Yesterday, the White House launched a new vulnerabilities equities process (VEP) policy, which sets out how the U.S. government will disclose computer vulnerabilities it finds or acquires to vendors. When I first read it, I panicked for a minute. It looked like the Trump administration had done pretty much everything a bunch of policy weenies from the Obama administration had proposed. I had two fears.
The first was that, after the beating the NSA has been taking over disclosures of its operations, and with morale low, now was not the time to be tightening the restraints placed on intelligence collectors.
The second fear I had was that if a policy seems too good to be true, it probably is. After all, Matt Damon in Rounders teaches us that “if you can’t spot the sucker in your first half hour at the table, then you're the sucker.”
But then I realized something. Rob Joyce wouldn’t do either of those things. As the former head of the NSA’s elite Tailored Access Operations, Rob is well positioned to judge whether the VEP is hurting operations. He’s also honest, straightforward, and trustworthy. The kind of guy who will tell the world how to stop his organization, and then lament when nobody listens.
So, with that out of the way, let’s cheer on the comity and bipartisanship that continues on cybersecurity.
Having run the VEP process in the Obama administration, Ari Schwartz and I made seven public recommendations when we left. Here’s how the new VEP stacks up against our recommendations:
Issue an executive order to formalize and require government-wide compliance with the VEP. While I applaud making the charter public, it’s an agreement among agencies. An executive order has the weight of law. Fail.
Make public the high-level criteria that will be used to determine whether to disclose a zero-day vulnerability to a vendor, or to retain it for government use. I would have liked to see a more explicit list included in the policy, along the lines of Michael Daniel’s blogpost (but in policy, not a blogpost), but the criteria are embedded in the document and in Rob Joyce’s statement. Pass.
Clearly define the process to be followed in making a disclosure decision with respect to a zero-day vulnerability. Well done on this one. It even includes a handy workflow diagram. Pass.
Ensure that any decision to retain a zero-day vulnerability for government use is subject to periodic review. The policy calls for annual review of any retained vulnerability. I would have liked every six months, but no need to get nitpicky. Pass.
Prohibit agencies from entering into non-disclosure agreements with vulnerability researchers and resellers. The policy doesn’t get into specifics, but it does admit that disclosure could be subject to restrictions “by partner agreements.” The details on this remain classified. Fail.
Transfer the executive secretary function from NSA to the Department of Homeland Security. The policy keeps the function at NSA, a bad public relations move given that the information assurance division of the NSA no longer exists as a separate entity. Still, the policy lets the White House cyber coordinator move the responsibility. Fail.
Direct the executive secretary to issue a public report on an annual basis on the status of the program. I would have liked to see the first public report issued covering the last twelve months, but the commitment is a start. Pass.
My biggest complaint is the issue of non-disclosure agreements. I have never bought the logic on why a vendor should be able to tell the U.S. government it can’t disclose a zero-day vulnerability it has bought. If the U.S. government just bought a true zero-day (i.e. a vulnerability unknown to a vendor and not being resold to other customers), a seller should have no stake in what the purchaser does with it.
The best argument against this position is that a disclosure could lead a vendor to discover what kinds of vulnerabilities researchers are looking for, and defend against them. That may be true, but it is also exactly the kind of consideration the VEP was established to address.