In response to a Freedom of Information Act request by the Electronic Frontier Foundation, the U.S. government has just released a document detailing its “Vulnerabilities Equities Process (VEP).” It describes how the U.S.G. decides, with input from relevant agencies, whether to use software vulnerabilities for intelligence gathering or to disclosure those vulnerabilities to companies. Unfortunately, the process described in the document has a few problems.
This process is important because, if designed properly and taken seriously by stakeholders, it would allow the U.S.G. to balance national security imperatives against economic and cyber security benefits for average Americans, U.S. companies, and Internet users more generally. Some of these vulnerabilities might be necessary to allow intelligence agencies to gather the information they need against key targets. But using those vulnerabilities instead of disclosing them could also place a lot of people at risk. That is why a process like this is needed—to make sure the U.S.G. balances against these competing goals.
The document, which is heavily redacted, makes for some dry reading. But for those disillusioned by the cyber information sharing debate in Congress, it is worth taking a look to see how this “cyber” stuff might work in practice. Administration officials have made public references to this process before, but, until this week, outside stakeholders had very little information indicating there was anything backing up those references.
There are, however, problems with the process that should leave skepticism about the VEP’s ability to strike the right balance between national security and cyber security.
First, this document appears to describe the process that was in place from 2010 to 2014. During that time, we know from previous Administration statements that the National Security Agency (NSA) ran the vulnerabilities disclosure process. Those statements match the details provided here. The document identifies NSA as the Executive Secretariat responsible for running the process. “Such function [of the Executive Secretariat] will be executed so as to remain neutral and independent of the organization’s equities in any particular case.”
It is somewhat ridiculous to think NSA could have remained neutral and independent, given that it depends on the vulnerabilities in question for its operations. It isn’t therefore surprising that the initial process failed. According to the White House Cybersecurity Coordinator Michael Daniel last year, the initial VEP process “had not been implemented to the full degree that it should have been.” Daniel announced in April 2014 that, “we re-invigorated our efforts to implement existing policy with respect to disclosing vulnerabilities” and indicated that the National Security Council (NSC) would be taking on a more central role in the process. It seems likely that the NSC now serves as the Executive Secretariat.
Second, the VEP appears to lack sufficient representation outside of the intelligence and law enforcement agencies and, as a result, may be too biased in favor of national security and against cybersecurity. The list of standard members in the process is redacted. However, we are told that “Organizational VEP POCs are responsible for ensuring that applicable cybersecurity, cyber defense, information assurance, intelligence, counterintelligence, law enforcement, REDACTED of their organization are appropriately represented in the process.” This would seem to suggest that the VEP pulls is members are intelligence and law enforcement agencies, meaning basically CIA, FBI, and NSA.
Further, we are provided a list of other optional participants in the VEP: “Other participants may include the Departments of State, Justice, Homeland Security, Treasury, Commerce, and Energy, and the Office of the Director of National Intelligence.” (My emphasis added.) For a process that is intended to balance against the competing goals described above, it would seem appropriate that the VEP include agencies that can appropriately represent those competing goals. A minimum, the Department of Commerce should be a standing member. If my reading of this document is correct, that does not appear to be the case today.
And third, this document is over classified and many of its redacted details should be available to the public. Of course, without knowing those details, we can’t know for sure whether their disclosure could jeopardize national security. And yes, the details of what vulnerabilities intelligence agencies use should certainly be classified, as should any analysis of their potential value to intelligence operations. But I can’t think of a good reason why the participants in the VEP or the factors used to decide about disclosure should remain classified. Indeed, if there are a lot of details about this process that are appropriately classified, that would be a further indication that there is something wrong with the process itself.