{"id":10504,"date":"2017-11-15T16:45:05","date_gmt":"2017-11-16T00:45:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/15\/news-4276\/"},"modified":"2017-11-15T16:45:05","modified_gmt":"2017-11-16T00:45:05","slug":"news-4276","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/15\/news-4276\/","title":{"rendered":"The Vulnerabilities Equities Process Still Has Issues Even After Added Transparency"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a0cc8411a385857258c7172\/master\/pass\/WhiteHouse-510269559.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman | Date: Thu, 16 Nov 2017 00:33:49 +0000<\/strong><\/p>\n<p><span class=\"lede\">Governments rely on <\/span>flaws in software, hardware, and encryption protocols for espionage and assorted intelligence gathering. And what makes that cyber-sneaking possible are technical flaws that governments find and keep to themselves. But in the United States, the practice of withholding vulnerabilities such that they can\u2019t be fixed has drawn increasing controversy\u2014especially because of real-world situations where secret government hacking tools have leaked and spread to devastating effect.<\/p>\n<p>In an attempt to clarify and codify the government&#x27;s approach to dealing with this problem, the White House released <a href=\"https:\/\/www.whitehouse.gov\/sites\/whitehouse.gov\/files\/images\/External%20-%20Unclassified%20VEP%20Charter%20FINAL.PDF\" target=\"_blank\">details<\/a> for the first time on Wednesday about how the government decides which software vulnerabilities it discloses, and which ones it withholds for its own use in espionage, law enforcement, cyber warfare, and general intelligence-gathering. 
The Trump administration called the unclassified release a \u201ccharter\u201d for the so-called \u201cVulnerabilities Equities Process,\u201d and it sheds new light on how the government weighs withholding advantageous vulnerabilities against alerting the affected vendors so that the flaws can be fixed before outside hackers use them as well.<\/p>\n<p>The VEP, developed during the Obama administration, has been <a href=\"https:\/\/www.wired.com\/2017\/03\/cias-hacking-hoard-makes-everyone-less-secure\/\">consistently criticized for its lack of transparency<\/a>. Before Wednesday, the public information about the program largely came from a Freedom of Information Act release that contained documents from 2010, and a 2014 blog <a href=\"https:\/\/obamawhitehouse.archives.gov\/blog\/2014\/04\/28\/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities\" target=\"_blank\">post<\/a> by then-White House Cybersecurity Coordinator Michael Daniel.<\/p>\n<p>But calls to explicate the VEP have intensified significantly since WikiLeaks and the hacking group Shadow Brokers <a href=\"https:\/\/www.wired.com\/2017\/05\/governments-wont-let-go-secret-software-bugs\/\">began releasing alleged CIA and NSA hacking tools<\/a>, especially after those tools <a href=\"https:\/\/www.wired.com\/2017\/05\/wannacry-ransomware-hackers-made-real-amateur-mistakes\/\">enabled devastating ransomware attacks<\/a> and more. And while the new VEP publication is a trove of long overdue information, it doesn&#x27;t in and of itself solve the problems that led to so many recent failures.<\/p>\n<p>\u201cThe reasons you want to patch, you want to disclose are because our society has grown intertwined with our IT technology, so if there\u2019s a flaw in those systems there is an imperative to close that hole and make sure it\u2019s not exploited,\u201d Rob Joyce, the current White House Cybersecurity Coordinator, said at the Aspen Institute on Wednesday morning. 
\u201cOn the other side you\u2019ve got the need to produce foreign intelligence, the need to support war fighters, the need to conduct operations in this new cyber environment. And in fact a lot of the knowledge we get to defend systems is gained\u2026from these same sorts of vulnerabilities. So either extreme isn\u2019t good for the country.\u201d<\/p>\n<p>The new VEP charter does score points for increased transparency, including its detailing of the departments and agencies whose representatives comprise the vulnerability review committee, the criteria used, and the mechanisms for handling situations where that group can\u2019t agree on how to handle a particular bug. The NSA is the \u201cexecutive secretariat\u201d of the VEP, and most of the representatives come from intelligence community agencies, the Department of Defense, the Department of Homeland Security, and the Department of Justice, including the FBI. But analysts say they were relieved to see groups like the State Department, Treasury, Department of Commerce, and Department of Energy on the list, to represent other priorities and viewpoints.<\/p>\n<p>The charter also promises annual reports\u2014both classified versions for government officials and lawmakers, and an unclassified version\u2014to offer regular updates about the VEP. \u201cI think that this is a huge step forward from almost no documentation to having this charter publicly available,\u201d says Heather West, a senior policy manager at the nonprofit Mozilla Foundation. \u201cThis will help people understand what the scope is, which agencies are involved. Whenever the next Shadow Brokers or big hack happens we\u2019ll be able to see, if the VEP broke down where was it? 
And then we can talk about fixing it instead of just speculating.\u201d<\/p>\n<p>The Shadow Brokers example serves as a worst-case scenario of what can occur when government-held vulnerabilities in popular and widely used software get out and suddenly threaten millions of people&#x27;s digital lives. One exploit tool the Shadow Brokers published, Eternal Blue, targeted a vulnerability in the Windows implementation of the SMB file-sharing protocol, and was used to spread malware in both the WannaCry and NotPetya ransomware attacks that swept the world this spring. The NSA has never officially confirmed that Eternal Blue was one of its exploits, but it had <a href=\"https:\/\/www.washingtonpost.com\/business\/technology\/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did\/2017\/05\/16\/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.9257dd9d56ec\" target=\"_blank\">reportedly<\/a> been an NSA workhorse for more than five years before the agency finally requested that Microsoft patch it, making it more likely with each passing year that someone else would find it and millions of devices would be caught vulnerable.<\/p>\n<p>Ideally, the VEP can mitigate those problems by weighing the benefits and risks of exploiting\u2014and continuing to exploit\u2014a vulnerability instead of disclosing it. The White House\u2019s Joyce declined to comment on Eternal Blue, and whether it was ever vetted by the VEP. He emphasized, though, that under the charter the VEP will consistently re-evaluate retained vulnerabilities so they don\u2019t languish in the toolbox unchecked for years. 
\u201cWhen a vulnerability is retained it\u2019s not a lifetime waiver,\u201d he said.<\/p>\n<p>The administration also pushed back against the characterization that the government \u201cstockpiles\u201d or \u201choards\u201d vulnerabilities. Joyce cited a previously touted figure that the government discloses more than 90 percent of the vulnerabilities it finds. But analysts note that a raw percentage says nothing about the severity of what the government chooses to disclose versus what it retains. \u201cThe public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones,\u201d NSA whistleblower Edward Snowden <a href=\"https:\/\/twitter.com\/Snowden\/status\/930827558324760576\" target=\"_blank\">wrote<\/a> on Wednesday. \u201cWe need to know the severity of disclosed vulnerabilities, not just the number.\u201d<\/p>\n<p>It&#x27;s also unclear how different the Trump administration VEP charter is from the previous version. \u201cIt didn&#x27;t change substantially, but it got a lot tighter,\u201d Joyce said on Wednesday. Some observers also fear that Wednesday\u2019s releases could become a one-time snapshot, without substantive transparency in the future. And since the VEP isn\u2019t currently codified in legislation, administrations can alter it at any time.<\/p>\n<p>\u201cWe actually have a lot of information that\u2019s been given to us here, which is great, but I\u2019m worried that this transparent sharing could be seen as the end of the discussion by those who aren\u2019t interested in reform,\u201d says Andi Wilson, a policy analyst at the non-partisan New America Foundation\u2019s Open Technology Institute. \u201cThe changes that are listed in these unclassified documents, if there are in fact changes, have been made behind a curtain. Any other changes could be made in the same way.\u201d<\/p>\n<p>A window into the VEP becomes ever more critical, as the government escalates its race against software security teams. 
\u201cIt\u2019s just a fact that the government is going to work to develop vulnerabilities and find them for operations,\u201d says Joyce. \u201cThe ecosystem continues to find new and innovative ways to exploit.\u201d As the pace of the discovery, exploitation, and patching cycle speeds up, traffic through the VEP will only increase.<\/p>\n<p>Analysts largely agree that there is a true national security need to retain and exploit some vulnerabilities. But as WikiLeaks, the Shadow Brokers, and other revelations have shown, tempering the intensity that drives intelligence hacking is also in the national security interest, given the very real threat those vulnerabilities pose. More visibility into the VEP will hopefully lead to more accountability, but ultimately it&#x27;s still the officials in the negotiating room who will decide how the charter is used in practice.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/vulnerability-equity-process-charter-transparency-concerns\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.wired.com\/photos\/5a0cc8411a385857258c7172\/master\/pass\/WhiteHouse-510269559.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lily Hay Newman | Date: Thu, 16 Nov 2017 00:33:49 +0000<\/strong><\/p>\n<p>A new charter for the Vulnerabilities Equities Process sheds some light, but doesn&#8217;t fix the underlying problems. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[714],"class_list":["post-10504","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10504"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10504\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10504"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}