How the US decides which security flaws to keep secret
The White House releases its process for alerting companies about previously unknown vulnerabilities and explains why some are kept under wraps.
When the US government discovers a new security flaw, it faces an important question: Who should we tell about this?
The White House released its Vulnerabilities Equities Policy (PDF) on Wednesday, detailing the process it follows to make that decision along with ten agencies, including the CIA, NSA and Homeland Security. It explains why some vulnerabilities are kept secret, while warnings are immediately issued for others.
These decisions are specifically regarding zero-day vulnerabilities, previously unknown security flaws that haven't yet been patched. Government agencies often find these vulnerabilities and sometimes turn them into their own hacking weapons. After the WannaCry ransomware spread thanks to a stolen NSA hacking tool, Microsoft's chief counsel criticized the government for keeping vulnerabilities a secret from companies that can patch them.
White House Cybersecurity Coordinator Rob Joyce said in a blog post Wednesday that it's critical to improve transparency of the process but he defended the government's decisions to keep certain vulnerabilities a secret.
"Although I don't believe withholding all vulnerabilities for operations is a responsible position, we see many nations choose it," Joyce said.
The process starts with finding the vulnerability and submitting it to the VEP's review board, which includes members of the following agencies:
- Department of Defense (including the NSA)
- CIA
- Department of Justice (Including the FBI)
- Department of State
- Department of Homeland Security
- Office of Director of National Intelligence
- Department of Treasury
- Department of Energy
- Department of Commerce
- Office of Management and Budget
A flow chart showing how the VEP review process works.
The board then discusses four main points, starting with how much of a threat the newly discovered vulnerability is. It looks at how widespread the affected product is, how easy the vulnerability is to take advantage of, how much damage it could cause and how easily it could be fixed.
The second consideration is how the government could potentially use the vulnerability for its own purposes. The third and fourth talking points consider what risks the US would face with companies and other countries if it's revealed that the government knew about the vulnerability all along.
This review happens within five days. The process is sped up if there're already attacks going on using the vulnerability. After the discussions, the board reaches a consensus on whether or not to disclose the vulnerability to companies affected.
If the review board votes to disclose the vulnerability, it's responsible for informing affected companies within seven business days. If it chooses to keep the vulnerability a secret, it's reviewed annually by the board until the group changes it mind, or the zero-day becomes public knowledge.
"In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest," according to the policy.
The Smartest Stuff: Innovators are thinking up new ways to make you, and the things around you, smarter.
Special Reports: CNET's in-depth features in one place.