The White House has a new leader of a largely secretive government group that decides whether software and hardware vulnerabilities should be withheld from the public to help the government conduct cyber operations.
The group determines whether the government should withhold so-called zero-day flaws, which are previously undiscovered security bugs that have not yet been patched. The government uses the board to decide which flaws it can use to conduct surveillance and which to disclose to the public.
But when flaws are withheld for cyber operations, companies and citizens can be left vulnerable if others discover the same vulnerabilities.
The personnel shift, first revealed by CyberScoop, comes after Rob Joyce, who previously oversaw the group, left his position to return to the National Security Agency.
It has long been believed that the government has been stockpiling software and hardware vulnerabilities, allowing the nation's intelligence agencies to remotely break into other computers, collect surveillance data, or conduct espionage. Those suspicions were confirmed in 2016, when a Freedom of Information request by the Electronic Frontier Foundation revealed the program.
But the very existence of the process has been controversial. The Trump administration cast new light on the board's work after a cache of government hacking tools was stolen in 2016.
"If the default behavior of the VEP is to disclose a discovered vulnerability, I think we need someone at the helm that has offensive cyber experience advocating for the outliers," said Jake Williams, now principal consultant at Rendition Infosec.
"The reality is that foreign intelligence shapes national policy -- and in many cases prevents conflicts. We need to use some vulnerabilities discovered to get that intelligence," he said in a tweet. "Offensive cyber experience is hard to come by, particularly at the senior levels."