Making Sense of the U.S. Policy on Disclosing Computer Vulnerabilities

Alex Grigsby is the assistant director for the Digital and Cyberspace Policy program at the Council on Foreign Relations. 

Late last year, I wrote that the United States should consider publishing its policy on zero-day disclosures as a confidence-building measure. The logic with my proposal was simple. Publishing the process by which the United States evaluates computer vulnerabilities would demonstrate to China and Russia that it is not stockpiling computer flaws for later use. Over time, as the United States became more open about the vulnerabilities it disclosed to vendors, it could reduce misperceptions or tensions among rivals and hopefully prevent escalatory activity.

Thanks to the Electronic Frontier Foundation (EFF), we now have a bit more insight into the U.S. government’s decision-making process. As a result of a Freedom of Information Act request, EFF was able to obtain a heavily redacted copy of the government’s vulnerabilities equities and policy process (VEP). It sets out the process the U.S. government uses to determine whether it will notify a vendor of a security vulnerability.

Here’s what we now know of the process:

• When a U.S. department, agency, or contractor discovers a vulnerability not yet known to the public, that agency will notify something called the VEP executive secretariat, housed within the NSA. The executive secretariat notifies other departments and agencies of the vulnerability.
• Once department and agencies are notified, subject matter experts discuss the vulnerability. Presumably, they discuss the seriousness of the vulnerability, the ease with which an exploit can be developed, and the likelihood of others having discovered it among other things. It’s unclear exactly what criteria subject matter experts must consider because they seem to be redacted despite the fact that Michael Daniel seems to have discussed them in a April 2014 blogpost. Subject matter experts then provide a recommendation on disclosure to something called the equities review board (ERB).
• The ERB, comprised of "senior level department/agency representatives," then decides whether to ratify the recommendation.  The policy notes that ERB decisions should be made by consensus but that if impossible, a decision will be made by majority vote. That decision is pushed out to departments or agencies via the VEP executive secretariat.
• Any one department or agency can appeal an ERB decision, though to whom is redacted. In an interview last year with Wired, White House Cybersecurity Coordinator Michael Daniel said that the White House would play a larger role in the process, possibly making it the final arbiter on disclosure decisions.
• The VEP executive secretariat is required to draft an annual report that includes a host of information, such as which parties obtained information about a vulnerability and the use of the vulnerability in cybersecurity sensors.

While it’s great to know about these procedures, there are still huge gaps in our understanding. First, it’s a mystery which departments or agencies take part in the VEP. The document notes that "other" departments such as State, Justice, Homeland Security, Energy and others "may" participate in the process, suggesting they’re not the primary actors. The process is likely dominated by the security and intelligence agencies that probably send multiple representatives (e.g. the counterintelligence and cybercrime divisions of the FBI would each want to be represented, same with the SIGINT and information assurance directorates at the NSA), each arguing their specific equities. It’s impossible to know that for sure as the paragraph spelling this out is redacted despite being marked as unclassified. While the dominance of the intelligence community isn’t necessarily surprising--they would be most likely to discover and use new vulnerabilities after all--it isn’t reassuring given its track record of deliberately introducing vulnerabilities in widely used cryptography. It makes one wonder whether they’re going to favor the offense over the defence unless organizations with solely defensive cyber-related missions like Homeland Security, which houses US-CERT, or the NSA’s information assurance directorate are consistently part of the decision-making process.

Second, it’s unclear the extent to which the United States’ Five Eyes allies (Australia, Canada, New Zealand and the United Kingdom) are integrated into the process. The Five Eyes’ intelligence collection activities are arguably the most integrated in the world. Often, Five Eyes officials will work together to solve an problem, like breaking into a particular device or developing new techniques to collect intelligence, that can involve discovering new vulnerabilities. Say a U.S.-led team that includes Brits and Canadians finds a new vulnerability, what happens then? Are UK and Canadian law enforcement or intelligence agencies able to make their case in the equities process? Would the United States make a equities decision that would run counter to the interests of its closest allies that played a role in the vulnerability’s discovery? It’s a hypothetical scenario, but I’d be surprised if a case like this hasn’t come up in the past five years.

I believe Michael Daniel when he asserts that the United States discloses the majority of the vulnerabilities that it discovers. Thanks to Edward Snowden, a lot of people in the cybersecurity community don’t. The Obama administration could rebuild some of that trust if it was more transparent on the process. One easy step is to release some of the annual reports that the VEP requires. Obviously some classification issues would need to be worked out but they are not insurmountable. The administration could release a range of the percentage of vulnerabilities it has disclosed, similar to what already exists for tech companies that want to disclose government surveillance requests. Not only will that help rebuild the trust between security researchers and the U.S. government, but provide tangible proof to U.S. rivals that its vulnerabilities stockpile isn’t as big as they think it is.