By Willis McDonald, Threat Research Manager and Senior Threat Researcher, Core Security
When the U.S. Government discovers an unpatched vulnerability, it has a choice: disclose the vulnerability to the vendor so that it can be patched, or exploit the vulnerability for its own purposes. It’s not an easy call. Disclosure may eliminate an opportunity to gather valuable intelligence while keeping an exploit secret can put both the public and private sectors at risk, as demonstrated by the WannaCry ransomware outbreak.
To assist the government in its efforts, the Obama Administration established the Vulnerabilities Equities Process (VEP), a set of rules used for determining whether the U.S. Government should disclose a zero-day security vulnerability. The VEP has long been criticized for its lack of transparency and oversight. Last month, the Trump administration released the charter to the public.
According to The White House, “[Trump] promised to strengthen America’s cybersecurity capabilities and secure America from cyber threats. The release of this Charter and adherence to the rigor it demands follows through on that commitment to the American people.”
It’s worth repeating that the VEP isn’t new. The policies of the Trump administration with regard to vulnerability disclosure are no different from the previous administration’s. VEP is just a rehash of previous policies and councils that were in place to appease public perception on government-curated vulnerabilities—it does nothing to strengthen cybersecurity.
The fact of the matter is, the White House’s move to release the VEP validates what the industry has been concerned about all along. There are a number of loopholes and a lack of industry oversight, both of which are troublesome. Let’s start with the lack of industry oversight. In its press release, the White House claims that the VEP represents the interests of “commercial equities; and international partnership equities.” However, the VEP council does not include any representation from either commercial or international entities.
Under the VEP, vulnerabilities are reviewed by the Equities Review Board. The Board is comprised of folks from the Departments of Homeland Security, Energy, State, Treasury, Justice, Defense, and Commerce. The CIA and FBI are also on the Board, and the National Security Agency serves as the Board’s executive secretariat. Commercial and international entities are noticeably missing from this list.
This is an obvious exclusion for national security purposes. However, it also closes the door on external oversight of decisions deemed in the interest of national security. Commercial and international entities should have a place on the council if vulnerability disclosure decisions are being made on their behalf.
The loopholes are also cause for concern. The VEP charter limits the scope of vulnerabilities addressed by the council to certain classes, thus allowing reporting entities to report as they see fit any vulnerabilities that fall outside the scope of the VEP.
In addition, the VEP does not address vulnerabilities that are discovered and shared by international partners. Granted, this so-called non-disclosure agreement (NDA) loophole is necessary for the U.S. government to continue operations with its allies. Without it, our allies would fear that sharing vulnerability information with us could compromise their own national security operations. However, like the previous loophole, this could allow participating entities to bypass the controls of the VEP and report a vulnerability as they see fit.
While the push for transparency is great, we shouldn’t hold our breath waiting for change. Legislation like the Protecting Our Ability to Counter Hacking Act of 2017 (PATCH Act) and, now, the VEP charter are intended to appease the public rather than cause change. And, to some extent, they have done just that.
It is worth noting that vulnerabilities such as those used in WannaCry never would’ve been released through VEP due to their usefulness in providing access to remote systems for collection purposes. And we all know how that turned out.