White House Releases New Charter for Disclosing Private Sector Cybersecurity Flaws

On November 15, 2017, the White House released an updated Vulnerabilities Equities Process (VEP) Charter, which details the process the Federal Government will follow before notifying a private company about a cybersecurity flaw in a product or service.[1] The VEP Charter also indicates certain equities the government may consider when refraining from disclosing a flaw so that it can be used for operational or intelligence purposes. 

In order to trigger the process, “a vulnerability must be both newly discovered any not publicly known.” Agencies that discover a vulnerability, will submit it the VEP Secretariat. At a minimum, the initial submission with include: information describing the vulnerability, identification of the vulnerable products or systems, and a recommendation on dissemination of the vulnerability information.  

Recognizing the public and private sector equities, the Charter states “[v]ulnerabilities can have significant economic, privacy and national security implications when exploited…[and u]npatched vulnerabilities leave not only [United States Government] systems, but also the systems of commercial industry and private citizens vulnerable to intrusion.” However, “[v]ulnerabilites are also used in the course of authorized military, intelligence, and law enforcement activities.” And therefore, “…vulnerability disclosure raises a multitude of considerations that require careful deliberation through an interagency process with a diversity of viewpoints.”

The submission of a flaw triggers an interagency consensus process, managed by the National Security Council (NSC), where Departments and agencies may claim equity and concur or non-concur with the initial recommendation to disseminate or restrict the vulnerability disclosure. Agencies claiming an equity must indicate their position on disclosure within 5 business days. Consensus decisions are reviewed by the Equities Review Board (ERB) on another timeline. The ERB will consist of representatives from multiple federal Departments and agencies and may ratify or vote on the recommendation. As this is an internal government review, private sector stakeholders are not members of the ERB.

A fact sheet on the VEP Charter states that the Government’s decision is based on the consideration of four major groups of equities, including:

1. Defense Equity Considerations (including threat, vulnerability, impact, and mitigation considerations);

2. Intelligence, Law Enforcement, and Operational Equity Considerations (including operational value and operational impact considerations);

3. Commercial Equity Considerations; and

4. International Partnership Equity Considerations.

“At its most basic level, the VEP is charged with balancing whether to disclose vulnerability information to the vendor with the expectation that they will patch the vulnerability, or temporarily restrict knowledge of the vulnerability so that it can be used for national security or law enforcement purposes,” said White House Cybersecurity Coordinator Rob Joyce.  

The NSC, acting as the VEP Executive Secretariat, will manage the process and is tasked with producing an annual report with an unclassified executive summary which may be provided to Congress. Under the VEP Charter, decisions to restrict disclosure of a cybersecurity vulnerability will be reassessed on an annual basis or as required by changing circumstances.

[1] The policy applies to “all USG components and personnel (i.e. civilian, military, and contractors) and includes Government off-the-shelf (GOTS), Commercial off-the-shelf (COTS), or other commercial information systems (to include open-source software), Industrial Control Systems (ICS) or products and associated systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).”