The White House wants to be more transparent around how it discloses security vulnerabilities, releasing an unclassified charter on Wednesday that outlines how the government determines which software flaws it keeps secret.
The 14-page document, available as a PDF, provides details around the Vulnerabilities Equities Policy and Process (VEP) for departments and agencies of the U.S. government.
According to White House Cybersecurity Coordinator Rob Joyce, the last few months have been spent reviewing the existing VEP in order to improve transparency and standardize the process. By publishing the unclassified portions, the government hopes to “shed light on aspects of the VEP that were previously shielded from public review, including who participates in the VEP’s governing body, known as the Equities Review Board.”
The unclassified charter clarifies what categories of vulnerabilities are submitted to the process. The government also promises to release an annual report that provides metrics about the process to “further inform the public about the VEP and its outcomes.”
Public interest in the way the public sector handles security vulnerabilities has grown in the last six months in particular after the WannaCry attack when Microsoft called out the U.S. government for its mishandling of vulnerabilities.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” Microsoft president Brad Smith said in May. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."
Joyce said that the annual reports will help dispute claims of “massive” government stockpiles, which he said “simply isn’t true.”
Mark Kuhr, co-founder and CTO of Synack, a security company based in Menlo Park, Calif. that provides crowdsourced penetration testing, vulnerability orchestration and risk reporting, tells ITPro that it seems Joyce has a “clear vision of how to optimize the balance between secrecy and disclosure.”
“There are still very important reasons, such as national security, to keep some of these vulnerabilities private to the government,” Kuhr said. “The transparency in the VEP process will help all stakeholders, commercial and government, understand how the process works and at least formalize the process for keeping vulnerabilities private for the benefit of national security/law enforcement.”
“Transparency in the process is great, and will likely result in more vulnerabilities being disclosed to the public for patching,” Kuhr said. “But, then we need to make sure we are prepared to patch the flaws and patch them quickly ahead of the adversary exploiting them. Speed will become more important in patching in order to prevent the next WannaCry-like attack.”
Still, some remain skeptical that the new VEP will deliver on its promised transparency, based on what EFF calls a “checkered history” of the process. According to EFF, the VEP was started “in 2010 as an attempt to balance conflicting government priorities.” But it wasn’t made public until much later, after the EFF filed a lawsuit under the Freedom of Information Act in order to gain access to the VEP, in response to information concerning the Heartbleed bug. A redacted version was released in January 2016.
Former Cybersecurity Coordinator Michael Daniel said in April 2014, after Heartbleed, that “too little transparency and citizens can lose faith in their government and institutions, while exposing too much can make it impossible to collect the intelligence we need to protect the nation.”