Eight months ago, the White House released a charter for the Vulnerabilities Equities Process (VEP), the interagency mechanism by which the federal government decides whether to inform a company about a flaw in its technology product or retain the vulnerability for future hacking purposes, which we know includes law enforcement and intelligence agencies exploiting flaws to surreptitiously spy on people. While the process operated secretly for several years, it was revived and publicly discussed for the first time towards the end of the Obama administration. Concerns about whether the VEP was striking the right balance led to legislation, and ultimately to the publication of the charter that offered unprecedented transparency into important government decisions.
The charter reflects a thoughtful list of considerations, and in theory should drive good policy decisions. But Congress and the public still have questions about how these determinations have been made in practice. The VEP charter itself requires an annual internal audit that “may” be shared with Congress, and it is not clear whether the first report this fall will make it to Capitol Hill. Cue the annual intelligence authorization bills: Congress is proposing legislation that would mandate certain disclosures regarding the VEP. Both the House and Senate versions of the Intelligence Authorization Act for FY 2018 and 2019 impose basic reporting requirements that should become law as the first step towards a more holistic understanding of how government vulnerability disclosure and hacking operate.
While the authorization bills have discrepancies that will need to be resolved, they both include the same VEP reporting language. Section 1510 of H.R. 6237 and section 721 of S. 3153 start by taking a step back and mandating disclosure about how each agency chooses which vulnerabilities make it to the VEP in the first place. While the charter lays out in some detail what happens to vulnerabilities after they are submitted to the interagency process, it is silent on how each agency determines whether a vulnerability meets the threshold for VEP review. The legislation therefore fills an important gap. This information is crucial—the VEP can only function properly if agencies are operating with reasonable interpretations of their responsibilities.
Remember, agencies only submit to the VEP process vulnerabilities that are newly discovered and not publicly known. And even more importantly, the charter recognizes three exceptions to the duty to submit vulnerabilities to the VEP: 1) vulnerabilities “subject to restrictions by partner agreements and sensitive operations,” 2) vulnerabilities “identified through security researcher activity and incident response that are intended to be disclosed in a rapid fashion,” and 3) exploits of poorly configured devices, or devices that are insecure by design. If there is going to be mischief in the VEP process, it will be in the overuse of these exceptions to divert hacking tools away from VEP review. If the reports do not include a meaningful description of how these exceptions are exercised, Congress should send them back with instructions to try again. Because these agency reports are to be unclassified with a classified annex, the public may get meaningful information too.
In addition to this substantive reporting, the Director of National Intelligence would be required to share quantitative data with the intelligence committees on an annual basis. The statistics would contain the number of vulnerabilities submitted to the VEP, the number of disclosures to vendors or the public, and the number of vulnerabilities determined to be excepted from the VEP, broken down by the categories listed above. Regrettably, the number of exceptions may be submitted in classified format, so that data point may not be available outside of the intelligence committees. It will be incumbent upon the committees to act on any confidential information they receive that indicates a failure of the VEP process.
It’s important to note that the Trump administration objected to the VEP reporting mandates in its statement of administration policy on H.R. 6237. It found the requirements “duplicative,” yet also said they would impose new responsibilities on the Director of National Intelligence as the statistical clearinghouse. It is not clear whether this objection is enough to ultimately strip the section from the bill. It should not be; this reporting would provide important new information about the government’s vulnerability management process. Besides, this language is already much narrower than what the intelligence committees pursued last year. While some of the 2017 authorization hitched a ride on an omnibus spending bill, the VEP reporting requirements did not. For example, last year’s Senate Intelligence Authorization Act would have required additional reporting on whether and when vendors patched their systems after a vulnerability notification. The House bill went even further: it would have required the Intelligence Community Inspector General to audit the previous three years of VEP decisions, including whether any government-retained vulnerabilities were exploited.
The modest reporting in the 2018-19 Intelligence Authorization Act should become law. And since this bill only applies to the intelligence community agencies, the civilian agencies that participate in the Vulnerabilities Equities Process, like the Commerce Department, should voluntarily report the same information that the intelligence agencies would be required to report. The decisions made in the VEP—and the decisions it doesn’t get to make because individual agencies decide to avoid the VEP—can have profound impacts on the security of the internet and all of its users. It’s time that Congress and the public better understand how the process is working.