Cybersecurity pros take first peek at once secretive process behind US hacking toolkit

The White House released a charter Wednesday publicly describing the principles, aims and values of the secretive process it uses to decide what hacking tools to keep in its arsenal and which it would report to tech companies to allow them to fix.

It marked the first time cybersecurity and policy professionals had a chance to investigate what had been a shadowy system.

The transparency and policies were largely met with positive reviews. 

For years, the cybersecurity community tried to piece together how that system — known as the vulnerabilities equity process (VEP) — worked, through Freedom of Information Act requests, innuendo and complex modeling of what little information had been shared with the public.

The Obama administration made clear the VEP existed and involved some sort of executive office panel to weigh whether the benefits of using a particular vulnerability for espionage would outweigh the potential damage that would occur if criminal hackers or foreign spies exploited the same vulnerability for their own gain.

One fear had been that the VEP would be too heavily weighted toward the intelligence community’s demands.

But a big reveal of the VEP charter was how many civilian agencies and interests are represented.

There are so many agencies in the room that, at an early Wednesday event, White House cybersecurity czar Rob Joyce needed to read them from a list.

In addition to the Office of the Director of National Intelligence, Department of Justice, FBI, National Security Agency, Cyber Command, Department of Defense and CIA — all of whom have interests in adding new tools to the arsenal — the VEP contains representatives from the Office of Management and Budget (representing defensive security interests of government systems), the Treasury Department (banks), the Energy Department (the power grid), the Commerce Department (private sector firms, including tech companies), the State Department (foreign interests) and the Homeland Security Department (critical infrastructure).

“What’s most important is the recognition that all agencies have equities in the VEP,” said Heather West, senior policy manager at Mozilla, the maker of the Firefox web browser.

West added she felt Mozilla’s interest was “absolutely” represented by the VEP’s construction.

Michelle Richardson, deputy director of the Center for Democracy and Technology’s Freedom, Security and Technology Project, said she was impressed that the VEP charter was formally designating a policy to disclose vulnerabilities to tech firms by default.

Former cybersecurity czar Michael Daniel had publicly claimed this was the official policy, but Richardson did not feel that it had been properly written in an official capacity.

“There’s a balance in the need to disclose that was really missing from files that were released in the [Freedom of Information Act requests],” she said, adding, “It means a lot for it to be formalized.”

Richardson also backed increased transparency measures, including regular reports sharing statistics about how often the VEP kept or disclosed security bugs.

Joyce said the VEP ultimately discloses more than 90 percent of vulnerabilities to manufacturers for repair. But there had been no official statistics or public accounting in any form.

The VEP drew increased attention from Congress, advocacy groups and tech firms in recent months after two malware outbreaks in rapid succession used vulnerabilities allegedly leaked from the NSA.

WannaCry and NotPetya caused havoc internationally, forcing British hospitals to cancel surgeries, a massive shipping firm to temporarily shut down and outages at several other businesses and government agencies around the world.

Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.), as well as Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), responded to the outbreaks with the PATCH Act, a bill that would codify the VEP and place it under the auspices of Homeland Security.

Richardson said the Center for Democracy and Technology supported the PATCH Act, including the way it elevates the role of the civilian, defense-focused Homeland Security Department in the process.

“But, with the transparency in VEP now available, Homeland Security’s lead is not as important,” she said.

The VEP charter shed some light on controversial aspects of the process in a way that may be unsatisfactory to some stakeholders.

Richardson still hopes that the VEP will be in some way codified.

After the San Bernardino terrorist attacks, the FBI purchased use of a vulnerability from a contractor to unlock a suspect’s iPhone. That vulnerability never went through the VEP because it was purchased under a nondisclosure agreement.

There were fears from some digital rights quarters that nondisclosure agreements could be used as a loophole to prevent agencies from needing to go through the VEP. The charter leaves in an exemption for vulnerabilities acquired under such agreements.

The VEP charter does not answer one of the primary concerns of Katie Moussouris, chief executive of LutaSec and an expert in vulnerability disclosure strategies.

The VEP, Moussouris noted, is based on the idea that government agencies would be able to accurately assess the risk of different vulnerabilities.

“Agencies might not be able to determine that threat without industry assistance, which they can’t get without tipping the industry off,” she said.

But all experts agreed the public charter gave more insight into a process whose secrecy was counterproductive to its mission.

“It’s a significant step forward in transparency,” said West, of Mozilla.