Experts still skeptical of the VEP despite new federal vulnerability charter
How the federal government handles the vulnerabilities it discovers remains in question. The new VEP Charter documents how those flaws are reviewed and when they are disclosed, but it has not settled the debate over whether the process itself is the right approach.
Experts said the new Vulnerabilities Equities Process Charter unveiled by the White House is a good step, but they disagreed about the value of the VEP overall.
The government’s overall cybersecurity policy is still flawed, but the new VEP Charter “is exactly the right policy,” said Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF), an independent research institute based in Washington, D.C.
“The administration has clearly heard the requests for transparency and oversight from many stakeholders, and it has addressed those concerns head-on. Now that we have a fully documented process and commitments to publish annual metrics, businesses, security experts, academics, and government officials can start to have a productive debate about how to assess and improve the disclosure process,” Castro said in a statement released by ITIF. “It remains to be seen how receptive the administration will be to reassessing when to share information on vulnerabilities, but its decision today was the right move to build up goodwill among many stakeholders.”
Balancing vulnerability disclosure
However, the VEP overall remains divisive because experts cannot agree on whether federal vulnerability review and disclosure should prioritize offensive or defensive cyber capabilities.
In the VEP Charter announcement, Rob Joyce, special assistant to the president and cybersecurity coordinator for the National Security Council, said that “conducting this risk/benefit analysis is a vital responsibility of the federal government.”
“There are advocates on both sides of the vulnerability equity issue who make impassioned arguments. Some argue that every vulnerability should be immediately disclosed to the vendor and patched,” Joyce wrote in the announcement. “In my view, this is tantamount to unilateral disarmament. Our adversaries, both criminal and nation-state, are unencumbered by concerns about transparency and responsible disclosure and will certainly not end their own programs to discover and exploit vulnerabilities.”
Katie Moussouris, CEO of Luta Security, Inc., said Joyce’s statement “is a false dichotomy between 100% disclosure, versus the current process that puts 0-day vulnerabilities at the heart of the matter.”
“My assertion has always been to err on the side of disclosure to the vendor, and seek a mission-focused alternative to using zero-day vulnerabilities in broadly-deployed software,” Moussouris told SearchSecurity. “In some cases, not all, the objective of the mission could be completed via other means, such as exploiting misconfigurations, or well-crafted phishing attacks, or even via zero-day exploits in localized, country-specific software instead. Exploitation of vulnerabilities for which a patch exists but hasn’t been applied to the target system yet is one such alternative.”
J.J. Guy, CTO of JASK, a cybersecurity company based in San Francisco, and a former officer in the U.S. Air Force, said it is a flawed argument to claim that vulnerability review and disclosure by the government can keep enterprises safe, because “it assumes vulnerabilities are finite and if we can simply fix all the vulnerabilities we will be secure.”
“If the federal government is forced to release the details of newly discovered vulnerabilities, they will stop looking for them. To do otherwise is a waste of taxpayer dollars. The other intelligence agencies in the world will not be similarly constrained, they will continue their research and discover new vulnerabilities. They will use those against U.S. interests, including those of U.S. companies, to steal intellectual property and accelerate research and development of their own companies,” Guy told SearchSecurity. “For every vulnerability the federal government discovers, there are a dozen others still waiting to be discovered – and dozens more that will be introduced in new versions of software over the following year. To attempt to control that through the VEP is like using an umbrella in a hurricane.”
Experts weigh in on the details of the VEP Charter
Experts generally agreed that the VEP Charter is a step forward, but several pointed to gaps and loopholes in the document itself.
Willis McDonald, senior threat manager at Core Security, a cybersecurity company headquartered in Roswell, Ga., said the charter’s exclusions are a concern. “For national security purposes this is an obvious exclusion, but it closes the door on external oversight of decisions deemed in the interest of national security. The VEP Charter limits the scope of vulnerabilities addressed by the council to certain classes, which allows the reporting entity to report as they see fit vulnerabilities outside of the VEP scope,” McDonald told SearchSecurity. “Vulnerabilities discovered and shared by international partners are not addressed by the VEP, which would allow a participating entity to report the vulnerability as they see fit. The VEP merely expands the agency participants in procedures and councils already in place for making decisions on reporting vulnerabilities.”
The new VEP Charter “maintains all of the loopholes of the process as it was previously formulated, and in fact creates new ones as well because of the Charter’s own recognition of the importance of cybersecurity, which is specifically undermined by unpatched vulnerabilities,” said Amie Stepanovich, U.S. policy manager at Access Now, a non-profit human rights and public policy group based in New York.
“The VEP appears to apply to any vulnerability that is newly discovered and not publicly known, though third parties can expressly contract or agree that a vulnerability will not go through the process,” Stepanovich told SearchSecurity. “There are also other exceptions which remain classified. Additionally, practically it will require an agency determination that a vulnerability meets that standard, and it is unclear if they are required to consider that determination with a vulnerability that they discover.”