The National Security Council’s release of a new charter for the Vulnerabilities Equities Process (VEP) drew praise from U.S. Rep. Jim Langevin (D-RI) on Wednesday for bolstering transparency and for bringing diverse stakeholders into the conversation.
White House Cybersecurity Coordinator Rob Joyce, announcing the charter, said the revamped VEP would make transparency, diverse stakeholder interests, accountability and dialogue its priorities in managing software vulnerabilities discovered by the government.
Under the VEP, newly discovered vulnerabilities that are not publicly known are submitted to an interagency process. The interagency Equities Review Board then weighs whether to disclose the vulnerability to the vendor, with the expectation that a security patch will be produced, or to restrict it so that it can be retained for government use. That decision rests on a risk/benefit analysis that balances the defensive value of a fix against intelligence and law-enforcement equities.
“Closing security vulnerabilities in software is fundamental to building a free, open, interoperable global Internet and improving stability in cyberspace,” Langevin said. “The United States government has a responsibility to disclose such vulnerabilities when it discovers them in order to protect U.S. citizens and the broader Internet ecosystem. However, there are rare cases when national security and law enforcement needs mean disclosure should be delayed. Weighing these equities is an enormous responsibility, as a decision not to disclose leaves certain users at risk.”
Langevin said he was grateful that the new charter continues to support the engagement of diverse stakeholders within the government, including those who focus on defensive cybersecurity and commerce.
“There is a reason that the default treatment of a vulnerability is disclosure, as recent cybersecurity incidents have demonstrated the damage that can be caused by unpatched software,” Langevin said. “By including a broad array of perspectives as part of the Equities Review Board, the National Security Council will be able to take as holistic a view as possible before making a decision. I also look forward to reviewing the annual reports called for in the new charter, and I am pleased that the document makes specific reference to congressional partners.”
Langevin added that Congress also owes the intelligence community “rigorous oversight” to ensure that the exploitation tools it develops for retained vulnerabilities remain secure and in government hands.
“I believe that the VEP is an appropriate process for selecting the very few vulnerabilities where disclosure will be delayed,” Langevin continued. “However, that process falls apart if the exploits cannot be kept in government hands, and Congress must do more to ensure those safeguards are in place.”