White House Opens Up About How It Assesses Cyberthreats

The White House has opened up about the so-called Vulnerabilities Equities Process (VEP) established during the Obama administration, providing its first public explanation of how the government goes about determining whether to disclose cybersecurity flaws or keep them secret.

The Trump administration released the unclassified charter for the equities process Wednesday in the face of growing concerns surrounding the government's hoarding of exploits and the related security risks, particularly in light of losing control of classified hacking tools subsequently used to wage wide-scale cyberattacks recently affecting victims in the U.S. and abroad.

Published on the White House website, the charter shows for the first time the government agencies that participate in the equities process and the criteria used when deciding whether to disclose otherwise unknown security vulnerabilities -- flaws colloquially called "zero days," because there have been zero days to patch them.

Federal authorities have exploited zero days in digital products during the course of pursuing law enforcement and national security matters, perhaps most notably evidenced by Stuxnet, a malicious computer worm reportedly created by U.S. and Israeli intelligence that sabotaged Iran's contentious nuclear program by harnessing several unpatched security flaws.

Critics argue, however, that by keeping these vulnerabilities private, the government keeps vendors from securing their products and consequently makes their customers prone to hacking.

Indeed, Microsoft vulnerabilities previously hoarded by the National Security Agency (NSA) were leaked online and ultimately weaponized into WannaCry, a ransomware strain that crippled computer systems in more than 150 countries earlier this year and briefly sidelined the United Kingdom's National Health Service (NHS), among other victims.

Any decision to withhold security bugs must be revisited one year later, and the government must issue an annual report providing information on the equities process, according to the charter published Wednesday.

The agencies that participate in the equities process include the Departments of Commerce,...
