The Trump administration’s rules for deciding when to reveal cyber security flaws to private companies provide more clarity on procedures introduced by the Obama administration and will expedite the entire process, say experts.
But they also warn the protocols’ effectiveness will become clear only after they have been implemented, and further modification may be needed.
During the Obama administration, the U.S. government had already created an interagency review, the Vulnerability Equities Process, to determine how to handle security flaws that government agencies discover.
The approach had come under criticism, however, because the WannaCry ransomware attack exploited a flaw in Microsoft’s Windows software that the National Security Agency had kept undisclosed and used to build a hacking tool for its own use.
The policy issued last week, “Vulnerabilities Equities Policy and Process for the United States Government,” outlines the factors to be considered in deciding whether to release information, including whether and how widely the product is used, how much users rely on the product’s security, and whether the product can be configured to mitigate the vulnerability.
It also lists considerations by parties including intelligence, law enforcement, industry and international partnerships.
The protocols state information on vulnerabilities will be disseminated within seven days, if possible. It also calls for an annual report to be written “at the lowest classification level permissible” that includes, at a minimum, an unclassified executive summary as well as statistical data that is “deemed appropriate.”
Kenneth K. Dort, a partner with Drinker Biddle & Reath L.L.P. in Chicago, said the new protocols permit faster release of information and provide a clearer set of guidelines to use in making that decision.
“The frustration with the prior set of protocols was that while most of the identified defects ultimately would be distributed to the commercial sector … the defects weren’t being distributed soon enough to basically give private entities essentially enough time to react and prevent bad things from happening. The poster children for that” would be the organizations affected by WannaCry, he said.
The new rules “would appear to be more promising in that regard,” Mr. Dort said. “It would seem that the tone, and the reason for issuing the revised protocols, would be to permit governmental entities that were in control of knowledge regarding those defects to more rapidly process their analysis and distribute that information to the private sector more quickly than had been done in the past.”
The new protocols, he added, provide more clarity on the criteria that will be considered by governmental entities. There is a “bit more transparency into the process than there was before,” he said.
Ari Schwartz, managing director of cyber security services at Venable L.L.P. in Washington, who was formerly special assistant to President Barack Obama and senior director for cyber security policy at the White House National Security Council, said, “It’s a similar policy to what we had before, but it goes into a lot more detail. There were a lot of things that were somewhat vague about the policy,” and the new protocols reflect and implement what has been learned.
“This is a major step forward in terms of building trust between companies and the government on how the government deals with vulnerabilities,” Mr. Schwartz said.
“Without a doubt, the major improvement is transparency,” said Matthew McCabe, New York-based senior vice president with Marsh L.L.C.’s cyber practice. “It’s a great example of government building on its initiative” and “improving the government process” as administrations change.
“You’re not going to see a huge difference” as a result, he added, however, “because the government was already making known most of the vulnerabilities they were aware of.”
“It isn’t so much a fix” as it is the establishment of a structured process to resolve potential disagreements on disclosure, said Michael R. Overly, a partner with Foley & Lardner L.L.P. in Los Angeles. “They’re not trying to take giant steps here,” he said.
“Overall, it shows that there continues to be a focus on cyber security and understanding the need to balance law enforcement interests and the interests of the private sector,” said Scott N. Godes, a partner at Barnes & Thornburg L.L.P. in Washington.
Being “able to stay up to date on, and continuing to re-evaluate, that balance is good and a helpful sign overall,” he said.
Joshua Gold, a shareholder with Anderson Kill P.C. in New York, said, however, he does not think the document “really alters the formula at all.”
“It’s still the balancing act between privacy and security,” he said. “As far as I can tell, it is still very much a classified process” that is ultimately left up to government officials.
Further modification may be needed. “The structure’s not that bad. It’s just that we haven’t seen it in use yet,” said Michael Born, Kansas City, Missouri-based vice president of the global technology and privacy practice at Lockton Cos. L.L.C.
“It looks OK on paper,” but “a plan only survives until first contact. When we try to apply it, then we’ll see how it works,” he said, adding “It undoubtedly will have to be changed and modified and adapted if it’s going to work at all.”