the VEP Executive Secretariat and will be responsible for preparation of ERB meeting agendas, information flow, and record keeping.
Rob Joyce announced the development of a new VEP Charter at the Washington Post “Cyber Summit” in October. He said that transparency in the VEP process was an important goal, adding that NSA historically has disclosed more than 90% of the vulnerabilities it discovered to the affected vendors. The last point is important. While the VEP process is now public knowledge, specific vulnerabilities and related technical information will only be released to the company owning the products with the specific vulnerability.
In his blog post that accompanied publication of the VEP Charter, Joyce discusses the tension created when government discovers vulnerabilities. Should the government release this information in line with its law enforcement and national security responsibilities? Or should government retain knowledge of at least some vulnerabilities to use against “extremely capable actors whose actions might otherwise go undiscovered and unchecked”? His belief is that conducting the risk/benefit analysis of discovered vulnerabilities is “a vital responsibility of the Federal Government.” (For Rob Joyce’s blog, see https://www.whitehouse.gov/blog/2017/11/15/improving-and-making-vulnerability-equities-process-transparent-right-thing-do; the blog includes a link to the Charter, “Vulnerabilities Equities Policy and Process for the United States Government.”)
The VEP Charter outlines the purpose, background, and scope of the VEP as well as the process used when a vulnerability is identified for review. The Charter also reveals the agencies that are on the ERB, described as “the primary forum for interagency deliberation and determinations considering the VEP.” The ERB will consist of ten Executive Branch organizations: OMB, ODNI, Treasury, State, Justice, DHS, Energy, DoD (including NSA, USCYBERCOM, and the DoD Cyber Crime Center), Commerce, and CIA. NSA will serve as the Executive Secretariat. An annual report will be released at the lowest possible level of classification and will include an unclassified Executive Summary.
The Charter emphasizes the need for speed in the determination about whether to release or restrict discovered vulnerabilities. ERB members will be notified within one business day of a reported vulnerability. Upon notification, they must identify any equities they may have. Decisions will generally be made within a two-week period in which all agencies will have the opportunity to agree, disagree, and/or discuss the proposed solution. If there is no consensus, the ERB will consider decision options based on department/agency inputs.
There are some caveats spelled out in the Charter. One concerns the handling and dissemination of vulnerability information to vendors. That can be done by the agency or department that first discovered the vulnerability or it may be delegated to another department. The VEP Executive Secretariat will monitor the process and the ERB will consider the vendor’s response. If the ERB determines that the vendor is not patching the vulnerability for any reason, the U.S. Government may take appropriate mitigation steps.
A second caveat has to do with the process for contesting ERB decisions by one or more of its members. This process will initially include the ERB, but may ratchet up to the Executive Office of the President for final determination about the disclosure (or non-disclosure) of a specific vulnerability.
A third set of caveats focuses on institutional considerations. The needs of defense, intelligence, law enforcement, commercial, and international relations must be considered in the equities review process, and all agencies must safeguard vulnerability information provided by any agency. NSA is responsible for bringing to the ERB any vulnerability reported in Government-Off-The-Shelf (GOTS) products previously certified by NSA. Finally, any malicious activity discovered by any agency in a vulnerability considered by the ERB must be reported to the VEP Secretariat, which will launch an equities review discussion on the next business day.
The last section in the Charter clarifies “Exceptions” to the VEP and ERB process. These include vulnerabilities discovered by security researchers and reported to security organizations like US-CERT for immediate response. These will not be included in the equities review process. Several categories of “misuse” will also not fall under VEP. An important exception is made for any vulnerabilities disclosed to the U.S. by foreign partners or used in sensitive operations. Agencies are required to report anything in these categories to the VEP Secretariat for inclusion in a classified Annex to the Charter.
Public release of the VEP Charter is an exciting and overdue development in cybersecurity. It provides transparency into a decision-making process that is, by definition, complex and highly sensitive. While some critics may say that the Charter is only an administrative directive and not U.S. law, the fact that there is a vulnerabilities equity review process that is well-organized and run as part of the national security process should be comforting to cyber professionals in industry, academia, and elsewhere in government. Professionals will understand that information about some vulnerabilities must be restricted for reasons of national security and law enforcement, but can rest assured that most vulnerabilities discovered by the government will be revealed to the vendors who made the original product. This contributes to the well-being of the U.S. economy and the general public.
The U.S. is not the only country with an equities review process for digital products and systems. NSA’s British counterpart, GCHQ, manages a similar process. The former Director of GCHQ gave an interview to Cipher Brief soon after the White House published the VEP Charter. Robert Hannigan states that the UK Government also releases more than 90% of discovered vulnerabilities, but points out that some discovered vulnerabilities must remain restricted because the government has to retain “some tools” to do the work of intelligence.
Hannigan also notes that the process is not legislated in the UK either, but is run by GCHQ in concert with its new cybersecurity arm, the National Cyber Security Centre. He also points out that GCHQ analysts work closely with NSA, so discussions about vulnerabilities are not done in isolation. (For the full interview, see https://www.thecipherbrief.com/column_article/britains-gchq-decides-secrets-share)