In the past year, a spate of catastrophic cyberattacks has resulted from hacking groups like the Shadow Brokers stealing NSA hacking tools and exploiting the agency’s secret stash of documented software vulnerabilities. Following revelations of leaks and breaches at the government agency, new rules for how to handle cybersecurity vulnerabilities have been issued, in a bid for greater transparency.
As new bugs are discovered and not yet in the public domain, they roll into a federal interagency process known as the Vulnerabilities Equities Process (VEP). Now, as Lily Hay Newman reports in Wired, in the process of clarifying its position, “the White House released details for the first time on Wednesday about how the government decides which software vulnerabilities it discloses, and which ones it withholds for its own use in espionage, law enforcement, cyber warfare, and general intelligence-gathering.”
A recent blog post by White House Cybersecurity Coordinator Rob Joyce outlines several key principles in framing a new approach:
- Improved transparency is critical.
- The interests of all stakeholders must be fairly represented.
- Accountability of the process and those who operate it is important to establish confidence in those served by it.
- Our system of government depends on informed and vigorous dialogue to discover and make available the best ideas that our diverse society can generate.
Some have concluded that this new approach is not dramatically different from what has already existed; however, any attempt to be more transparent is lauded. “Analysts largely agree that there is a true national security need to retain and exploit some vulnerabilities. But as WikiLeaks, the Shadow Brokers, and other revelations have shown, tempering the intensity that drives intelligence hacking is also in the national security interest, given the very real threat those vulnerabilities pose. More visibility into the VEP will hopefully lead to more accountability, but ultimately it’s still the officials in the negotiating room who will decide how the charter is used in practice,” writes Newman.
Read the full story at Wired.