Vulnerabilities Equities Process Revisited

Shadowy cyber figure. Photo Credit: Getty Images.

By: Daniel Zhang, Columnist

Publicly released in 2017 under the Trump administration, the Vulnerabilities Equities Process (VEP) is an interagency framework used to determine whether the United States government should withhold or disclose zero-day vulnerabilities – unpatched software or hardware vulnerabilities often exploited by criminals, militaries, or governments in cyber operations.[I] Developed during the Obama administration in 2014, the VEP came under criticism due to concerns that the US government is exploiting vulnerabilities it found or acquired instead of notifying vendors to fix them. Although the latest release in 2017 won praise for its much-improved transparency and judging criteria relative to the previous version,[II] there is still much room for enhancement. The US government must codify an improved and expanded VEP into law with greater transparency and grant the private sector a bigger role in the decision-making process.

Governments often discover, purchase, or use zero-day vulnerabilities for law enforcement and national security purposes without disclosing them to their manufacturers or developers who could fix the vulnerabilities in time to protect consumers’ interests.[III] Such practices could render society defenseless, as potential hackers discover the same vulnerabilities and initiate attacks. Private companies are usually the ones left to face the damage if the US government fails to disclose or delays disclosing zero-day vulnerabilities that are subsequently exploited by the hackers. If the government notified vendors of these issues, the costs of patching the vulnerability, drawn-out legal battles, and reputational damage could be avoided.

The WannaCry ransomware attack in 2017 showed the downside of not disclosing a vulnerability discovered by the government. The National Security Agency (NSA) decided to retain a vulnerability for its own intelligence collection purposes rather than report it to its developer, Microsoft.[IV] It was not until hackers exploited the vulnerability that the NSA notified Microsoft, which subsequently sent out a fix. But most organizations or individuals failed to apply it before the attack took place.[V] Private sector companies lost billions of dollars as a result. This is not to say that government agencies should not use or withhold valuable zero-days in intelligence and criminal operations.[VI] For the purpose of national security, withholding certain vulnerabilities grants US government agencies an upper hand in offensive cyber operations and criminal investigations.

But while the current VEP aims to unify government agencies in working to disclose vulnerabilities if they pose significant risks, the framework presents loopholes and partiality in favor of government interests, hindering transparency and efficiency. Although the document lists questions to consider when deciding if a zero-day should be disclosed, it is almost impossible to answer some of them without a certain degree of speculation. In the section where VEPs are considered for either offensive or defensive uses, guidelines include “How likely is it that threat actors will discover or acquire knowledge of this vulnerability?” or “Can exploitation of this vulnerability by threat actors be detected by [the US government] or other members of the defensive community?”[VII] The fact that answering those two questions requires a substantial amount of assumption might lead the government agencies who are making the decisions to favor offensive use over defensive use. More importantly, there is no rating mechanism to determine whether to disclose or withhold vulnerabilities based on the answers to those questions and the weight that is assigned to each question asked.

There also does not seem to be an adequate amount of involvement from the private sector built into the VEP. Offering greater input to government agencies that focus on civilian consumer security and protection, such as the Federal Trade Commission, would ensure broader interests are considered. Despite the participation of ten agencies on the Equities Review Board, six of the ten positions, including the Office of the Director of National Intelligence and Department of Defense (including NSA),[VIII] are charged with military, intelligence, or law enforcement missions compared to the minority with civilian missions, such as Department of Commerce.[IX] It is reasonable to assume that the interests of the private sector would not be adequately protected, as its advocates could easily be outvoted. Offering private sector representatives seats at the table should, therefore, be considered so both the voices of the private sector and its consumers can be heard.It is also important to note that only vulnerabilities discovered by the government are subject to the VEP. The government has no obligation to follow the VEP for purchased zero-days, meaning the non-disclosure agreement of the purchase supersedes the VEP.[X] It is unknown how many vulnerabilities the US government purchases on a yearly basis, but according to Slate, the budget for the NSA to purchase zero-days in 2013 was $25.1 million.[XI] A Rand report in 2017 puts the average price for exploits on the market at around $50,000 to $100,000, with some going up to $300,000.[XII] Therefore, using the most conservative projection, the NSA purchases and possibly uses more than 150 zero-day vulnerabilities per year without a process for considering whether such operations would cause damages to civilians.

Currently, the VEP is neither issued through an executive order nor part of any bill. It is instead simply a matter of administrative policy.[XIII] In other words, there is no legal obligation for the government to share the zero-days it has discovered, nor must it submit a zero-day to the VEP process in a timely fashion. Given that the security of millions of internet users in the US is at stake, this is unacceptable. Codifying the VEP into law would increase the level of public and private sector trust in the system. The transparency and consistency that comes with a bill or even just an executive order could ensure a robust VEP that considers all interests and risks. Moreover, it will allow government agencies to weigh defensive and offensive cyber capabilities against other national security priorities.

Given the need for clandestine cyber operations to protect US interests, full transparency of the VEP is neither required nor realistic. However, a consistent application of an improved process embedded in US law can guarantee the equities of the government, the private sector, and individual consumers.