Attacks/Breaches

11/15/2017
05:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

White House Releases New Charter for Using, Disclosing Security Vulnerabilities

Updated Vulnerability Equities Process provides transparency into how government will handle new vulnerabilities that it discovers in vendor products and services.

Technology experts and others have been demanding greater transparency on the US government's practices for handling security vulnerabilities that it learns about, especially after the Shadow Brokers group leaked a tranche of top-secret National Security Agency attack tools and exploits last year.

On Wednesday, the Trump administration responded to those calls with a new version of the so-called Vulnerability Equities Process (VEP) governing the use and disclosure of software vulnerabilities that the NSA and other government agencies might discover.

The VEP charter provides fresh details on the process the government uses to determine whether to notify a private company about a security flaw in its products or services or to exploit it for intelligence gathering and other purposes.

The document — released by White House cybersecurity coordinator Rob Joyce — addresses several of the questions that people have asked in recent months about how VEP works, oversight, the agencies involved in the process, and other aspects. It also promised annual statistics on the number of vulnerabilities the government retains for later exploitation and the number disclosed to affected vendors — another major demand from industry stakeholders.

"It's good to see the White House releasing this document publicly without redactions," says Andrew Crocker, staff attorney at the Electronic Frontier Foundation (EFF).

The rights group had previously filed a Freedom of Information Act lawsuit against the government for its failure to release adequate details on VEP. "The revised VEP is a step forward on transparency — it makes public a good deal of information that the government withheld throughout EFF's lawsuit over the previous version of the VEP."

The US government, like many other governments worldwide, routinely stockpiles vulnerability information and exploits that it discovers so the information can be used later for surveillance, intelligence gathering, and law enforcement purposes. As Joyce noted in his announcement Wednesday, the exploits can produce valuable intelligence for attribution, evidence of crimes, enable investigations and help build better cyber offensive capabilities.

But many cybersecurity experts have said that indiscriminately withholding vulnerability and exploit data from affected technology vendors is extremely dangerous and could expose organizations using products from these vendors to devastating attacks. Several of the NSA attack tools that Shadow Brokers leaked last year, for instance, exploited zero-day flaws in widely used systems from major vendors such as Cisco and Microsoft. One of the leaked tools, code-named Eternal Blue, was used in the WannaCry ransomware attacks that ravaged computers worldwide earlier this year.

The argument has been that if the US government can find these flaws, others, including cybercriminals and nation-state actors, can as well. It's only by disclosing vulnerabilities in a timely manner that vendors have a chance to fix flaws before exploitation by adversaries.

Joyce acknowledged such concerns in spelling out how the VEP works and in describing the process the government will now use to handle information pertaining to new and previously unknown vulnerabilities.

Under the process, most new and unknown vulnerabilities that federal agencies might discover have to go through the VEP.  A board comprised of representatives from 10 agencies including the CIA and the Departments of Defense, State, Justice, and Treasury will meet monthly to review the vulnerabilities. The board is responsible for determining whether the government should disclose the vulnerabilities to the respective technology vendors so the flaws can be patched or to restrict dissemination of the information.

Among the factors the board will consider are how broadly an affected product is being used, how easily discoverable and exploitable a flaw might be, the impact of exploitation and how easy or not it is to mitigate. From an intelligence and operational standpoint the board will consider how useful a flaw might be in supporting intelligence collection and whether it provides any operational value against cyber actors or their infrastructures.

In some cases, the government might decide to release mitigation information without releasing vulnerability details. Or it might restrict how the vulnerability can be used and by which agencies. The goal in all cases is to ensure a balance between the need to properly secure systems versus the need for government to maintain and edge in cyberspace. Under the new charter, agencies do not always have to go through VEP. But requests for exceptions will have to go through the White House's National Security Council.

Importantly, the charter creates an annual classified and unclassified reporting requirement on VEP to Congress to ensure proper oversight.

Crocker says the charter makes public a good deal of information that the government had previously withheld. That includes details like the list of agencies that participate in the decision to retain or disclose vulnerabilities and the list of considerations the group will use to reach decisions. Crocker says he is also pleased that the document contains explicit acknowledgement that exploiting vulnerabilities poses potential harm to individual privacy, the economy, and national security.

"However, we remain concerned about potential loopholes allowing vulnerabilities to avoid entering the VEP at all," Croker notes. "Exceptions for vulnerabilities obtained under non-disclosure agreements are problematic because NDAs are reportedly very common in this area."

Daniel Castro, vice president of the Information Technology and Innovation Foundation, said the White House has addressed many of the transparency concerns heads on with the new VEP charter.

"The information put out today by the White House is a huge positive step forward on transparency in the Vulnerabilities Equities Process," he said. In crafting the new process the administration appears to have clearly heard the requests for transparency and oversight from many stakeholders, he said.

"Now that we have a fully documented process and commitments to publish annual metrics, we can start to have a productive debate about how to assess and improve that process."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Diversity: It's About Inclusion
Kelly Jackson Higgins, Executive Editor at Dark Reading,  4/25/2018
Coviello: Modern Security Threats are 'Less About the Techniques'
Kelly Sheridan, Staff Editor, Dark Reading,  4/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.