The White House has selected a new leader to head a secretive government group that helps decide which software vulnerabilities should be kept for intelligence gathering purposes or widely released to the public.
Grant Schneider, the National Security Council’s senior director for cybersecurity policy, has been named chairman of the Vulnerability Equities Process (VEP) board, an NSC spokesperson told CyberScoop. Schneider is also currently serving as the acting federal chief information security officer.
His appointment comes after former White House Cybersecurity Coordinator Rob Joyce left 1600 Pennsylvania Avenue in May. Joyce is now serving as a senior adviser at the National Security Agency.
Joyce was instrumental in a public charter released last year that brought transparency to the VEP, the process by which the U.S. government decides whether to withhold or disclose information to tech companies about newly discovered flaws in their software. The charter originally named Joyce as the head of the multi-agency Equities Review Board (ERB), which weighs in on such decisions. But with Joyce’s departure, the administration needed to select a new leader from within the NSC.
A longtime civil servant, Schneider is widely respected in the federal IT community. Before joining the White House, he served in various information security roles at the Office of Personnel Management, Office of Management and Budget and Defense Intelligence Agency.
Over the last year, Schneider has also played a significant role in executing Trump’s cybersecurity executive order, which calls on federal agencies to improve their digital defenses.
Aspects of the VEP framework, a previously classified document, first became public in 2016 when a Freedom of Information Act request by the Electronic Frontier Foundation unearthed a redacted version.
The ERB includes representation from multiple relevant agencies, including the CIA, FBI, Treasury Department, State Department, Justice Department and Homeland Security Department, among others. Typically, when an agency secretly discovers a software flaw and wants to keep it for espionage purposes, it is supposed to bring the flaw to the ERB for consideration. While these undisclosed vulnerabilities can give the U.S. government special access to specific targets, they also leave companies susceptible to cyberattacks.