The White House has a new leader of a largely secretive government group that decides whether software and hardware vulnerabilities should be withheld from the public to help the government conduct cyber operations.
Grant Schneider, the federal chief information security officer and senior director at the National Security Council, was named head of the Vulnerabilities Equities Process (VEP) board.
The group determines whether the government should withhold so-called zero-day flaws, previously unknown security bugs for which no patch yet exists. The government uses the board to decide which flaws it keeps for conducting surveillance and which it discloses to the public.
But withholding flaws for cyber operations can leave companies and citizens exposed if someone else discovers the same vulnerabilities.
The personnel shift, first revealed by Cyberscoop, comes after Rob Joyce, who previously oversaw the group, left his position to return to the National Security Agency.
His role, the White House cybersecurity coordinator, was subsequently dissolved.
It has long been believed that the government stockpiles software and hardware vulnerabilities, allowing the nation's intelligence agencies to remotely break into other computers, collect surveillance data, or conduct espionage. Those suspicions were confirmed in 2016, when a Freedom of Information Act request by the Electronic Frontier Foundation revealed the program.
But the very existence of the process has been controversial. The Trump administration cast new light on the board's work after a cache of government hacking tools was stolen in 2016.
The stolen tools enabled hackers to launch the wide-scale WannaCry ransomware attack. Other tools allowed NSA analysts to break into a range of systems, network equipment, and firewalls, and most recently Linux servers, as well as a range of Windows operating systems. Companies scrambled to fix the vulnerabilities in the aftermath of the WannaCry attack.
Schneider has a long career in government as a defense cybersecurity expert, said one former NSA staffer, who nonetheless warned that the VEP requires an "offensive" security mindset.
"If the default behavior of the VEP is to disclose a discovered vulnerability, I think we need someone at the helm that has offensive cyber experience advocating for the outliers," said Jake Williams, now principal consultant at Rendition Infosec.
"The reality is that foreign intelligence shapes national policy -- and in many cases prevents conflicts. We need to use some vulnerabilities discovered to get that intelligence," he said in a tweet. "Offensive cyber experience is hard to come by, particularly at the senior levels."