The White House released a new charter Wednesday detailing the previously classified process federal agencies must use in deciding whether to disclose known software vulnerabilities to the public or retain them as leverage against potential cyber adversaries.
The National Security Council (NSC) will oversee the updated Vulnerabilities Equities Process (VEP) and determine whether the release of known vulnerabilities is in the public’s best interest.
“Obtaining and maintaining the necessary cyber capabilities to protect the nation creates a tension between the government’s need to sustain the means to pursue rogue actors in cyberspace through the use of cyber exploits, and its obligation to share its knowledge of flaws in software and hardware with responsible parties who can ensure digital infrastructure is upgraded and made stronger in the face of growing cyber threats,” said Rob Joyce, the White House’s cyber security coordinator, in a White House blog post following the charter’s release.
Joyce will serve as VEP Director and lead the NSC’s discussion on the potential impacts of releasing knowledge of vulnerabilities to the public.
The charter also establishes an Equities Review Board, which serves as a forum for federal agency representatives to discuss their findings related to software vulnerabilities.
The National Security Agency will serve as VEP Secretariat and is responsible for producing an annual unclassified report on the process and detailing potential vulnerabilities.
“The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities,” Joyce said. “There are still important reasons to keep many of the specific vulnerabilities evaluated in the process classified, but we will release an annual report that provides metrics about the process to further inform the public about the VEP and its outcomes.”
The Obama administration previously offered details of the trade-offs made when vulnerabilities are not shared with the public, but this is the first formal indication of who will be involved in the decision-making process.
The new VEP charter is meant to improve transparency, detail the interest of stakeholders in making cyber-related decisions, show accountability for the process and grow the discourse on vulnerabilities, according to Joyce.
“I am grateful that the new charter continues a commitment to bringing all stakeholders within the government, including those with a focus on defensive cyber security measures and commerce, to the table. There is a reason that the default treatment of a vulnerability is disclosure, as recent cyber security incidents have demonstrated the damage that can be caused by unpatched software,” said Rep. Jim Langevin (D-R.I.), co-chair of the House Cybersecurity Caucus, in a statement. “By including a broad array of perspectives as part of the Equities Review Board, the National Security Council will be able to take as holistic a view as possible before making a decision.”
Vulnerability decisions will focus on balancing the dissemination of information to the private sector, with the expectation that the affected software will be patched, against withholding sensitive data that could potentially be used for national security or law enforcement operations.
In certain cases, the VEP may involve releasing mitigation information to select private sector entities without disclosing the particular vulnerability.
The VEP policy applies to software related to all government components, including civilian and military contractors, as well as private sector information systems.
Joyce previously described the VEP charter as a step toward finalizing the administration’s impending national cyber strategy (Defense Daily, Nov. 9).
“Vulnerability management requires sophisticated engagement to ensure protection of our people, the safeguarding of critical infrastructure, and the defense of important commercial and national security interests,” Joyce said. “I believe our newly endorsed VEP Charter helps us balance those interests in a way that is repeatable and defensible.”