This morning, the White House released a new version of the Vulnerabilities Equities Process (VEP). We want to thank Rob Joyce, and the rest of the NSC staff working on the rewrite, for continuing to pay attention to this important issue. As we’ve said before, we all have a shared responsibility to protect the entirety of the online ecosystem. The increased transparency around this process will help to foster that shared commitment to securing the internet.
The VEP is how the U.S. government reviews and coordinates the disclosure of security vulnerabilities that it learns about. Proper handling of vulnerabilities clearly benefits both the government and the health of the internet, because the underlying tools, platforms and services are widely used in both the public and private sectors.
Mozilla has been pushing for concrete and meaningful change in how the U.S. government handles security vulnerabilities. We have been working with a bipartisan, bicameral group of legislators in Congress on the PATCH Act, which we believe to be an incredibly positive step. We’re happy to see the White House take similar action.
We’ve been working to reform and codify the VEP for over two years – so we’re excited to see the White House make progress on this important issue. What we saw from the White House today includes welcome developments. We are evaluating this updated information against five criteria we released last year, all of which Joyce discussed:
- All vulnerabilities and exploits should go through the VEP. Joyce mentioned a lot of agencies with interests in software and vulnerabilities – but that doesn’t mean that they have to use the process. The White House – or Congress – should require that all vulnerabilities go through the process. Joyce, and the charter, seem to imply that all vulnerabilities need to go through the VEP – and that any exceptions need to be made clear to the cyber coordinator at the White House, who can veto that exception – which would be an excellent development. The exceptions process itself is classified, so we don’t know what that entails.
- All relevant federal agencies should apply a standard set of criteria in their review, to ensure all relevant risks and interests are considered. Joyce outlined the now-public list of agencies that are involved in the process. While there isn’t a lot of change from what we believe the list of agencies was in the past, it’s excellent to make that list public – and to clearly say that other agencies can participate when they have equities (assuming that they have staff with clearance). The list: the Department of Homeland Security (represented by the National Cybersecurity and Communications Integration Center), the Office of the Director of National Intelligence, the Department of the Treasury (both the Secret Service and representing the banking industry), the Department of State (to represent diplomatic and non-US interests), the Department of Justice (both Justice and the FBI), the Department of Energy (for critical infrastructure), the Office of Management and Budget, the Department of Defense (including CYBERCOM, the policy development office, the Cyber Crime Center, and the NSA – intending to include both offensive and defensive missions), the Central Intelligence Agency, and the Department of Commerce.
- There should be public timelines, both for reviewing vulnerabilities and re-reviewing decisions to delay disclosure. Joyce talked about a six month window for retaining a vulnerability (the charter itself says a year), and a quicker reconsideration for a particularly sensitive vulnerability or one about which there isn’t broad agreement on retaining. This reconsideration is critical: just because something is useful today doesn’t make it useful in six months – and indeed, the longer that it is kept, the more likely that someone else has discovered it too.
- Independent oversight and transparency into the procedures of the VEP should be created. Joyce mentioned both classified reporting to Congress and an annual unclassified report for the public. This will significantly help us understand how the process works – including whether or not the government is stockpiling vulnerabilities. While Congress is not involved in the individual decisions that are made, they have a critical role in the oversight of the process itself.
- The VEP should use existing disclosure mechanisms, including those at DHS, and coordinate disclosure in line with industry best practices. Joyce did not talk about how disclosure works, operationally. This is important: a good disclosure makes the difference. The charter requires the board to agree on guidelines about how to disclose – and we hope that they lean on the established expertise at DHS to put those together. No need to reinvent the wheel.
We’re pleased to see many of the goals of the PATCH Act covered in this process release. Our overarching goal in codifying the VEP in law to ensure compliance and permanence cannot be met by unilateral executive action, but each of these process clarifications makes a difference. We look forward to continuing to work with Congress and the White House on these reforms.