michelangelus - Fotolia
Federal vulnerability review under new VEP still has questions
Experts are still unsure about the Vulnerabilities Equities Process, but admit the new VEP Charter could be a good step toward improving federal vulnerability review.
Experts said the new Vulnerabilities Equities Process Charter unveiled by the White House should be a good step, but argued the value of VEP overall.
Daniel Castro, vice president for the Information Technology and Innovation Foundation (ITIF), an independent research institute based in Washington, D.C., said the government's overall cybersecurity policy is still flawed, but the new VEP Charter "is exactly the right policy."
"The administration has clearly heard the requests for transparency and oversight from many stakeholders, and it has addressed those concerns head-on. Now that we have a fully documented process and commitments to publish annual metrics, businesses, security experts, academics and government officials can start to have a productive debate about how to assess and improve the disclosure process," Castro said in a statement released by ITIF. "It remains to be seen how receptive the administration will be to reassessing when to share information on vulnerabilities, but its decision today was the right move to build up goodwill among many stakeholders."
Balancing vulnerability disclosure
However, the VEP overall is still divisive, because experts cannot agree on whether to prioritize offensive or defensive cyber capabilities when it comes to federal vulnerability review and disclosure.
In the VEP Charter announcement, Rob Joyce, special assistant to the president and cybersecurity coordinator for the National Security Council, said "conducting this risk/benefit analysis is a vital responsibility of the federal government."
"There are advocates on both sides of the vulnerability equity issue who make impassioned arguments. Some argue that every vulnerability should be immediately disclosed to the vendor and patched," Joyce wrote in the announcement. "In my view, this is tantamount to unilateral disarmament. Our adversaries, both criminal and nation state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities."
Katie Moussouris, CEO of Luta Security Inc., said Joyce's statement "is a false dichotomy between 100% disclosure versus the current process that puts zero-day vulnerabilities at the heart of the matter."
"My assertion has always been to err on the side of disclosure to the vendor and seek a mission-focused alternative to using zero-day vulnerabilities in broadly deployed software," Moussouris told SearchSecurity. "In some cases, not all, the objective of the mission could be completed via other means, such as exploiting misconfigurations or well-crafted phishing attacks, or even via zero-day exploits in localized, country-specific software instead. Exploitation of vulnerabilities for which a patch exists, but hasn't been applied on the target system yet, is one such alternative."
J.J. Guy, CTO of JASK, a cybersecurity company based in San Francisco, and former officer in the U.S. Air Force, said it is a flawed argument to claim that vulnerability review and disclosure by the government can keep enterprises safe, because "it assumes vulnerabilities are finite, and if we can simply fix all the vulnerabilities, we will be secure."
"If the federal government is forced to release the details of newly discovered vulnerabilities, they will stop looking for them. To do otherwise is a waste of taxpayer dollars. The other intelligence agencies in the world will not be similarly constrained; they will continue their research and discover new vulnerabilities. They will use those against U.S. interests, including those of U.S. companies, to steal intellectual property and accelerate research and development of their own companies," Guy told SearchSecurity. "For every vulnerability the federal government discovers, there are a dozen others still waiting to be discovered -- and dozens more that will be introduced in new versions of software over the following year. To attempt to control that through the VEP is like using an umbrella in a hurricane."
Experts debate the details of the VEP Charter
Although several experts said the new VEP Charter was a step in the right direction for federal vulnerability review, the document was not perfect.
Willis McDonald, senior threat manager at Core Security, a cybersecurity company headquartered in Roswell, Ga., noted an odd discord in the White House announcement, which claimed to represent the interests of commercial equities and international partnership equities. But the VEP council "does not include any representation from either commercial or international entities."
"For national security purposes, this is an obvious exclusion, but closes the door on external oversight of decisions deemed in the interest of national security. The VEP Charter limits the scope of vulnerabilities addressed by the council to certain classes, which allows the reporting entity to report as they see fit vulnerabilities outside of the VEP scope," McDonald told SearchSecurity. "Vulnerabilities discovered and shared by international partners are not addressed by the VEP, which would allow a participating entity to report the vulnerability as they see fit. The VEP merely expands the agency participants in procedures and councils already in place for making decisions on reporting vulnerabilities."
Amie Stepanovich, U.S. policy manager at Access Now, a nonprofit human rights and public policy group based in New York, said the new VEP Charter "maintains all of the loopholes of the process as it was previously formulated. And, in fact, [it] creates new ones, as well, because of the charter's own recognition of the importance of cybersecurity, which is specifically undermined by unpatched vulnerabilities."
"The VEP appears to apply to any vulnerability that is newly discovered and not publicly known, though third parties can expressly contract or agree that a vulnerability will not go through the process," Stepanovich told SearchSecurity. "There are also other exceptions, which remain classified. Additionally, practically, it will require an agency determination that a vulnerability meets that standard and is unclear if they are required to consider that determination with a vulnerability that they discover."
Early reactions to the VEP Charter said one potential loophole might be with nondisclosure agreements (NDAs) being able to keep a bug out of the federal vulnerability review process, but Moussouris said this reading might not be accurate.
"The NDA mention is likely in reference to the fact that exploit sellers may have terms of service that require their buyers not to disclose the vulnerability, such as providing the sample to the affected vendor. It's not a loophole as characterized, but rather a deliberate commercial term by the exploit vendor to preserve their IP," Moussouris said. "A bug is the weakness that can be exploited. An exploit, in this context, is software written to take advantage of that weakness, and it takes craftsmanship to engineer an exploit that works reliably against a given target. That exploit is something the exploit vendor might not want to get into the hands of the software vendor."
Heather West, senior policy manager and Americas principal at Mozilla, agreed the exceptions process of the VEP needed work and said there needed to be more detail on how disclosures work.
"A good disclosure makes the difference. The Charter requires the board to agree on guidelines about how to disclose -- and we hope that they lean on the established expertise at DHS [the Department of Homeland Security] to put those together. No need to reinvent the wheel," West wrote in a blog post. "Joyce talked about a six month window for retaining a vulnerability, and a quicker reconsideration for a particularly sensitive vulnerability (or one that there isn't broad agreement about retaining). This reconsideration is critical: just because something is useful today doesn't make it useful in six months -- and indeed, the longer that it is kept, the more likely that someone else has discovered it too."
VEP and federal vulnerability review transparency
Willis McDonaldsenior threat manager, Core Security
McDonald said the overall push for transparency with the new VEP Charter could "ultimately be just as effective as policies in place prior."
"Legislation like [the proposed PATCH Act] and the VEP Charter are in place to calm the public and paint a facade of transparency, rather than actually cause change," McDonald said. "Vulnerabilities such as those used in WannaCry would never have been released through VEP due to their usefulness in providing access to remote systems for collection purposes."
West said the annual reports should lead to better oversight of the federal vulnerability review process.
"This will significantly help us understand how the process works -- including whether or not the government is stockpiling vulnerabilities," West wrote. "While Congress is not involved in the individual decisions that are made, they have a critical role in the oversight of the process itself."
Stepanovich agreed "much more remains to be done" with the transparency provisions of the VEP Charter.
"Annual reports should guarantee that they will be made publicly available," Stepanovich said. "Additionally, the charter should specify more about what is included in the report, including not only the number of withheld vulnerabilities, but their severity and potential impact, as well as records of the frequency each agency votes to disclose or retain a vulnerability."