New White House Announcement on the Vulnerability Equities Process

The White House has released a new version of the Vulnerabilities Equities Process (VEP). This is the inter-agency process by which the US government decides whether to inform the software vendor of a vulnerability it finds, or keep it secret and use it to eavesdrop on or attack other systems. You can read the new policy or the fact sheet, but the best place to start is Cybersecurity Coordinator Rob Joyce's blog post.

In considering a way forward, there are some key tenets on which we can build a better process.

Improved transparency is critical. The American people should have confidence in the integrity of the process that underpins decision making about discovered vulnerabilities. Since I took my post as Cybersecurity Coordinator, improving the VEP and ensuring its transparency have been key priorities, and we have spent the last few months reviewing our existing policy in order to improve the process and make key details about the VEP available to the public. Through these efforts, we have validated much of the existing process and ensured a rigorous standard that considers many potential equities.

The interests of all stakeholders must be fairly represented. At a high level we consider four major groups of equities: defensive equities; intelligence / law enforcement / operational equities; commercial equities; and international partnership equities. Additionally, ordinary people want to know the systems they use are resilient, safe, and sound. These core considerations, which have been incorporated into the VEP Charter, help to standardize the process by which decision makers weigh the benefit to national security and the national interest when deciding whether to disclose or restrict knowledge of a vulnerability.

Accountability of the process and those who operate it is important to establish confidence in those served by it. Our public release of the unclassified portions of the Charter will shed light on aspects of the VEP that were previously shielded from public review, including who participates in the VEP's governing body, known as the Equities Review Board. We make it clear that departments and agencies with protective missions participate in VEP discussions, as well as other departments and agencies that have broader equities, like the Department of State and the Department of Commerce. We also clarify what categories of vulnerabilities are submitted to the process and ensure that any decision not to disclose a vulnerability will be reevaluated regularly. There are still important reasons to keep many of the specific vulnerabilities evaluated in the process classified, but we will release an annual report that provides metrics about the process to further inform the public about the VEP and its outcomes.

Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate. This publication of the VEP Charter will likely spark discussion and debate. This discourse is important. I also predict that articles will make breathless claims of "massive stockpiles" of exploits while describing the issue. That simply isn't true. The annual reports and transparency of this effort will reinforce that fact.

Mozilla is pleased with the new charter. I am less so; it looks to me like the same old policy with some new transparency measures -- which I'm not sure I trust. The devil is in the details, and we don't know the details -- and it has giant loopholes that pretty much anything can fall through:

The United States Government's decision to disclose or restrict vulnerability information could be subject to restrictions by partner agreements and sensitive operations. Vulnerabilities that fall within these categories will be cataloged by the originating Department/Agency internally and reported directly to the Chair of the ERB. The details of these categories are outlined in Annex C, which is classified. Quantities of excepted vulnerabilities from each department and agency will be provided in ERB meetings to all members.

This is me from last June:

There's a lot we don't know about the VEP. The Washington Post says that the NSA used EternalBlue "for more than five years," which implies that it was discovered after the 2010 process was put in place. It's not clear if all vulnerabilities are given such consideration, or if bugs are periodically reviewed to determine if they should be disclosed. That said, any VEP that allows something as dangerous as EternalBlue -- or the Cisco vulnerabilities that the Shadow Brokers leaked last August -- to remain unpatched for years isn't serving national security very well. As a former NSA employee said, the quality of intelligence that could be gathered was "unreal." But so was the potential damage. The NSA must avoid hoarding vulnerabilities.

I stand by that, and am not sure the new policy changes anything.

More commentary.

Here's more about the Windows vulnerabilities hoarded by the NSA and released by the Shadow Brokers.

EDITED TO ADD (11/18): More news.

EDITED TO ADD (11/22): Adam Shostack points out that the process does not cover design flaws or trade-offs, and that those need to be covered:

...we need the VEP to expand to cover those issues. I'm not going to claim that will be easy, that the current approach will translate, or that they should have waited to handle those before publishing. One obvious place it gets harder is the sources and methods tradeoff. But we need the internet to be a resilient and trustworthy infrastructure.

Posted on November 17, 2017 at 6:02 AM • 24 Comments

Comments

Homeland Security On The Range • November 17, 2017 6:29 AM

Between 10 and 250 vulnerabilities were retained for operational purposes after the reporting period.
- The next US Transparency Report

Ollie Jones • November 17, 2017 7:04 AM

Huh. The country's citizens don't count as an "equity," whatever that is, eh?

I guess I knew that. But still, I wish these people who sit near the seats of power would remember to whom their first duty of loyalty is owed.

Nickie • November 17, 2017 8:06 AM

@Ollie Jones:

That would be to the one who is actually in the seat of power who gave them that job.

Those in the seats of power owe their loyalty to the party leaders and the donors who bought the seat for them.

Loyalty to the citizens and the Constitution? That's just mouth noises during their oath of office.

fred • November 17, 2017 8:14 AM

WTF is trust today?

When you get updates for your phone/laptop, is it a security fix or a new data miner? "Bad guys" don't have to hack anymore, just buy every detail they need from data farmers.

Anything you've done over the past 30 years can and will be used against you if the need arises.

Big Brother SUCKS!

Max • November 17, 2017 8:19 AM

Reminder: all the damage caused by EternalBlue came *after* it was patched. This is hardly evidence that disclosure is helpful. I would even dare to suggest that disclosing specific details of bugs (as opposed to a general class of bugs) is anti-social, except in the special case where eliminating ALL similar bugs is a realistic goal.

Who? • November 17, 2017 10:34 AM

This one is the way I see the [currently broken] Vulnerability Equities Process:

  1. The US Government has easier access to the source code of products manufactured by U.S.-based corporations (by means of agreements, NSLs or other deals) than to the source code of non-U.S. ones.
  2. The US Government looks for vulnerabilities in these products.
  3. Instead of fixing them, they (usually) collect these vulnerabilities for future use.
  4. Sometimes these bugs are released in the wild (by means of leaked documentation or exploits) or rediscovered by a third party.

VEP makes non-US products safer, as these are only exposed to the usual threats (e.g. accidental discovery by crackers, industrial espionage done by the IC) to which US products are equally exposed.

It is time for the US IC to drop the offensive part of cybersecurity —enough wealthy right now— and improve the defensive one. It means not only fixing bugs in US products but also in products designed and manufactured by allies, as these are usually found in US networks too.

There is no way to achieve security through insecurity.

Wael • November 17, 2017 10:46 AM

@who?

VEP makes non-US products safer

Unless there are NSA counterparts with the same MO in most countries. Counterparts that do the same exact things with non-US products and US products alike. Many exploits come from outside the US, too. Some of these exploits are sold to TLAs, foreign and domestic.

Also I wouldn't limit NSA's work to US products, although they'd have more leverage with local products.

Who? • November 17, 2017 12:28 PM

@ Wael

Touché!

I missed the point about NSA counterparts. The world, as we would like it to be, is probably broken beyond any repair. I have, however, not limited NSA's work to US products (I wrote "industrial espionage done by the IC" too) but I understand US corporations are more reachable to IC than foreign ones because they are either more vulnerable to legal threats (NSLs) or share interests with the IC and, in general, the US Government.

Wael • November 17, 2017 12:35 PM

@Who?

The world, as we would like it to be, is probably broken beyond any repair.

Agreed.

I have, however, not limited NSA's work to US products...

A thousand pardons.

Who? • November 17, 2017 2:28 PM

@ Wael

It was shocking to me when, a few years ago, I learned the NSA was doing industrial and technological espionage against allies. I did know there was a huge surveillance network targeting citizens, we all knew about programs like ECHELON and TRANSIENT. It was not exactly what I would call a secret then. Targeted surveillance against political leaders and influential people... sure! But industrial espionage against allies... it was somewhat unexpected to me.

Jonathan Wilson • November 17, 2017 3:52 PM

Personally, I am not convinced the NSA, FBI, CIA or any other agency should be allowed to hoard general vulnerabilities in general purpose software at all for any reason. Nor should they be allowed to do anything that intentionally makes said general purpose software less secure (e.g. forcing companies to insert backdoors).

I don't like the scumbags who distribute child pornography but that doesn't mean the FBI should be allowed to use a secret undisclosed flaw in the TOR browser (or possibly even in the base Firefox codebase) and make everyone vulnerable. If there is no other way to catch the child pornographers then the FBI will have to go without catching these particular criminals. Law enforcement should not be allowed to use secret methods of catching bad guys that can't be disclosed in court.

At the very least, there should be a requirement that when a vulnerability is being exploited by someone else other than the agencies hoarding that vulnerability (say, cybercriminals or foreign governments), they should be required to disclose that vulnerability.

Also the final decision to hoard or share a vulnerability should be made by an independent body who has all the facts (i.e. "if we release this vulnerability, these are the bad guys who would get away" vs "if we hoard this vulnerability and it goes unfixed, this is what the bad guys could do when it gets discovered").

Wael • November 17, 2017 4:20 PM

@Who,

it was somewhat unexpected to me.

Wasn't surprising to me to be honest. Everybody spies on everybody. And there are no "moral" boundaries to observe: in for a penny, in for a pound.

Clive Robinson • November 17, 2017 4:35 PM

The priorities are clear, when we read,

At a high level we consider four major groups of equities:

1, defensive equities;
2, intelligence / law enforcement / operational equities;
3, commercial equities;
4, international partnership equities.

Additionally, ordinary people want to know the systems they use are resilient, safe, and sound.

Does anyone see any "let's protect the economy" in that list?

We know full well that "defensive" really means "offensive". Likewise we also know that "intelligence" really means spying on the citizens by the way it is given parity with LE. As for "Commercial", that we know is a "back scratching game" which means "we lose". As for "international", that's the FiveEyes and the cosy relationship of you spy on our citizens and we'll spy on your citizens and swap the data, so we can all avoid the laws of our home nations and give politicians "deniability".

Thus the real agenda is protecting the profits of the MIC/IC cartels.

However such profits can only be maintained if the economy remains healthy enough to sustain them as the mainly worthless tax they are.

The MIC/IC cartels are parasitic in that they take and take and take but they give back nothing to those who have to pay for their excesses either directly or indirectly.

It's been noted by several people in several ways that the US economy is dependent on technology. One has noted that it is like a polio victim in an iron lung, the technology helps the US economy draw breath, and the other bodily needs are addressed by a mixture of technology and foreigners who do the basic necessities others will not do.

Thus following that analogy you would think a sensible person would go to some lengths to ensure the iron lung was made of reliable components and maintained with diligence. Not that they would actively sabotage components just to cause the iron lungs in other countries to fail. Nor would they seek to alienate or get rid of those foreigners who do that which those native will not.

You only have to look at two things, the "Cyber-security" policy that is based on "offense" only and secondly the boondoggle that is the "Department of Homeland Security" to realise just what a problem the US is in. Both are an eyewateringly expensive cost on the national purse that do little or nothing for those who pay for them. The US economy can no longer support such costs and it does not take a great imagination to see what the result will be.

Clive Robinson • November 17, 2017 5:07 PM

@ Who?, Wael,

VEP makes non-US products safer, as these are only exposed to the usual threats

Whilst there is a degree of truth in that, the more important take away is that you are actually talking about "Closed Source" software.

The reason there is a degree of truth in the argument is that whilst the NSA and other Intel agencies in the US are some of the largest money pits in the world they are however resource constrained. That is there is only so much they can do, which also is affected by "The smallest apples fall further from the tree"[1]. So the further away the software company is and the smaller its market share the less likely it is to be subject to NSA scrutiny.

However I'm in favour of Open Source, not least because it puts things out in the open where they more or less always have been in history. If you build a mechanical device the customer can pull it apart and see how it works. They may not learn all the secrets but they will see all of them.

Further people tend to put their best work on show historically. When a house was built the good bricks faced outwards. The damaged or even broken bricks went inside where they would get hidden by render/plaster. The outer walls were built by the "masters", the inner walls by those not yet as skilled.

Closed source is at best the inner wall, whilst Open Source tends to be the outer wall.

[1] This is actually true and there are various sound reasons for it to be so, not least that branches are thinner the further they are from the trunk, and the weight of the fruit pulls the branches down.

Mike Barno • November 17, 2017 6:11 PM

@Who?, Wael,

The world, as we would like it to be, is probably broken beyond any repair.

Oh, just wait until you see it three years from now...
Every USAn executive-branch policy has been changed by political appointees to Rush to break it quicker.

Wael • November 17, 2017 8:55 PM

@Clive Robinson,

Closed source is at best the inner wall, whilst Open Source tends to be the outer wall.

I like the analogy!

@Mike Barno,

Oh, just wait until you see it three years from now...

I'll remind you three years from now (if I'm still alive and kicking.)

It's Tricky Tricky Tricky • November 18, 2017 12:25 AM

I wonder what the modus operandi is should a vulnerability in Kaspersky software be found, as if I recall the code is to be laid open to the US.

The US claim that Kaspersky - and no doubt other vendors - have ill will, but play the hypocrisy card themselves. This is the epitome of exceptionalism. The same people then wonder why countries such as Russia want to move towards sovereignty of their data infrastructure.

All in all of course, everyone's playing the same game, it's just that the US appear to be the most vocal about it - "not fair!" like a whiny child.

Before anyone mentions the "T-word", this is regardless of who is POTUS, as the foundation of security always survives elections and the majority of today's operations have accumulated long ago. Perhaps the practice of instituting security "immortals" should change in every country. But one wish at a time.

It needs to be understood that maintaining holes in defences will come to bite those in the know and/or their populations. You'd think defence people would understand that... After all, arrows fired in modern times are for spear-phishing and it's only a matter of time before they catch another big 'un and reel in the succulent data.

Clive Robinson • November 18, 2017 11:25 AM

@ Wael, Mike Barno,

I'll remind you three years from now (if I'm still alive and kicking.)

How are you going to kick anyone with those new improved "parole anklets" for everyone who is not a 1% of the 1%, with those shaped charges to blow your foot off should you violate the rules, including moving too quickly[1]?

[1] Running away will be a new crime after all those donut buckets in blue don't want to raise a sweat having to pull out a gun to take aim to shoot you...

Douglas Coulter • November 18, 2017 11:37 AM

It seemed to me on a quick skim (but also looking at events) that a big deal is what is proactive.

If they keep a vuln, they then use it proactively to hack supposed "adversaries".
E.g. effort is expended to exploit it.

If not, they "reveal" the vuln - and effort stops right there. No effort is made to protect the citizens and so on. That's a really big difference. As usual, the lie is right out in front, people just miss it. This is how the pols and bureaucrats hide things in plain sight. That whole half of the mandate is effectively ignored.

We all know that simply revealing something doesn't create a patch, and further doesn't get that patch installed. Revealing could be in that mythical basement lavatory in a locked file cabinet behind a sign saying beware of the leopard, after all. Even if not, the effect is pretty iffy - there are too many "WONTFIX" or "CANTFIX" things out there as is, and we know Equifax was a result of not patching known stuff (well, that's what "they" tell us, believable enough). I don't see how they can know fully in all cases when even attribution is hard.

Further, I'm amazed (amazed, I tell you) that not one peep has been emitted about what seems obvious to me. If you get access to some huge important database - especially with root access so you can wipe logs, change timestamps and cover your tracks - why do we never hear that someone with such access didn't just read the big DB, but WROTE into it???

Can't anyone see the obvious value of being able to write into OPM's db - and give or cancel access to secrets - even mark someone as employed by .gov already - or Equifax's - to get or remove credit ratings? Hard to believe anyone at even a minor level of expertise would miss that possibility and the likely payoffs for being able to do that.

But then we pretend that the ability to gather data on everyone includes those who write the IC and MIC paychecks, who are more vulnerable to blackmail than almost anyone else. I'd be surprised if that idea didn't occur to even a brain-dead bureaucrat.

Clive Robinson • November 18, 2017 5:27 PM

@ Douglas Coulter,

We all know that simply revealing something doesn't create a patch, and further doesn't get that patch installed.

Let's assume that they do reveal, you'll note that the "commercial equities" is number three on the list. Which almost certainly means that any reveal they do make will not be public but to the commercial entity which has made the code etc. error.

This means there will be no incentivisation for the company to do anything, unlike the "responsible disclosure" process. Further they might only release an interim work around to major contracts in the US to "keep the secrecy" etc. Which is almost certainly not going to include the majority of users world wide. But just as likely, is the company when it does release a patch to the world will tuck it away as part of something else like upgraded telemetry and not mention its criticality again to "keep the secrecy".

Further as we know from Equifax, even large organisations can be very tardy with applying patches. Especially if there is no apparent urgency...

So the chances are the attack will still work against many persons of interest for a long time to come. So the NSA et al get the best of both worlds. They get an exploit they can use against quite a few unwary targets, further they can hold their hand up and say "we disclosed as required" it's not down to us that half the mom and pops stores have had their bank accounts cleared out or held to ransom etc etc etc. The companies will say they issued a patch so it must be the customers fault...

Yes I can see them playing this like a cheap fiddle down at the local Irish or Country night down at the local emporium. As Terry Pratchett used to put in his books "The leopard never changes its shorts".

PeaceHead • November 21, 2017 9:38 PM

We, the people, are drowning in internet vulnerabilities.
There are so many holes it's become ridiculous.
And to make matters worse, the default configurations and designs of so many softwares and firmwares and operating systems are de facto set up for total cascade failure in terms of both security and privacy.

A lot of the modular accessories claiming to provide enhanced security and/or privacy are merely cosmetic since we are compromised at every level of the software/hardware/distribution/IO chain and signal flow.

This worries me more during times such as these, when geopolitical tensions are high, and when milint/humint/sigint procedures need to stay hidden.

I'm just a civilian, yet it gradually becomes evident, that we are being undermined in a myriad of ways and it will likely cause harms which could otherwise be avoided. Count me in with Snowden on the preference for stability and infrastructural neutrality/stability. I can relate to and comprehend the preference for non-aggressiveness instead of rampant incursions into everyone's data and everything happening. It's hard for me to express what I'm trying to explain. I don't talk about this much.

But the main idea is that safety should be the main concern instead of competitiveness which just drags us all down in the accurate yet cliché term "race to the bottom".

Peace be with you.

justina colmena • November 26, 2017 8:51 PM

At a high level we consider four major groups of equities: defensive equities; intelligence / law enforcement / operational equities; commercial equities; and international partnership equities. Additionally, ordinary people want to know the systems they use are resilient, safe, and sound.

The interests of "ordinary people," never mind ordinary U.S. people, are not at a "high level" to the Trump administration. That should be more than enough to convict the President, but it gets even worse.

Equities. International equities. Yes, that would be stocks. Shares of publicly traded corporations, bought and sold on the stock market. And the "stakeholders" of whom the New World Order regime speaks are none other than major shareholders of major multi-national corporations, and their power is proportional to their wealth.

The ordinary people of the United States are of no interest whatsoever to the executive branch of the New World Order regime. There is no "transparency" here except that the executive branch scarcely even bothers any longer to conceal what has become a complete and total coup d'état of the United States of America.
