Governments rely on flaws in software, hardware, and encryption protocols for espionage and assorted intelligence gathering. And what makes that cyber-sneaking are technical flaws that governments find and keep to themselves. But in the United States, the practice of withholding vulnerabilities such that they can’t be fixed has drawn increasing controversy—especially because of real-world situations where secret government hacking tools have leaked and spread to devastating effect.
In an attempt to clarify and codify the government’s approach to dealing with this problem, the White house released details for the first time on Wednesday about how the government decides which software vulnerabilities it discloses, and which ones it withholds for its own use in espionage, law enforcement, cyber warfare, and general intelligence-gathering. The Trump administration called the unclassified release a “charter” for the so-called “Vulnerabilities Equities Process,” and it sheds new light on how the government weighs withholding advantageous vulnerabilities, versus alerting impacted companies so that they can be fixed before outside hackers use them as well.
A Tangled VEP
The VEP, developed during the Obama administration, has been consistently criticized for its lack of transparency. Before Wednesday, the public information about the program largely came from a Freedom of Information Act release that contained documents from 2010, and a 2014 blog post by then-White House Cybersecurity Coordinator Michael Daniel.
But calls to explicate the VEP have intensified significantly since WikiLeaks and the hacking group Shadow Brokers began releasing alleged CIA and NSA hacking tools, especially after those tools enabled devastating ransomware attacks and more. And while the new VEP publication is a trove of long overdue information, it doesn’t in and of itself solve the problems that led to so many recent failures.
“The reasons you want to patch, you want to disclose are because our society has grown intertwined with our IT technology, so if there’s a flaw in those systems there is an imperative to close that hole and make sure it’s not exploited,” Rob Joyce, the current White house Cybersecurity Coordinator, said at the Aspen Institute on Wednesday morning. “On the other side you’ve got the need to produce foreign intelligence, the need to support war fighters, the need to conduct operations in this new cyber environment. And in fact a lot of the knowledge we get to defend systems is gained…from these same sorts of vulnerabilities. So either extreme isn’t good for the country.”
The new VEP charter does score points for increased transparency, including its detailing of the departments and agencies whose representatives comprise the vulnerability review committee, the criteria used, and the mechanisms for handling situations where that group can’t agree on how to handle a particular bug. The NSA is the “executive secretariat” of the VEP, and most of the representatives come from intelligence community agencies, the Department of Defense, the Department of Homeland Security, and the Department of Justice, including the FBI. But analysts say they were relieved to see groups like the State Department, Treasury, Department of Commerce, and Department of Energy on the list, to represent other priorities and viewpoints.
The charter also promises annual reports—both classified versions for government officials and lawmakers, and an unclassified version—to offer regular updates about the VEP. “I think that this is a huge step forward from almost no documentation to having this charter publicly available,” says Heather West, a senior policy manager at the nonprofit Mozilla Foundation. “This will help people understand what the scope is, which agencies are involved. Whenever the next Shadow Brokers or big hack happens we’ll be able to see, if the VEP broke down where was it? And then we can talk about fixing it instead of just speculating.”
The Shadow Brokers example serves as a worst case scenario of what can occur when government-held vulnerabilities in popular and widely-used software get out and suddenly threaten millions of people’s digital lives. One exploit tool the Shadow Brokers published, Eternal Blue, targeted a common Microsoft Windows vulnerability, and was used to spread malware in both the WannaCry and NotPetya ransomware attacks that swept the world this spring. The NSA has never officially confirmed that Eternal Blue was one of its exploits, it had reportedly been an NSA workhorse for more than five years before the agency finally requested that Microsoft patch it, making it more likely with each passing year that someone else would find it and millions of devices would be caught vulnerable.
Ideally, VEP can mitigate those problems by weighing the benefits and risks of exploiting—and continuing to exploit—a vulnerability instead of disclosing it. The White House’s Joyce declined to comment on Eternal Blue, and whether it was ever vetted by the VEP. He emphasized, though, that under the charter the VEP will consistently re-evaluate vulnerabilities so they don’t languish in the toolbox unchecked for years. “When a vulnerability is retained it’s not a lifetime waiver,” he said.
The administration also pushed back against the characterization that the government “stockpiles” or “hoards” vulnerabilities. Joyce cited a previously touted figure that the government discloses more than 90 percent of the vulnerabilities it finds. But analysts note that percentages can belie the content of what the government chooses to disclose and retain. “The public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones,” NSA whistleblower Edward Snowden wrote on Wednesday. “We need to know the severity of disclosed vulnerabilities, not just the number.”
It’s also unclear how different the Trump administration VEP charter is from the previous version.“It didn’t change substantially, but it got a lot tighter,” Joyce said on Wednesday. Some observers also fear that Wednesday’s releases could become a one-time snapshot, without substantive transparency in the future. And since the VEP isn’t currently codified in legislation, administrations can alter it at any time.
“We actually have a lot of information that’s been given to us here, which is great, but I’m worried that this transparent sharing could be seen as the end of the discussion by those who aren’t interested in reform,” says Andi Wilson, a policy analyst at the non-partisan New America Foundation’s Open Technology Institute. “The changes that are listed in these unclassified documents, if there are in fact changes, have been made behind a curtain. Any other changes could be made in the same way.”
A window into the VEP becomes ever more critical, as the government escalates its race against software security teams. “It’s just a fact that the government is going to work to develop vulnerabilities and find them for operations,” says Joyce. “The ecosystem continues to find new and innovative ways to exploit.” As the pace of the discovery, exploitation, and patching cycle speeds up, traffic through the VEP will only increase.
Analysts largely agree that there is a true national security need to retain and exploit some vulnerabilities. But as WikiLeaks, the Shadow Brokers, and other revelations have shown, tempering the intensity that drives intelligence hacking is also in the national security interest, given the very real threat those vulnerabilities pose. More visibility into the VEP will hopefully lead to more accountability, but ultimately it’s still the officials in the negotiating room who will decide how the charter is used in practice.