White House Update on Cyber Vulnerabilities Policy
While unpatched cyber vulnerabilities in software and hardware can put the security and privacy of Americans at risk, they can also be a valuable tool in intelligence collection and defense. The government has a responsibility to protect both its people and its homeland security, and complications arise from the option of withholding discovered cyber vulnerabilities for later use against enemies.
Today, the White House released two documents that address this critical cybersecurity issue. The first publication, “Vulnerabilities Equities Policy and Process for the United States Government,” is the Vulnerabilities Equities Policy (VEP) Charter. The purpose of this document is to promote the American public’s awareness of cybersecurity issues and government efforts to protect critical cyber infrastructure. The charter further explains:
“The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence.”
The White House also released a corresponding Fact Sheet that outlines the four core considerations that the government takes into account when determining whether a discovered vulnerability has enough operational value and importance to withhold. These four areas of concern are defensive equity considerations; intelligence, law enforcement, and operational equity considerations; commercial equity considerations; and international partnership equity considerations.
White House Cybersecurity Coordinator Rob Joyce wrote a White House blog post, titled “Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do,” that provides his insight on the VEP and on increased government transparency regarding cybersecurity issues and policy:
“Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use. […] The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.”