Vulnerability Equities Process Gets A Facelift From The New Administration
from the more-things-change-the-more-they-improve-incrementally dept
The Trump Administration has released a new version of the Vulnerabilities Equities Process — one nominally slanted towards greater transparency and outside participation. The previous process was broken in multiple ways, not the least of which was intelligence oversight’s general belief everything was fine even though the NSA didn’t follow the previous rules, despite statements to the contrary.
It’s unclear why this new VEP is appearing now. The new administration doesn’t seem particularly concerned about surveillance overreach or the legality of tactics deployed by the Intelligence Community. On the other hand, the up-cycling of undisclosed NSA exploits by malicious hackers has probably forced the government’s hand. It’s impossible to get ahead of criticism, especially when so many of the exploited exploits dated back several years. But perhaps it’s possible to head off future criticism with a diplomatic gesture, which is what this appears to be.
The new process does add more transparency, at least theoretically. White House Cybersecurity Coordinator Rob Joyce had this to say in his post announcing the remodeled VEP:
Improved transparency is critical. The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities. Since I took my post as Cybersecurity Coordinator, improving the VEP and ensuring its transparency have been key priorities, and we have spent the last few months reviewing our existing policy in order to improve the process and make key details about the VEP available to the public. Through these efforts, we have validated much of the existing process and ensured a rigorous standard that considers many potential equities.
But there’s not much in the underlying documents that indicates how the new process will lend itself to more transparency. The mere existence of these documents is certainly more transparency than we’ve seen previously, which give outsiders a better view of the process. But beyond saying the vulnerabilities review process “may” result in additional reporting to Congress, nothing states definitively that more transparency will result from the new VEP’s implementation.
There are other concerns as well. As Bruce Schneier sees it, the VEP has been improved, but still allows the government to act as it pleases with minimal outside interference.
The devil is in the details, and we don’t know the details — and it has giant loopholes that pretty much anything can fall through…
This is me from last June:
There’s a lot we don’t know about the VEP. The Washington Post says that the NSA used EternalBlue “for more than five years,” which implies that it was discovered after the 2010 process was put in place. It’s not clear if all vulnerabilities are given such consideration, or if bugs are periodically reviewed to determine if they should be disclosed. That said, any VEP that allows something as dangerous as EternalBlue — or the Ciscovulnerabilities that the Shadow Brokers leaked last August — to remain unpatched for years isn’t serving national security very well. As a former NSA employee said, the quality of intelligence that could be gathered was “unreal.” But so was the potential damage. The NSA must avoid hoarding vulnerabilities.
I stand by that, and am not sure the new policy changes anything.
That the NSA and others must make use of software/hardware exploits to gather intelligence is inarguable. The problem isn’t the use of exploits, but rather that the government, almost without exception, sided with itself when balancing intelligence gathering against potential harm to innocent computer users. While the NSA insisted it turned over 90% of everything it found, personnel involved with the NSA’s Tailored Access Operations claimed they’d gone years without seeing a disclosure.
Joyce’s post also takes a swing at those opposed to the current implementation of the VEP. But his blow only hits strawmen.
There are advocates on both sides of the vulnerability equity issue who make impassioned arguments. Some argue that every vulnerability should be immediately disclosed to the vendor and patched. In my view, this is tantamount to unilateral disarmament. Our adversaries, both criminal and nation state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities.
While it’s true our nation’s enemies don’t participate in vulnerability disclosure, to claim we should act as irresponsibly is basically like saying it should be acceptable for US military forces to use children’s hospitals as operations headquarters just because our opponents have resorted to these tactics.
Vulnerability disclosure isn’t zero sum, no matter what Rob Joyce may imagine. The problems are nuanced. Discussions about solutions should be similarly refined.
Katie Moussouris, CEO of Luta Security Inc., said Joyce’s statement “is a false dichotomy between 100% disclosure versus the current process that puts zero-day vulnerabilities at the heart of the matter.”
“My assertion has always been to err on the side of disclosure to the vendor and seek a mission-focused alternative to using zero-day vulnerabilities in broadly deployed software,” Moussouris told SearchSecurity. “In some cases, not all, the objective of the mission could be completed via other means, such as exploiting misconfigurations or well-crafted phishing attacks, or even via zero-day exploits in localized, country-specific software instead. Exploitation of vulnerabilities for which a patch exists, but hasn’t been applied on the target system yet, is one such alternative.”
Is the new VEP better than the old one? Tough to say. We won’t know until it’s implemented, unfortunately. But the simple fact that there’s more information about the process brings it a step or two ahead of its predecessor.