Experts at RSA Conference 2017 suggested that the Vulnerabilities Equities Process should be codified into law.
How important is the Vulnerabilities Equities Process for enterprises? What are the pros and cons of formalizing this process?
The Vulnerabilities Equities Process (VEP) is important for enterprises to understand in order to react to vulnerability disclosure coming from the government.
The Vulnerabilities Equities Process was created to guide government agencies through the decision-making process of releasing or withholding vulnerabilities they've discovered. This answer isn't as black and white as it sounds, and it's a complex issue that can be polarizing for those who deal with the issue directly. The call to codify the VEP, or to formalize the process into law, has both pros and cons.
The pros of creating a formalized Vulnerabilities Equities Process are that it would add more transparency to the process, and would prevent agencies from acting on their own, without oversight. Right now, the process is in place, but not all government agencies are following it completely, and there's no true penalty for them if they fail to adhere.
The majority of the vulnerabilities found are either disclosed to the vendor or weaponized for offensive measures. Enforcing law and oversight with the VEP would reduce the capability for government agencies to use these vulnerabilities in inappropriate ways or without permission.
The executive secretariat, or the role that would supervise the process, is a point of contention, but it is needed. When a law is created, it would need to be run within one of these agencies, and letting one agency be the forerunner, say, the Department of Homeland Security over the National Security Agency (NSA), could cause tension between departments.
Creating a law with interagency oversight that would report to the Equities Review Board would be in everyone's interest to enable transparency. This, along with the continued review of reports and metrics on the disclosure and use of vulnerabilities, would hold our government accountable.
The cons of the Vulnerabilities Equities Process becoming codified would be that the process could become burdensome, as agencies wouldn't be acting on their own with vulnerability disclosure. This would limit their ability to move fast in the name of national security, and would hold them back from creating technology for offensive measures. I'm a personal fan of privacy and transparency, and agree that VEP should be codified, but this is a valid argument from a different viewpoint.
The major issue of having no codified law for VEP is that a single agency decides the intent of a vulnerability. Should they disclose it or should they use it? Certain agencies have a better reputation in relation to this than others and, without codifying this into law, they each run in their own silos.
It should also be made known that these agencies are running with autonomy to a point and, recently, both the NSA and CIA had their hacking tools released to the internet after being breached. This is dangerous, and, by adding oversight to the process, a direct action item would include the protection of these vulnerabilities that have been turned into tools. In my opinion, the lack of oversight and protection of this data is neglectful.
There are many different viewpoints on this topic, and most of them are polarizing to the other side. Even with the Vulnerabilities Equities Process, there is still the potential for government agencies to purchase vulnerabilities from other third parties that can bypass this entire process.
In my opinion, adding transparency and oversight to this process would benefit the enterprise, the country and citizens for the long term.
Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)