The Trump administration plans to launch a “public charter” to add transparency and clarity to the Vulnerabilities Equities Process (VEP), a policy that guides when and if the U.S. government will tell a software vendor about digital flaws the government has discovered in that vendor’s products, flaws that could otherwise be used for espionage or intelligence operations.
Rob Joyce, White House Cybersecurity Coordinator, provided details on the charter on Tuesday and Wednesday during two separate public speaking engagements. He said the VEP is largely misunderstood and that making part of the process public means explaining the considerations, rubric and individuals involved in the process.
“We are in the process of a policy decision-making group that’s reviewing it, endorsing it, and then we will be able to push it out,” Joyce said Wednesday at the Cambridge Cyber Summit about the charter. “What we’re trying to carefully weigh is having those capabilities, to be able to use them for national security, while at the same time making sure that it’s not a major liability for our economy, for the international community, for our national security.”
In an interview with CyberScoop, Joyce said the public charter would provide some new information concerning the number of vulnerabilities entered into the process each year compared to those ultimately disclosed back to the private sector.
The policy work behind the charter is still ongoing, and it’s not entirely clear yet how much context the government will eventually provide regarding the vulnerabilities mentioned.
“We went back and looked at it … and there are things that I think don’t need to be secret,” said Joyce, who previously led the NSA’s Tailored Access Operations unit before joining the White House.
Beyond providing a quantitative baseline for the VEP, the public charter will name the interagency leaders who weigh in on the process and what goes into these decisions, said Joyce. In addition, there will be an explanation for how the VEP is used bi-annually to continuously review certain vulnerabilities that remain withheld from companies.
Chris Inglis, former deputy director of the NSA, backed Joyce’s efforts to create a charter, telling CyberScoop it could help build trust, improve public awareness and possibly repair relations between D.C. and the tech sector.
“Now is the right time to do this … especially after WannaCry and NotPetya,” said Inglis. “Increasingly the need for this sort of transparency is obvious and so I welcome it as long as it’s done correctly.”
Inglis mentioned that he supports the idea of providing a raw number for vulnerabilities reviewed via the VEP, but disapproved of an approach that would disclose significant contextual information about the software flaws themselves — including, for example, the names of affected companies or the systems impacted by each vulnerability.
“At a certain point, if there’s too much context, then it’s pretty easy to put the puzzle together,” Inglis said.
NSA officials have said in the past that the agency disclosed upwards of 90 percent of all vulnerabilities that went through the VEP. But questions loom over this high benchmark, given that very little is known about the process and whether loopholes exist which could allow for the hoarding of vulnerabilities.
The NSA is far from the only federal agency that discovers and leverages software vulnerabilities in U.S.-backed hacking operations. Other organizations involved in the practice, which are supposedly also responsible for respecting the VEP, include U.S. Cyber Command, the FBI, the DIA and the CIA. These organizations are each tasked with acquiring intelligence about threats to the country.
There is currently no legal or administrative policy that compels agencies to adhere to the VEP.
In mid-May, Senators Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory Gardner, R-Colo., in addition to Representatives Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, introduced the PATCH Act, a bill designed to codify the VEP into law. The PATCH Act, which had yet to pass either chamber, was intended to similarly shine a light on the VEP by explaining the criteria used, the individuals involved and the broader objective.
Schatz said he supports Joyce’s decision to move forward with a public charter, although more needs to be done. He noted that Congress has an important role to play as well.
“While I’m encouraged that the [National Security Council] is taking steps towards making the Vulnerabilities Equities Process more transparent, we can’t stop there,” Schatz said in an emailed statement to CyberScoop. “We need more oversight from Congress, and we need to make sure the process doesn’t change with every administration. That’s why I worked with Senator Johnson on legislation to codify a stronger framework that would do just that.”