After a hacker stole cyber tools from an NSA “stockpile” to carry out the WannaCry cyberattack, the White House is now revealing how and when the government decides to disclose vulnerabilities or keep them secret.
On Wednesday, the White House published a charter that details the Vulnerabilities Equities Process (VEP), which was established under former President Barack Obama to determine whether disclosing a vulnerability was in the government’s best interest.
The revised rules say that in the “vast majority of cases,” disclosing a vulnerability is “clearly in the national interest.” However, the White House said that the government can use the previously unknown vulnerabilities to support military, intelligence, and law enforcement activities.
“Often taking a considered risk to restrict knowledge of a vulnerability is the only way to discover significant intrusions that are compromising security and privacy,” the White House said.
Previously unknown vulnerabilities are also called “zero-day vulnerabilities” because the developer has “zero days” to patch the vulnerability before a hacker can exploit it.
The government can obtain these vulnerabilities through discovery or by purchasing them from malware vendors. In 2013, the Washington Post reported that the National Security Agency spent $25 million on zero-day vulnerabilities that year alone.
When a zero-day is discovered, it is submitted to a review board consisting of representatives from 10 agencies for oversight. The inter-agency Equities Review Board (ERB) then discusses if the vulnerability should be disclosed or retained. When a consensus is reached, the ERB then votes to either disclose or restrict the vulnerability.
If one agency does not concur with the rest of the ERB, they can contest the determination by notifying the VEP Executive Secretariat at the National Security Agency (NSA) with the reason.
The White House said that the agency with the most knowledge about the the zero-day exploit will disclose it within seven days “when possible.”
However, the charter says the government’s decision to disclose vulnerabilities could be subject to restrictions such as nondisclosure agreements, memoranda of understanding, or other agreements from private sector or foreign partners.
NSA whistleblower Edward Snowden said the provision was an “enormous loophole” that would allow digital arms brokers to exempt “critical flaws in US infrastructure from disclosure no matter the cost to our security.”
Journalists writing up the VEP plan today: most important revelation was enormous loophole permitting digital arms brokers to exempt (via routine NDAs used when proliferating bugs to >1 buyer) critical flaws in US infrastructure from disclosure no matter the cost to our security.
— Edward Snowden (@Snowden) November 15, 2017
If a vulnerability is found in NSA equipment, the charter states that it must be reported to the NSA, which will assume responsibility for the vulnerability.
The NSA serves as the Executive Secretariat for the VEP to produce classified annual reports to Congress and unclassified reports on how many vulnerabilities were disclosed and how many were retained.
The charter also says that the decision to keep a vulnerability secret is not always binary. The government does a risk analysis and sometimes decides to limit their use of the vulnerability, or tell other allied governments about the vulnerability, or use “indirect means” to tell vendors about the vulnerability. The vendors are the ones who sell, distribute or supply a product, component, system or program that can be exploited.
After hackers stole the WannaCry cyberattack from the NSA and used it to cripple 200,000 computers in 150 countries earlier this year, Microsoft president Brad Smith blamed the NSA for “stockpiling” vulnerabilities.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Speaking at an event at the Aspen Institute in Washington DC on Wednesday, White House Cybersecurity Coordinator Rob Joyce dispelled the “rumors” that the government was hoarding vulnerabilities.
Joyce said that there is no “lifetime waiver” for the government to retain vulnerabilities, adding that every zero-day retained is re-reviewed every six months “to be sure the conditions are still the same or similar to when we made that decision.” More than 90 percent of vulnerabilities are disclosed through the VEP, Joyce said.
Under Obama, Joyce said that the VEP was solely run out of the White House and there “wasn’t a lot of detail about the considerations that went into those decisions.”
“There wasn’t a lot of information about who was in the room participating, and there wasn’t a lot of transparency in just the whole way it was run,” Joyce said.
The cyber tsar said that while the process “didn’t change substantially” with the release of the new charter, there are now “a wide variety of viewpoints that come in the room.”
Joyce said that the rules are the “most sophisticated” in the world, adding that private companies “are not getting tips from China, Russia, North Korea, Iran” about the vulnerabilities.
“I also don’t know of any other nation that has this sophisticated discussion and is passing who has these sophisticated capabilities and is passing vulnerabilities to vendors to be fixed,” Joyce said.