The Trump administration’s release Wednesday of an updated vulnerability disclosure process may not have won over the staunchest critics of that process, but former cyber officials said it still represents an important step forward. The new charter for the government’s Vulnerability Equities Process lays out how the government chooses whether to alert companies to software flaws or retain them for surveillance purposes.
It’s the first time the government has publicly revealed the VEP charter, giving people an unprecedented look at details like which agencies sit on the decision-making board. “Things that weren’t written down before are now much clearer,” Ari Schwartz, a former White House cyber official who co-wrote a paper on the VEP, told MC in an interview. “It certainly aligns with many of the recommendations that we made,” added Rob Knake, another former White House cyber official and the co-author of the paper. “They’ve put in some timelines in terms of the review process that help streamline it,” said Michael Daniel, former President Barack Obama’s cybersecurity coordinator, who led the last update to the VEP. “But in its fundamental core, it really builds on the policy that we had in place previously.”
There are also now requirements for annual reports to Congress, with accompanying summaries for the public, which former officials said would help the cyber community better understand the process. “I think it really shows that the process is maturing,” Daniel said.
Some lawmakers and technology companies gave the administration credit for improving the public’s understanding of the VEP, but others said they would still push for Congress to enshrine the process in law. “I think it’s a reasonable start. I don’t think it obviates the need for a law,” Sen. Brian Schatz, who introduced a bill to alter and codify the VEP in May, told MC. “It shouldn’t depend on any administration to have a process like this in place.”
During the update process, government officials battled over whether to include a clause that would allow agencies to bypass the normal process if a vulnerability was being used in “sensitive operations,” according to a former government official familiar with the matter. Ultimately, the clause made it into the new charter, as opponents “went with it” to push the update over the finish line, said the former official, who requested anonymity to preserve relationships with current officials. “Every single department and agency is worried about that,” the former official added. “It was a huge sticking point. … Up until [Tuesday], there were secretary-level phone calls being made.”
Top White House cyber adviser Rob Joyce said there were protections in place to prevent abuse of the exception. In the past, “I don’t think everybody felt they understood when the exceptions were being used,” he told reporters after announcing the charter at an event on Wednesday. “The intent is, the exceptions are the rare edge cases, not a mainstream thing.” Daniel told MC, “I can’t ever recall [the provision] being exercised during my tenure.”
HAPPY THURSDAY and welcome to Morning Cybersecurity! The teaming of Republicans and Dungeons & Dragons is now officially a trend.
WE’RE ALL FINE HERE, NOW, THANK YOU. HOW ARE YOU? — American voting machine vendors are confident they are safe from hackers but reluctant to share information about their security practices, according to letters that five of them sent to Sen. Ron Wyden in response to his cybersecurity questions. Three of the companies — behemoths Dominion and Unisyn and the much smaller firm Five Cedars — said they did not have chief information security officers. Dominion and Unisyn also said they did not have processes for handling vulnerability reports from security researchers, with Dominion making the disputed claim that only state officials can access voting machines. Wyden’s office shared the previously unreported voting machine vendors’ letters with MC.