Trump administration releases rules on disclosing security flaws

The White House's cybersecurity coordinator said the rules are "vital" to ensuring a balance between public disclosure and retaining flaws for intelligence operations.
Written by Zack Whittaker, Contributor


The Trump administration has released an unclassified set of rules for deciding if a security vulnerability should be shared or kept private.

Rob Joyce, the White House cybersecurity coordinator, said at an event in Washington DC on Wednesday that the rules would end years of secrecy about the so-called vulnerabilities equities process (VEP), and calm rumors that the government has a "vast stockpile" of vulnerabilities it can use for offensive attacks.

The move is seen as a rare act of transparency by the government, which has kept the rules secret since they were first formed under the Obama administration.

The rules were posted on the White House website an hour after Joyce's talk. A fact-sheet was also released.

Under the Obama administration, the government created the multi-agency review board to weigh whether a flaw discovered by the intelligence community should be disclosed privately to tech companies, or kept secret so that it can be used for carrying out intelligence operations, such as hacking and network exploitation.

Critics argue that the government can put individual and business cybersecurity at risk by stockpiling vulnerabilities, and not disclosing them to industry partners who can fix them before criminals find and begin exploiting them.

But the government contends that the process balances the needs of law enforcement and intelligence agencies while ensuring that the larger, more dangerous vulnerabilities are disclosed and later patched.

In a blog post, Joyce said that transparency is "critical" and that the release of the rules is "important to establish confidence" in the process, including the agencies involved.

Joyce confirmed that the agencies include the Departments of Commerce, Defense, and Energy; Homeland Security; the Secret Service; the Office of the Director of National Intelligence, including the National Security Agency and the Central Intelligence Agency; the Treasury; the State Department; and the White House.

The newly revealed rules show that if the board decides to keep a vulnerability private, the board must reassess its decision every year.

And Joyce said that the government will issue an annual report that provides information on the VEP's work.

The security community, which has been calling on the government to release the details of this process for years, has long believed that the government was holding onto more exploits than it was disclosing. The NSA isn't just tasked with finding vulnerabilities; reports show that the agency spent $25 million on buying details of previously undisclosed vulnerabilities from third parties in one year alone.

Joyce reaffirmed earlier comments that more than 90 percent of vulnerabilities are disclosed to partners, but wouldn't say if that was an immediate process or an eventual one.

"The charter includes a clear statement that vulnerabilities cannot be stockpiled and that disclosure should be the presumption," said Michelle Richardson at the Center for Democracy & Technology, in an email.

"It is incredibly important and beneficial that this be the official public policy of the US government," she said.

The unclassified report comes less than a year after a set of NSA hacking tools was stolen and used to launch a large-scale, global ransomware attack. The stolen tools enabled hackers to silently infect Windows computers with a backdoor to then launch the WannaCry ransomware. Other tools allowed NSA analysts to break into a range of systems, network equipment, and firewalls, and most recently, Linux servers, and a range of Windows operating systems. Companies scrambled to fix the vulnerabilities in the aftermath of the WannaCry attack.

Hackers associated with North Korea were blamed for the attack, despite denials from Pyongyang.

The move prompted Congress to announce legislation aimed at preventing the government from stockpiling vulnerabilities, hacking tools, and cyber-weapons.
