The Vulnerabilities Equities Process (VEP) has been subject to policy debates over the last few years, but this fall Congress may act on the topic for the first time. Discussed in detail in this report by former National Security Council staffers, the VEP is a White House-convened process for deciding whether the government will keep vulnerabilities for its own use, or notify companies of their existence so they can be patched. Despite making incredibly important decisions, the VEP has generally been ignored by Congress, but two new legislative proposals would provide oversight, and in one case, light reforms.
Congress is inquiring about the VEP now in response to high-profile leaks of government-held hacking tools and questions about whether the government should have disclosed the vulnerabilities so they could be patched. Despite some claims by those who wish to keep the VEP in its current form, the debate is not about whether all vulnerabilities should be disclosed regardless of circumstance. Instead, the question is whether the right people are in the room considering the right factors, and making decisions that both secure the internet ecosystem and allow targeted law enforcement or intelligence investigations.
Introduced by a bipartisan group of Representatives and Senators, the PATCH Act takes a very soft touch to VEP oversight and regulation. While leaving most implementation questions up to the executive branch, the PATCH Act would:
- Establish the process in law. Right now, the VEP is not governed by statute or executive order, and could be changed in significant ways without Congress or the public knowing.
- Move the nominal head from the NSA to DHS. Right now the NSA operates as secretariat by convening meetings, retaining records, and holding the vulnerabilities.
- Require written policies. To the extent they can be declassified, they shall be and released to the public.
- Create considerations for participants. There is no publicly available list of factors the VEP considers as a group. The PATCH Act would not require an outcome on any specific case, but instead make sure all equities are on the table as decisions are made.
- Provide for congressional and public oversight. The VEP Board, the relevant agencies’ Inspectors General, and the Privacy and Civil Liberties Oversight Board shall write reports for Congress, with declassifications where possible.
For the most part, the modest approach taken by the PATCH Act should not be controversial. Some will object to even basic oversight of the VEP because they fear it will lead to the government being stripped of hacking tools in favor of “defensive” measures that are designed to secure systems as a whole. While there is a continual debate about the current balance of offense and defense, it largely does not rely on any hard evidence about real programs and governmental decisions, which is why the transparency provided by the bill is so important.
An interesting new comment on VEP implementation and this offense/defense balance came from Melissa Hathaway during a presentation to the American Bar Association this summer. Speaking as a cybersecurity official who served in both the Obama and Bush administrations, she said the VEP does not have a “rigorous process associated with it” and is still “weighted in favor of intelligence purposes.” The VEP “very rarely” declassifies and shares zero-days for defensive purposes, and should be more aggressively disclosing vulnerabilities to the companies that are at the core of the US economy. Indeed, we have few other primary documents or commentary from people actually involved with the process. The first is a somewhat redacted memo obtained by the Electronic Frontier Foundation that generally outlines the process. The second is the above-mentioned paper with recommendations about codifying and amending the process. The third is a blog post by President Obama’s Cybersecurity Coordinator discussing his personal considerations when he reviews vulnerabilities. All considered, VEP transparency and oversight must be addressed in the near future.
The PATCH Act isn’t the only legislative proposal out there, though. A provision in the 2018 Intelligence Authorization Act has flown under the radar, and would require the Intelligence Community Inspector General to conduct a thorough review of the last three years of VEP decisions and file the resulting report with Congress. The report would be instructive, and provide not only the numbers of vulnerabilities kept and shared, but important context surrounding VEP decisions. Hopefully, as the bill moves forward, this section will be amended to require a declassified summary of the findings.
Ideally, Congress will return from recess and take up the PATCH Act, or at the very least ensure that the reporting requirement stays in the Intelligence Authorization bill. Incredibly important decisions are made through the VEP, and Congressional overseers and the public have a right to know more about how the process is working.