The U.S. government Wednesday introduced greater transparency into its Vulnerabilities Equities Policy (VEP) program. This is the process by which government agencies decide whether to disclose or stockpile the cyber vulnerabilities they discover.
In a lengthy statement, White House Cybersecurity Coordinator Rob Joyce explained why not all discoveries are disclosed. That will not change; but in introducing greater transparency into the process of decision-making, he hopes “to demonstrate to the American people that the Federal Government is carefully weighing the risks and benefits as we carry out this important mission.”
The extent to which the government agencies use cyber vulnerabilities to further their own overseas missions became known with Edward Snowden’s leaked documents. This sparked greater discussion over the morality of government collection and use of vulnerabilities without disclosing the existence of those vulnerabilities to the product vendors concerned.
Microsoft, for example, developed detailed proposals for introducing international norms of cyber behavior that would rely on no government keeping private supplies (hoarding) of undisclosed 0-day vulnerabilities; and also called for a digital Geneva Convention that would “mandate that governments report vulnerabilities to vendors rather than stockpile, sell or exploit them.” This is unlikely to happen. “Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. Those exploits produce intelligence for attribution, evidence of crimes, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities,” said Joyce in his statement.
The theft and release of ‘Equation Group’ (generally considered to be the NSA) tools and exploits by the Shadow Brokers (generally considered to be ‘Russia’) brought new emphasis to the issue. These tools included the EternalBlue exploit soon used by hackers (quite probably nation-state affiliated hackers) in the worldwide WannaCry and NotPetya ransomware outbreaks.
Joyce formerly served as head of the NSA’s Tailored Access Operations (TAO) unit—an offensive hacking team tasked with breaking into systems of foreign entities.
The unproven implication is that if the NSA had disclosed their vulnerabilities, the worldwide disruption caused by WannaCry and NotPetya might not have happened. There is, however, little mention of the danger of theft inherent in any store of vulnerabilities in this week’s VEP transparency announcement, beyond two considerations in the decision process: “If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG relationships with industry?”, and “If USG knowledge of this vulnerability were to be revealed, what risks could that pose for USG international relations?”
The full unclassified VEP process document (PDF) “describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies.”
In short, it explains the process without altering the policy. Its purpose is to introduce transparency and reassure the public that the government will weigh the offensive advantages obtained against the threat of public disruption if used by third-parties, for each 0-day vulnerability it discovers.
That transparency is valuable, but there remain numerous concerns. One is that the VEP continues to be an administrative exercise not enshrined in law. It can be changed at any time without public or legislative overview.
In May 2017, Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) introduced the ‘Protecting Our Ability to Counter Hacking Act of 2017’ — the PATCH Act.
Its purpose is to promote the transparency introduced this week, but make it a legal requirement rather than an administrative choice. The Patch Act appears to have stalled, with no real progress since its introduction in May.
Other concerns appear in the Exceptions section of the VEP process document. For example, “The United States Government’s decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations.” This will exclude 0-days discovered by, say, GCHQ and disclosed to the NSA under an effective non-disclosure agreement; and it could also exclude 0-days expected to be used in potential operations (such as Stuxnet).
It has long been suspected that members of the Five Eyes surveillance alliance share intelligence on each other’s nationals to circumvent individual laws forbidding surveillance of own subjects. If this happens in practice, a similar arrangement between each members’ intelligence agencies would exclude shared vulnerabilities from the VEP process. Both exclusions will undoubtedly be used by the more offense-driven agencies (the NSA and the CIA) to both hold and keep secret their most ‘valuable’ exploits.
Nevertheless, the purpose of declassifying the VEP process is primarily to reassure the American people that the secretive intelligence agencies do not have free rein in the vulnerabilities they keep and the vulnerabilities they use — and to that extent it will probably succeed.