White House discloses secretive decision process for growing hacking toolkit

The White House on Wednesday lifted the veil on the secretive executive branch process used to determine which computer security flaws it can use in surveillance and which it will report to tech firms to allow them to patch.

The Trump administration published a first-ever charter for that system, known as the vulnerability equity process (VEP), on Wednesday morning.

Congress, the private sector and public advocacy groups have recently pushed for a more transparent version of the VEP — with more consideration of the potential danger of keeping vulnerabilities secret. By keeping these security bugs quiet, they note, criminal or foreign espionage hackers can potentially discover and use them.

{mosads}

‌At a speaking engagement that served as the de facto launch event for the charter, White House cybersecurity czar Rob Joyce said the secrecy surrounding the VEP left that debate at least partially uninformed.

“There was a proposal to add [the Department of] Commerce to the process. Commerce was already there,” he said during an onstage interview at The Aspen Institute.

The Obama administration created the VEP, but only publicly discussed its broad outlines. While the public knew the VEP required intel and law enforcement agencies to argue in front of an executive branch panel, the public did not know who was in the room for the deliberations.

The charter for the first time outlines the agencies represented in the conversation. They include the Homeland Security Department (DHS), Secret Service, Office of the Director of National Intelligence, Treasury Department, State Department, Justice Department, FBI, Energy Department, Office of Management and Budget (OMB), Defense Department, National Security Agency (NSA), Commerce Department and CIA.

That list contains far more voices speaking on behalf of disclosing vulnerabilities to manufacturers than previously thought.

DHS’s focus is on protecting public systems. Treasury represents the banking system’s interest in maintaining systems safe from hackers. Energy represents the same role for the power grid and OMB for government systems. And Secret Service looks to maintain secure communications channels for the president.

The Secret Service can be a “loud voice,” said Joyce.

He emphasized that the government takes the importance of protecting the public seriously in its deliberations.

“So much of the fabric of our society relies on the bedrock that is [information technology],” he said, later adding “If there is a flaw in those systems, there’s an imperative to make sure that flaw is not exploited.” 

“Both sides have to come away from that table a little unhappy,” he said.

One new addition to the VEP will be an annual public report on how many vulnerabilities were discovered and were kept secret. Joyce said the rate of notifying tech firms has historically been above 90 percent.

The VEP entered the public debate in recent months after two malware outbreaks within a matter of weeks used allegedly-leaked NSA hacking tools. Those malware outbreaks, known as WannaCry and NotPetya, caused international disruptions to major business and government systems. 

Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.), as well as Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), quickly introduced a bill codifying and tweaking the process known as the Protecting Our Ability to Counter Hacking Act. That legislation, still under consideration, would appoint DHS as the head of the table for VEP deliberations.

Microsoft responded to those malware attacks by asking governments to notify manufacturers of all vulnerabilities. 

— Updated at 1:29 p.m.