Full disclosure: Trump administration’s new take on cyber flaws and threats

If a United States government agency discovers a vulnerability that could impact national defense and global economics, should it keep that flaw secret or release this knowledge to the public? That’s the question the White House is trying to tackle with the Vulnerabilities Equities Policy and Process for the United States Government (VEP).

The policy was released this Wednesday after an anonymous source told media outlets about the Trump administration’s plans on Nov. 14. The VEP lays out the process for deciding which vulnerabilities will be disclosed and which will be kept from public knowledge for as long as possible.

Rob Joyce, the White House cybersecurity coordinator, introduced the rule at an Aspen Forum in Washington D.C. as one of the “most sophisticated” in the world. He also said the VEP was an effort to improve government transparency, even though the government retains the option to withhold information about a vulnerability from the public.

In Joyce’s blog post published Wednesday, he defends the option as one that many other nations exercise routinely. “The challenge,” Joyce goes on to say, “is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace. This is the root of the tension that exists between the desire to publicize every vulnerability discovered and the need to preserve some select capability for action against extremely capable actors whose actions might otherwise go undiscovered and unchecked.”

That’s where the VEP comes in. The policy outlines the use of an Equities Review Board (ERB) that will meet monthly to review submitted vulnerabilities. It can convene faster if there’s an active attack situation using a previously unknown exploit.

The ERB will be made up of representatives from multiple agencies, covering sectors such as finance, economics, defense and security, justice and energy, as well as the CIA. The policy also states that the ERB will submit an annual report on the vulnerabilities it has handled, and as part of that process it will re-review vulnerabilities it previously voted to keep secret.

According to a flowchart within the document, government agencies will submit new and unknown vulnerabilities to the ERB where the representatives will vote on how to handle the threat. Vulnerabilities should be submitted within a day of their discovery, and the ERB will have five days to review their threat capacity and impact on government equities.

[Figure: Vulnerability Equities Process Overview]

There are three main points the ERB will consider before voting:

  1. How much of a threat is the vulnerability? This examines how widespread the affected product or service is and how easily that product can be exploited. At this stage it is a basic threat assessment.
  2. How can the government potentially use this vulnerability for national security purposes? This is important for the ERB to consider, though it carries the risk of backlash, as was seen when the leak of the NSA’s withheld exploits led to the WannaCry ransomware outbreak.
  3. What risks would the U.S. face with companies and other national interests if it’s revealed that the government chose to suppress information concerning the vulnerabilities? Microsoft openly critiqued the NSA’s part in the WannaCry attack, since the agency had withheld information on an SMB exploit affecting Windows devices. It’s important to analyze whether holding back a vulnerability from the public will cause more harm than good.

Many of these questions, located at the very end of the policy document, are useful for any cybersecurity response team. You can adapt them easily for your own company: substitute your own organization for the references to the United States government and you have an outlined response plan.

The policy also lists several categories of findings that are exempt from submission to the ERB. Those include:

  • vulnerabilities found by cybersecurity researchers
  • misconfiguration or poor configuration of a device that sacrifices security in lieu of availability, ease of use or operational resiliency
  • misuse of available device features that enables non-standard operation
  • misuse of engineering and configuration tools, techniques and scripts that increase/decrease functionality of the device for possible nefarious operations, and
  • discovering that a device, service or system has no inherent security features by design.

And finally, the document contains a glossary of terms. Words having multiple definitions, or multiple words being used to describe the same event, have been an ongoing issue in the cybersecurity field.

The VEP arises from earlier instances of government accountability, such as when Microsoft criticized the NSA, a federal agency, for withholding information on exploits that private companies could have patched. WannaCry’s attack took down multiple hospitals in the UK and disrupted other global operations while the U.S. remained relatively unscathed.

The policy also comes just before the House of Representatives holds a hearing on Maximizing the Value of Cyber Threat Information Sharing, where the VEP will no doubt be brought up. This hearing will be held Nov. 15 at 2 P.M. EST.
