As 2017 draws to a close, we are reminded of the large-scale cyber attacks that affected governments, private businesses, and consumers. The ransomware strains WannaCry and NotPetya are particularly memorable for their destructive payloads and their rapid propagation through a vulnerability in the SMBv1 implementation of Microsoft Windows. In response, the United States government has had to strike a balance between the open flow of information and responsible disclosure, all while maintaining a high level of cybersecurity. The recent release of the Vulnerabilities Equities Policy and Process, which serves as a charter for the previously established Vulnerabilities Equities Process (VEP), is the latest development in the government's handling of non-public, unpatched cyber vulnerabilities. By providing increased visibility into the VEP, the charter offers new insight into how the government decides whether, and how quickly, to disclose.
The charter is an unprecedented step toward transparency and compares favorably with what partner nations and foreign adversaries have made public about their own processes. It explains the steps the government has taken to define the criteria for disclosing non-public, unpatched vulnerabilities, and it supersedes the 2010 Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process. The earlier process was not broken outright, but it offered little insight into the framework used to decide whether a vulnerability would be disclosed.
According to government officials, the default position for any zero-day vulnerability in products developed in the U.S. and friendly nations leaned toward disclosure. There were, however, cases in which vulnerabilities of little apparent practical use were retained because their technical obscurity or complexity, combined with their relative intelligence value, made them worth keeping. The policy was loosely defined, and the final decision to retain or disclose was treated as a matter of executive privilege. While this gave the government an edge in offensive and defensive cyber operations, it drew suspicion from private enterprise, for which patch management is a routine part of business operations.
On the government side, vulnerability discovery involves agencies, contractors, and security researchers. This stands in contrast to malicious actors on the Deep & Dark Web, who actively seek unknown vulnerabilities for short-term personal gain and for future profit through the sale of zero-days. Although there are not enough metrics to quantify how often such vulnerabilities are actually exploited, the potential for future harm and financial loss remains.
Commercial industry is a key consideration in the new charter, which weighs factors such as the potential for harm to the private sector if a zero-day vulnerability the government has retained is exploited. The future working relationship between the government and the affected vendor is also a key consideration. Vulnerabilities in U.S.-manufactured products are the primary concern, but foreign products can also be exploited, and the U.S. cannot always maintain a working relationship with foreign companies. This is of particular concern because the discovery and disclosure of vulnerabilities may create tension with rival foreign adversaries, some of whom are known to exploit unpublished vulnerabilities for operational value.
Commercial equity is considered after defensive and operational considerations. An unpublished or undiscovered vulnerability only weighs on the equities decision if there is a realistic potential for threat actors to exploit it. Other factors, such as the access an attacker needs and the safeguards already in place, play key roles, as do the ubiquity of the affected product and the impact of successful exploitation.
Whatever the criteria for disclosure, private businesses need to be diligent about maintaining their information technology systems. WannaCry and NotPetya caused real financial harm, yet the SMBv1 vulnerability they exploited had been fixed by Microsoft's March 2017 security update (MS17-010), released months before either attack. Regardless of how vulnerabilities come to be disclosed, businesses must protect their internal networks through sound administrative processes and active patch management. The U.S. government process will deliver a new degree of transparency, but vulnerability discovery by threat actors and foreign adversaries remains shrouded in obscurity.
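As a concrete illustration of the patch-management point, the following PowerShell snippet is an added example (not part of the original article) that checks a Windows host for the MS17-010 update that closed the SMBv1 flaw used by WannaCry and NotPetya, and reports whether the SMBv1 server protocol is still enabled. The KB identifiers listed are the ones Microsoft published with MS17-010 and are stated here as an assumption to be verified against the bulletin for your operating system builds; on Windows 10 and Server 2016 a later cumulative update supersedes them, so an empty result there is not by itself proof that the host is unpatched.

```powershell
# Added example: audit one Windows host for MS17-010 and for SMBv1 exposure.
# Run in an elevated PowerShell session on Windows 8 / Server 2012 or later
# (Get-SmbServerConfiguration is not available on Windows 7).

# KB numbers shipped with MS17-010 in March 2017 (assumption: verify against the
# bulletin for your OS versions). Security-only and monthly-rollup packages are
# both listed, since either one contains the fix.
$Ms17010Kbs = @(
    'KB4012598',                # out-of-band: XP / Server 2003 / Vista / 8 / Server 2008
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

# Enumerate installed hotfixes once and filter locally; Get-HotFix -Id can raise
# errors when a requested KB is absent, so a Where-Object filter is more robust.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }

if ($installed) {
    Write-Output "MS17-010 package present on $env:COMPUTERNAME:"
    $installed | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning ("No MS17-010 package found on {0}. On Windows 10 / Server 2016 " +
                   "a later cumulative update supersedes it; check the OS build " +
                   "level before treating this host as unpatched.") -f $env:COMPUTERNAME
}

# SMBv1 is the attack surface EternalBlue-style exploits need; Microsoft's
# guidance alongside the patch was to disable it where no legacy dependency remains.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME."
    Write-Output  "Disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
} else {
    Write-Output "SMBv1 server protocol is disabled on $env:COMPUTERNAME."
}
```

Running this across a fleet (for example via Invoke-Command against a list of hosts) turns the article's general advice into a measurable control: every host either shows a matching KB or a superseding build, and every host shows SMBv1 disabled unless an explicitly documented legacy dependency requires it.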