What to do with cyber vulnerabilities?

To tell or not to tell? That is the question facing a little-known, highly secretive U.S. government entity that examines cyber holes and decides whether they should be fixed, monitored or exploited. Known as the Vulnerabilities Equities Process, or VEP, this bureaucratic-sounding process is complex and consequential. The VEP could help prevent a Colonial Pipeline shutdown from happening or let it occur to learn more about perpetrators bent on disrupting the U.S. and its economy. But the VEP process is so shrouded in secrecy that there is no public scrutiny to ensure decisions adequately weigh all security and non-security equities necessary for our democracy.

Congress and the Biden administration play important roles in increasing public confidence that the VEP threads the needle of maintaining security and protecting our liberties. In a recent report, we suggest a host of fixes needed to improve the VEP.

The VEP is the U.S. government’s process for determining when and how to disclose unknown cyber vulnerabilities to relevant companies or withhold them for government purposes. Disclosing vulnerabilities gives industry the chance to fix holes in its software and reduce the exploit space for hackers and ransomware attackers. Holding onto exploits can be a boon to intelligence, law enforcement, and defense communities who might be able to use these vulnerabilities to penetrate adversary networks or track criminal organizations.

Disclosing or holding on to vulnerabilities carries a host of direct and unintended consequences. Keeping an exploit open could leave U.S. critical infrastructure or individual personal data open to attack because those same exploits often are available on the black market at the same time governments discover them.

Closing an exploit could mean losing an opportunity to break into the communications of an extremist organization plotting violence in the homeland, or the chance to listen in on the secret communications of a hostile foreign power targeting our military personnel overseas.

It’s dicey: Decisions on disclosure matter for protecting both the privacy and civil liberties of the American people. Law enforcement has a decidedly mixed record respecting legal and normative lines on what it collects, collates, and retains on the activities of the citizenry. Government retention of vulnerabilities in software means more federal power to potentially commit expansive searches of personal data normally understood to be private and non-accessible.

Industry, too, has a host of competing pressures for knowing what the government will do with the information it has found about a known exploit. Software providers want to fix holes as quickly as they can, but they do not want disclosures shared with other vendors or the public unless necessary. And what if the government decides the exploit is so valuable that industry should not be told?

A company could suffer great reputational and financial harm if a known exploit leads to a major attack, as in 2017 when the Russian government exploited a vulnerability to launch the NotPetya ransomware that forced global companies like Fed-Ex and Merck to shutter their operations and lose millions of dollars. Further, as the NotPetya case illustrates, the exploits that the government creates for these vulnerabilities can be stolen and used for malign actions.

The Vulnerabilities Equities Process was established in 2010 to bring federal stakeholders to the table for understanding the range of national interests. A VEP Charter was established in 2017 to give the public more confidence in government approaches for this consequential activity.

The current charter falls short in some key areas, most of which are fixable by the administration and expressions of congressional intent. We identify several areas needing improvement with better transparency, transferring process coordination leadership and increasing representation of privacy and civil liberties on the VEP as especially important.

1. Transparency. The government has not disclosed unclassified, public information on VEP decisions despite a requirement in its existing framework. Transparency on the number of cases, frequency of meetings, and broad evaluation criteria can be disclosed to the public without harming sensitive information that must remain classified and highly controlled. Appropriate transparency is vital for sustaining public trust.
2. Coordination. The National Security Agency (NSA) coordinates the VEP, leading to speculation that the VEP favors retention decisions over disclosures. The VEP began before the Cybersecurity and Infrastructure Security Agency (CISA) or the National Cyber Director (NCD) were statutorily created, both of which have and will engage a variety of private, local, and international stakeholders that the NSA has traditionally not partnered with. Both are designed to have a fulsome perspective of national equities and would be more appropriate owners of the VEP coordination process.
3. Privacy/Civil Liberties. Privacy and civil liberties have insufficient representation in the VEP’s Equities Review Board — the body that consists of several federal entities that debate their equities in disclosing or retaining a vulnerability. The administration should add entities that begin with the perspective of advocating for civilian privacy, data protection, and other privacy/civil liberties equities.

The VEP can be strengthened in several other ways by (1) barring vulnerability brokers from imposing non-disclosure agreements that at present could prevent government sharing vital information about vulnerabilities with key vendors; (2) establishing timelines for ensuring action is taken on vulnerabilities as expeditiously as possible; (3) having Congress build on existing legislative proposals to codify the process in law; and (4) encouraging like-minded international partners to establish similar processes as the VEP.

At its core, the VEP decides whether the government prefers cyber defense or offense, which has massive societal implications. Yet, the public and vendors also need voice and confidence that decisions about vulnerabilities are made in the best interest of the nation as a whole. The VEP is a strong starting point, but it needs to be improved if we are to counter the prolonged cyberattacks on Americans and the homeland.

Todd Rosenblum is a former senior US Government defense and homeland security official and Senior National Security Fellow at Third Way, a center-left think tank.