The Trump administration has concerns about a proposed reform of the policy process the U.S. government uses when deciding how to handle newly discovered software vulnerabilities known as zero-days, White House Cybersecurity Coordinator Rob Joyce told a meeting of tech leaders in Boston this week.
The vulnerability equities process, or VEP, is how government officials decide whether to disclose such flaws to the software manufacturer — so they can be patched and all users made safe — or to secretly keep them and use them to spy on U.S. adversaries. Former officials said the process needs overhauling, and lawmakers dropped a bill to codify it — the Protecting our Ability To Counter Hacking, or PATCH, Act. The bill would establish a review board that would publish guidelines explaining the basis for its decisions.
Joyce, addressing the launch of CyberMA, a Massachusetts affiliate of the national CyberUSA initiative on Monday, said Trump administration officials were engaging with the bill’s backers, but saw the need for changes in the draft. It’s the first time an administration official has commented on the proposal, which has bipartisan support including the backing of the GOP chairman of the Senate Homeland Security Committee.
“We are working with Congress about that [PATCH Act bill] right now,” said Joyce. “I do have some concerns because legislators are talking about giving authority to a non-neutral entity,” he said. The new VEP review board would include non-national-security officials like the Commerce secretary as members.
“I think the process right now gives us the balance where we don’t have the offense or the defense with too much thumb on the scale,” Joyce said.
Joyce, who chairs the current VEP committee — established by policy, not law — from his perch in the White House, said the process was already “tilted” towards disclosure. “The VEP does favor defense today … it understands how significant the vulnerability is, [which industries] it is used in … are there mitigations even if there’s no patch?” he said.
He said officials were making “non-black-and-white decisions about when a vulnerability needs to be withheld” because the U.S. government needed the online spying capability it offers.
Joyce pointed out later to Cyberscoop that the current VEP is already led by a White House committee with non-intelligence-agency officials on it. Since April 2014, “all new and not publicly known vulnerabilities are submitted into this process led out of the White House,” he said in an email.
He also echoed the comments of former officials who have called more disclosure of zero-days a form of unilateral disarmament, because U.S. adversaries will not follow suit.
“It’s important to note that the adversarial intelligence services of China, North Korea, Russia, and Iran don’t have anything remotely like our VEP program, which makes it easier for them to do us harm,” he said.
He added: “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area.”
But those principles, which date back to the Bush administration last decade, have come under renewed scrutiny following the release online of leaked source code for a set of powerful NSA hacking tools using zero-days in ubiquitous Windows software. Despite the VEP, the vulnerabilities were kept secret by the NSA and are now being used by cybercriminals and hackers.
The bill’s sponsors, Sens. Brian Schatz, D-Hawaii, and Ron Johnson, R-Wis., did not immediately respond to requests for comment.