SAN FRANCISCO -- A panel of experts at RSA Conference 2017 suggested the process by which federal agencies decide whether to disclose or withhold software vulnerabilities should be codified into law.
The National Security Agency has come under fire this past year about its vague policy to disclose vulnerabilities or retain them for intelligence gathering purposes, and experts said that is because the Vulnerabilities Equities Process is currently voluntary, not mandatory.
The Vulnerabilities Equities Process was designed to help government agencies decide if a vulnerability it has obtained or discovered should be disclosed to the developer for patching, or withheld for exploitation by intelligence agencies, law enforcement or other for other purposes.
Heather West, senior policy manager and Americas principal at Mozilla, said the process has been successful.
"There are very well-established norms around vulnerability disclosure and they are evolving. A lot of people are talking about them -- DHS, private industry, CERT -- and following those best practices really makes sense," West told the crowd at RSAC 2017. "We don't need to reinvent the wheel around disclosure; we just need to make sure things are getting disclosed."
Rob Knake, senior fellow at the Council on Foreign Relations, said codifying the Vulnerabilities Equities Process into law wouldn't lead to a substantial change in how it works, "but it would increase the level of trust in the process."
"There's a lot of doubters out there that this process is in place," Knake said. "I think making it a law, making it a requirement is a lot harder to argue that the federal government and federal employees are going to violate those laws and run those penalties. Right now, there are no penalties for an agency or for an individual who holds back that information. So, I don't think it would have a substantial change, but it would increase the level of trust in the process."
West said trust, congressional oversight and other "fringe benefits" would come from an official law.
"Right now the process is voluntary on the part of the federal agency. Some agencies take the position that all vulnerabilities they know of ought to go through the VEP, and I applaud that. Other agencies, in particular the FBI has been a little more reticent to put things through the VEP because they want to hold on to them," West said. "From my perspective, the VEP process works so well because it is balancing a broad set of equities across the government -- defensive, offensive -- and if you're deciding that on your own, I'm a little more concerned about it."
Susan Hennessey, fellow and governance studies and managing editor at Lawfare, noted that the elephant in the room is that a law would not only increase transparency and accountability, but could address the "concern about how his particular administration is going to wield the powers of the national security apparatus."
"I don't think that's a controversial statement to make; there are concerns. So now, I think there is potentially an additional appetite for some of the things that are working, wanting to place that additional protection of there being an actual law that means there's not discretion within the federal government, there's external accountability," Hennessey said. "And so to [confirm] that the process is working and what really matters is additional public legitimacy, going to Congress is the only way we're going to get that for this very strange political moment we're in."
Vulnerabilities Equities Process oversight
However, the experts could not come to a consensus about where the Executive Secretariat of the process should reside in government. The Executive Secretariat is responsible for overseeing the process, including notifying point of contact when it is determined a vulnerability should be disclosed and compiling year-end reports. The position currently is part of the NSA's Information Assurance Directorate, but Hennessey and Knake thought it should be moved to the Department of Homeland Security.
"There has been a really strong reliance, particularly over the past few years on the DHS, because the DHS has a really good relationship with the public, has a really good relationship with the public sector, has a reputation for prioritizing privacy," Hennessey said. "NSA has ... struggled a little bit on some of those, admittedly."
Knake said, "If you've got DHS, which is growing capability in vulnerability research, which is oriented toward defense, if you're saying this is severely biased toward the defense, it makes more sense to put it at DHS than NSA."
But Neil Jenkins, director of the enterprise performance management office at the Department of Homeland Security -- who declined to officially comment on codifying the Vulnerabilities Equities Process into law -- thought oversight for the process should take a different approach.
"I feel uncomfortable with DHS in that role as well. If we are going to be forward leaning into the vulnerabilities that we release ... it puts us in a bad position if we're the Executive Secretariat over the process. We want to maintain the trust relationship we have with our partners," Jenkins told the audience. "If we want to move away from the NSA in that position, I think we should look at a more interagency approach. But I think putting the Executive Secretariat role in any place that has a default position on this then puts them in a bad position going forward."
Learn more about the Vulnerabilities Equities Process from the former White House policy director.
Find out why government compliant-based vulnerability remediation is failing.
Get info on why Americans are split on government security and encryption.