Vulnerabilities Equities Process

Last updated

The Vulnerabilities Equities Process (VEP) is a process used by the U.S. federal government to determine on a case-by-case basis how it should treat zero-day computer security vulnerabilities: whether to disclose them to the public to help improve general computer security, or to keep them secret for offensive use against the government's adversaries. [1]

Contents

The VEP was first developed during the period 2008–2009, but only became public in 2016, when the government released a redacted version of the VEP in response to a FOIA request by the Electronic Frontier Foundation. [2] [3]

Following public pressure for greater transparency in the wake of the Shadow Brokers affair, the U.S. government made a more public disclosure of the VEP process in November 2017. [1] [4]

Participants

According to the VEP plan published in 2017, the Equities Review Board (ERB) is the primary forum for interagency deliberation and determinations concerning the VEP. [4] The ERB meets monthly, but may also be convened sooner if an immediate need arises.

The ERB consists of representatives from the following agencies:

The National Security Agency serves as the executive secretariat for the VEP. [4]

Process

According to the November 2017 version of the VEP, the process is as follows:

Submission and notification

When an agency finds a vulnerability, it will notify the VEP secretariat as soon as is possible. The notification will include a description of the vulnerability and the vulnerable products or systems, together with the agency's recommendation to either disseminate or restrict the vulnerability information.

The secretariat will then notify all participants of the submission within one business day, requesting them to respond if they have an relevant interest. [4]

Equity and discussions

An agency expressing an interest must indicate whether it concurs with the original recommendation to disseminate or restrict within five business days. If it does not, it will hold discussions with the submitting agency and the VEP secretariat within seven business days to attempt to reach consensus. If no consensus is reached, the participants will suggest options for the Equities Review Board. [4]

Determination to disseminate or restrict

Decisions whether to disclose or restrict a vulnerability should be made quickly, in full consultation with all concerned agencies, and in the overall best interest of the competing interests of the missions of the U.S. government. As far as possible, determinations should be based on rational, objective methodologies, taking into account factors such as prevalence, reliance, and severity.

If the review board members cannot reach consensus, they will vote on a preliminary determination. If an agency with an equity disputes that decision, they may, by providing notice to the VEP secretariat, elect to contest the preliminary determination. If no agency contests a preliminary determination, it will be treated as a final decision. [4]

Handling and follow-on actions

If vulnerability information is released, this will be done as quickly as possible, preferably within seven business days.

Disclosure of vulnerabilities will be conducted according to guidelines agreed on by all members. The submitting agency is presumed to be most knowledgeable about the vulnerability and, as such, will be responsible for disseminating vulnerability information to the vendor. The submitting agency may elect to delegate dissemination responsibility to another agency on its behalf.

The releasing agency will promptly provide a copy of the disclosed information to the VEP secretariat for record keeping. Additionally, the releasing agency is expected to follow up so the ERB can determine whether the vendor's action meets government requirements. If the vendor chooses not to address a vulnerability, or is not acting with urgency consistent with the risk of the vulnerability, the releasing agency will notify the secretariat, and the government may take other mitigation steps. [4]

Criticism

The VEP process has been criticized for a number of deficiencies, including restriction by non-disclosure agreements, lack of risk ratings, special treatment for the NSA, and less than whole-hearted commitment to disclosure as the default option. [5]

Related Research Articles

<span class="mw-page-title-main">Computer security</span> Protection of computer systems from information disclosure, theft or damage

Computer security, cyber security, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

<span class="mw-page-title-main">Australian Signals Directorate</span> Australian signals intelligence agency

The Australian Signals Directorate (ASD), formerly the Defence Signals Directorate (DSD), is the federal statutory agency in the Australian Government responsible for foreign signals intelligence, support to military operations, cyber warfare, and information security. ASD is part of the Australian Intelligence Community. ASD's role within UKUSA Agreement is to monitor signals intelligence ("SIGINT") in South and East Asia. The ASD also houses the Australian Cyber Security Centre.

<span class="mw-page-title-main">Classified information</span> Material that government claims requires confidentiality

Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know. Mishandling of the material can incur criminal penalties.

<span class="mw-page-title-main">United States Intelligence Community</span> Collective term for US federal intelligence and security agencies

The United States Intelligence Community (IC) is a group of separate United States government intelligence agencies and subordinate organizations that work both separately and collectively to conduct intelligence activities which support the foreign policy and national security interests of the United States. Member organizations of the IC include intelligence agencies, military intelligence, and civilian intelligence and analysis offices within federal executive departments.

<span class="mw-page-title-main">Freedom of Information Act (United States)</span> 1967 US statute regarding access to information held by the US government

The Freedom of Information Act, 5 U.S.C. § 552, is the United States federal freedom of information law that requires the full or partial disclosure of previously unreleased or uncirculated information and documents controlled by the U.S. government, state, or other public authority upon request. The act defines agency records subject to disclosure, outlines mandatory disclosure procedures, and includes nine exemptions that define categories of information not subject to disclosure. The act was intended to make U.S. government agencies' functions more transparent so that the American public could more easily identify problems in government functioning and put pressure on Congress, agency officials, and the president to address them. The FOIA has been changed repeatedly by both the legislative and executive branches.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. There are numerous measures available to prevent cyberattacks.

The United States government classification system is established under Executive Order 13526, the latest in a long series of executive orders on the topic of classified information beginning in 1951. Issued by President Barack Obama in 2009, Executive Order 13526 replaced earlier executive orders on the topic and modified the regulations codified to 32 C.F.R. 2001. It lays out the system of classification, declassification, and handling of national security information generated by the U.S. government and its employees and contractors, as well as information received from other governments.

<span class="mw-page-title-main">CERT Coordination Center</span>

The CERT Coordination Center (CERT/CC) is the coordination center of the computer emergency response team (CERT) for the Software Engineering Institute (SEI), a non-profit United States federally funded research and development center. The CERT/CC researches software bugs that impact software and internet security, publishes research and information on its findings, and works with businesses and the government to improve the security of software and the internet as a whole.

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

<span class="mw-page-title-main">Sensitive security information</span>

Sensitive security information or SSI is a term used in the United States to denote sensitive but unclassified information obtained or developed in the conduct of security activities, the public disclosure of which would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to the security of transportation. It is not a form of classification under Executive Order 12958 as amended. SSI is not a security classification for national security information. The safeguarding and sharing of SSI is governed by Title 49 Code of Federal Regulations (CFR) parts 15 and 1520. This designation is assigned to information to limit the exposure of the information to only those individuals that "need to know" in order to participate in or oversee the protection of the nation's transportation system. Those with a need to know can include persons outside of TSA, such as airport operators, aircraft operators, railroad carriers, rail hazardous materials shippers and receivers, vessel and maritime port owners and operators, foreign vessel owners, and other persons.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

<span class="mw-page-title-main">Ari Schwartz</span>

Ari M. Schwartz is an American cybersecurity and technology policy expert. He is the former Special Assistant to the President and senior director for cybersecurity on the United States National Security Council Staff at the White House, having left the role in October 2015. Previously, Schwartz worked in both the Executive Branch and civil society as on cybersecurity, privacy, civil liberties, and policy. He is an advocate for vulnerability disclosure programs.

<span class="mw-page-title-main">Department of Defense Whistleblower Program</span>

The Department of Defense Whistleblower Program in the United States is a whistleblower protection program within the U.S. Department of Defense (DoD) whereby DoD personnel are trained on whistleblower rights. The Inspector General's commitment fulfills, in part, the federal mandate to protect whistleblowers. It also administers the Defense Intelligence Community Whistleblower Protection Program (DICWP), as a sub-mission for the intelligence community. The Inspector General's Defense Criminal Investigative Service also conducts criminal investigations which rely, in part, on Qui Tam relators.

<span class="mw-page-title-main">Whistleblower protection in the United States</span>

A whistleblower is a person who exposes any kind of information or activity that is deemed illegal, unethical, or not correct within an organization that is either private or public. The Whistleblower Protection Act was made into federal law in the United States in 1989.

<span class="mw-page-title-main">Intelligence Authorization Act for Fiscal Year 2014</span> United States Law

The Intelligence Authorization Act for Fiscal Year 2014 is a U.S. public law that authorizes appropriations for fiscal year 2014 for intelligence activities of the U.S. government. The law authorizes there to be funding for intelligence agencies such as the Central Intelligence Agency or the National Security Agency, but a separate appropriations bill would also have to pass in order for those agencies to receive any money.

NOBUS is a term used by the United States National Security Agency (NSA) to describe a known security vulnerability that it believes the United States (US) alone can exploit. As technology and encryption advance, entities around the globe are gravitating towards common platforms and systems, such as Microsoft, Linux, and Apple. This convergence in usage creates a conflict between patching system vulnerabilities to protect one's own information, and exploiting the same system vulnerabilities to discover information about an adversary. To handle this conflict, the NSA developed the NOBUS system in which they evaluate the likelihood that an adversary would be able to exploit a known vulnerability in a system. If they determine the vulnerability is only exploitable by the NSA for reasons such as computational resources, budget, or skill set, they label it as NOBUS and will not move to patch it, but rather leave it open to exploit against current or future targets. Broadly, the concept of NOBUS refers to the gap in signals intelligence (SIGINT) capabilities between the US and the rest of the world. Critics believe that this approach to signals intelligence poses more of a threat to the US than an advantage as the abilities of other entities progress and the market for buying vulnerabilities evolves.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers, and the operating systems of most smartphones, as well as other operating systems such as Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the C.I.A.

Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.

Government hacking permits the exploitation of vulnerabilities in electronic products, especially software, to gain remote access to information of interest. This information allows government investigators to monitor user activity and interfere with device operation. Government attacks on security may include malware and encryption backdoors. The National Security Agency's PRISM program and Ethiopia's use of FinSpy are notable examples.

References

  1. 1 2 Newman, Lily Hay (November 15, 2017). "Feds Explain Their Software Bug Stash—But Don't Erase Concerns". WIRED. Retrieved November 16, 2017.
  2. Electronic Privacy Information Center. "Vulnerabilities Equities Process". epic.org. Retrieved November 16, 2017.{{cite web}}: |author= has generic name (help)
  3. "Vulnerabilities Equities Process (VEP)". Electronic Frontier Foundation. January 18, 2016. Retrieved November 16, 2017.
  4. 1 2 3 4 5 6 7 "Vulnerabilities Equities Policy and Process for the United States Government" (PDF). whitehouse.gov . November 15, 2017. Retrieved November 16, 2017 via National Archives.
  5. McCarthy, Kieren (November 15, 2017). "The four problems with the US government's latest rulebook on security bug disclosures". The Register. Retrieved November 16, 2017.

See also