  • EDUCATE ...our citizens to be cyber smart, and develop pathways for the future cyber workforce.

  • ENGAGE ...and convene partners to address emerging cyber and cryptologic issues.

  • COMMEMORATE ...our cryptologic history & those who served within the cryptologic community.

THE NCF VISION

Advance the nation’s interest in cyber and cryptology through leadership, education, and partnerships.

UPCOMING EVENTS

*** Remember to check out our "On This Date in History" calendar. See link below.

Saturday, May 4, 2024
8:30 am – 2:00 pm
TAC's TheLink, 7000 Columbia Gateway, Suite 150
Columbia, MD 21046
US

Thursday, October 3, 2024
Waverly Woods Golf Course
2100 Warwick Way
Marriottsville, MD 21104
US

Vulnerabilities in the Spotlight - Vulnerabilities Equity Process (VEP)

On 15 November 2017, White House Cybersecurity Coordinator Rob Joyce released the government’s new policy on publicizing information about the Vulnerabilities Equity Process (VEP). Long treated as a classified process, VEP is used to decide which vulnerabilities in hardware, software, network equipment, and industrial control system components discovered by NSA and other government agencies can be released to U.S. companies for mitigation and which ones remain classified for potential operational use by intelligence or law enforcement agencies. The VEP will be implemented by an interagency Equities Review Board (ERB) under the National Security Council. NSA will serve as the VEP Executive Secretariat and will be responsible for preparation of ERB meeting agendas, information flow, and record keeping.

Rob Joyce announced the development of a new VEP Charter at the Washington Post “Cyber Summit” in October. He said that transparency in the VEP process was an important goal, adding that NSA historically has disclosed more than 90% of the vulnerabilities it discovered to the affected vendors. The last point is important. While the VEP process is now public knowledge, specific vulnerabilities and related technical information will only be released to the company owning the products with the specific vulnerability.

In his blog post that accompanied publication of the VEP Charter, Joyce discusses the tension created when government discovers vulnerabilities. Should the government release this information in line with its law enforcement and national security responsibilities? Or should government retain knowledge of at least some vulnerabilities to use against “extremely capable actors whose actions might otherwise go undiscovered and unchecked”? His belief is that conducting the risk/benefit analysis of discovered vulnerabilities is “a vital responsibility of the Federal Government.” (For Rob Joyce’s blog, see https://www.whitehouse.gov/blog/2017/11/15/improving-and-making-vulnerability-equities-process-transparent-right-thing-do; the blog includes a link to the Charter, “Vulnerabilities Equities Policy and Process for the United States Government.”)

The VEP Charter outlines the purpose, background, and scope of the VEP as well as the process used when a vulnerability is identified for review. The Charter also reveals the agencies that are on the ERB, described as “the primary forum for interagency deliberation and determinations considering the VEP.” The ERB will consist of ten Executive Branch organizations: OMB, ODNI, Treasury, State, Justice, DHS, Energy, DoD (including NSA, USCYBERCOM, and the DoD Cyber Crime Center), Commerce, and CIA. NSA will serve as the Executive Secretariat. An annual report will be released at the lowest possible level of classification to include an unclassified Executive Summary.

The Charter emphasizes the need for speed in the determination about whether to release or restrict discovered vulnerabilities. ERB members will be notified within one business day of a reported vulnerability. Upon notification, they must identify any equities they may have. Decisions will generally be made within a two-week period in which all agencies will have the opportunity to agree, disagree, and/or discuss the proposed solution. If there is no consensus, the ERB will consider decision options based on department/agency inputs.

There are some caveats spelled out in the Charter. One concerns the handling and dissemination of vulnerability information to vendors. That can be done by the agency or department that first discovered the vulnerability, or it may be delegated to another department. The VEP Executive Secretariat will monitor the process, and the ERB will consider the vendor’s response. If the ERB determines that the vendor is not patching the vulnerability for any reason, the U.S. Government may take appropriate mitigation steps.

A second caveat has to do with the process for contesting ERB decisions by one or more of its members. This process will initially include the ERB, but may ratchet up to the Executive Office of the President for final determination about the disclosure (or non-disclosure) of a specific vulnerability.

A third set of caveats focuses on institutional considerations. The needs of defense, intelligence, law enforcement, commercial, and international relations must be considered in the equities review process, and all agencies must safeguard vulnerability information provided by any agency. NSA is responsible for bringing to the ERB any vulnerability reported in Government-Off-The-Shelf (GOTS) products previously certified by NSA. Finally, any malicious activity discovered by any agency involving a vulnerability under ERB consideration must be reported to the VEP Secretariat, which will launch an equities review discussion on the next business day.

The last section in the Charter clarifies “Exceptions” to the VEP and ERB process. These include vulnerabilities discovered by security researchers and reported to security organizations like US-CERT for immediate response. These will not be included in the equities review process. Several categories of “misuse” will also not fall under VEP. An important exception is made for any vulnerabilities disclosed to the U.S. by foreign partners or used in sensitive operations. Agencies are required to report anything in these categories to the VEP Secretariat for inclusion in a classified Annex to the Charter.

Public release of the VEP Charter is an exciting and overdue development in cybersecurity. It provides transparency into a decision-making process that is, by definition, complex and highly sensitive. While some critics may say that the Charter is only an administrative directive and not U.S. law, the fact that there is a vulnerabilities equity review process that is well-organized and run as part of the national security process should be comforting to cyber professionals in industry, academia, and elsewhere in government. Professionals will understand that information about some vulnerabilities must be restricted for reasons of national security and law enforcement, but can rest assured that most vulnerabilities discovered by the government will be revealed to the vendors who made the original product. This contributes to the well-being of the U.S. economy and the general public.

The U.S. is not the only country with an equities review process for digital products and systems. NSA’s British counterpart, GCHQ, manages a similar process. The former Director of GCHQ gave an interview to Cipher Brief soon after the White House published the VEP Charter. Robert Hannigan states that the UK Government also releases more than 90% of discovered vulnerabilities, but points out that some discovered vulnerabilities must remain restricted because the government has to retain “some tools” to do the work of intelligence.

Hannigan also notes that the process is not legislated in the UK either, but is run by GCHQ in concert with its new cybersecurity arm, the National Cyber Security Centre. He also points out that GCHQ analysts work closely with NSA, so discussions about vulnerabilities are not done in isolation. (For the full interview, see https://www.thecipherbrief.com/column_article/britains-gchq-decides-secrets-share)

THIS MONTH on the On This Day In History Calendar

  • The first hire at SIS was Annie Louise Newkirk, hired as a cryptographic clerk. An interesting note: when a phone call came in for someone working in the vault room, Ms. Newkirk would buzz the back room using the Morse code equivalent of the first initial of the individual's name. In honor of Women's History Month, learn about more female cryptologic pioneers!

About Us

The NCF's Vision is to strengthen trust in the digital ecosystem.

The NCF Mission: Advance the nation’s interest in cyber and cryptology as we:

  • Educate citizens to be cyber smart individuals,

  • Develop pathways for the future cyber and cryptologic workforce,

  • Engage and convene partners to address emerging cyber and cryptologic issues, and

  • Commemorate our cryptologic history and those who served.

The Foundation provides exceptional cryptologic programs, encourages young minds to learn about cryptology and to explore cyber-related career opportunities, hosts educational, cryptology-related exhibits at various community events, and honors the people—past and present—whose contributions to our national security protect and make possible our way of life.

The NCF also provides needed support to the National Cryptologic Museum (NCM), the first public museum in the U.S. Intelligence Community. Located adjacent to the National Security Agency (NSA) in Maryland, the NCM houses a unique and priceless collection of artifacts that represent our Nation's history in code making and code breaking, as well as a world class library of cryptologic media. The NCF has acquired rare and invaluable artifacts for the Museum and helps to support new educational and interactive exhibits.

The NCF is a 501(c)(3) organization.

Learn more about our MISSION, VISION, and VALUES.