UPDATED 22:33 EST / NOVEMBER 15 2017

White House releases process used to consider revealing security vulnerabilities

The Trump Administration has released the previously secret rules used by the government to decide on whether to disclose cybersecurity vulnerabilities or keep them secret.

The interagency Vulnerabilities Equities Policy, created by the Obama administration, details the processes involved in classifying and managing discovered vulnerabilities among different government bodies such as the National Security Agency, Central Intelligence Agency and Department of Homeland Security. The document describes the grounds as to why some vulnerabilities should not be disclosed and also when they should.

The policy is said to be designed to balance the needs of law enforcement to hack into devices and the need to warn manufacturers of vulnerabilities that have been discovered so they can patch them before criminals and foreign governments take advantage of them.

“While not infallible, these processes ensure rigorous consideration of all factors vital to our national security,” White House Cybersecurity Coordinator Rob Joyce said in a statement. “The Federal Government also has an important responsibility to closely guard and protect vulnerabilities as carefully as our military services protect the traditional weapons retained to fight our nation’s wars.”

The process involves an agency that discovers a vulnerability submitting it to the VEP review board, which includes representatives from key government stakeholders. The board then considers the vulnerability based on four criteria.

The first is how much of a threat the vulnerability is, followed by consideration as to whether the U.S. government itself could use the vulnerability for its own purposes. Perhaps the most interesting revelation, particularly following the ongoing leaks of NSA hacking tools that were used in attacks including WannaCry, is that the third and fourth review stages consider risks the country would face should companies and other countries later discover that the government knew of the specific vulnerability all along — the public relations angle, so to speak.

While the security community mostly welcomed the public release of the previously secret policy, some, such as Stephen Cobb at ESET Security, noted that serious questions remain, in particular suggesting that if the government doesn’t release some vulnerabilities, regardless of the reasoning, it may put internet security at risk.
