White House increases transparency around cybersecurity flaw disclosure

Dive Brief:

  • The White House released the charter for the Vulnerabilities Equities Process (VEP), an interagency operation assessing whether the federal government should disclose cyber vulnerabilities it finds to vendors of a technology or whether it should “restrict” the finding in light of national security or law enforcement considerations, according to Rob Joyce, White House cybersecurity coordinator, in an announcement Wednesday.
  • The VEP assesses four equities when deciding whether to disclose a vulnerability: defensive, commercial, international partnership and intelligence, law enforcement and operational.
  • The process was criticized for a lack of transparency in the past. Criticism mounted following the discovery that the NSA knew about a flaw in Microsoft’s Windows software, which was later capitalized upon by the WannaCry ransomware attackers, yet the agency chose not to disclose the vulnerability and instead built a hacking tool of its own, according to Reuters.

Dive Insight:

Under the charter, agencies that do inform vendors of a flaw have to follow up to ensure the vendor took action to address the vulnerability. If a vendor decides not to handle the flaw, or fails to act in a timely manner, the government may take further action.

But what happens when a company knows of a vulnerability yet fails to properly address it? If you’re Equifax and you failed to patch the Apache Struts vulnerability, then it meant compromising more than 145 million consumers’ private information.

More than 90% of detected cyber vulnerabilities are reportedly disclosed by government agencies to vendors, said Joyce, according to Reuters. While less than 10% are thereby restricted, the secrecy surrounding this small group of flaws is certain to cause trepidation in light of the WannaCry incident.

Many critics maintain that the government does not disclose in a timely enough manner. The body of the charter does not set strict time requirements for disclosure, calling only for dissemination “in the most expeditious manner and when possible within 7 business days.”