Trump Likely to Retain Hacking Vulnerability Program

Bloomberg Law: Privacy & Data Security

By Joyce E. Cutler

Dec. 8 — An obscure U.S. government program that can opt to inform companies about software and hardware vulnerabilities will likely continue under the incoming Trump administration.

Companies may need a more transparent support system to address cybersecurity vulnerabilities in the exploding world of web-connected devices, something that was exploited in a widespread denial of service attack in mid-October that shut down numerous websites, including Netflix Inc. and Twitter Inc. Continuing debates over law enforcement access to encrypted consumer devices are also at issue.

The low-profile vulnerabilities equities process (VEP), which gathers federal government officials under the auspices of the National Security Agency to discuss cybersecurity exploits and whether to inform affected companies, may need to be higher profile to be effective, analysts said. But it is unclear whether companies may benefit from a more open process or other modifications President-elect Donald Trump may bring.

Whether Trump specifically supports the VEP is unknown. Analysts said that although the benefits of the largely opaque VEP process are in dispute, the fact that the VEP was started under President George W. Bush and continued by President Barack Obama makes it likely Trump will continue the cybersecurity program.

The program requires more definition, explanation and disclosure of vulnerabilities the government discovers, Timothy C. Summers, director of innovation, entrepreneurship and engagement at the University of Maryland’s College of Information Studies, told Bloomberg BNA. The VEP isn’t codified in law, rules or executive order. It was established and continues through more informal administration memos. Trump may issue an executive order on the program, Summers said.

Dave Aitel, CEO of security research firm Immunity Inc., told Bloomberg BNA that Trump may change perspectives on cybersecurity well beyond whether to formalize, expand or end the VEP. “Like it or not we’re about to get four years of something different, which I think is great for security because it is time to make a choice one way or the other” on issues such as whether to hack back against cybercriminals.

The Trump transition team didn’t immediately respond to Bloomberg BNA e-mails requesting comment.

Secretive Program

How many vulnerabilities are stockpiled in the program (flaws the government is aware of but has disclosed neither to the manufacturers, so they can be fixed, nor to the public, as a warning) isn’t clear, because those involved in the VEP don’t discuss them. Nor is it known who sits on the panel of government agency representatives where zero day vulnerabilities—those weaknesses the developer has zero days to fix and users zero days to patch—are presented and decisions are made whether to withhold disclosure for security or investigative reasons or to disclose in order to patch and fix.

The VEP’s existence was disclosed in a 2014 blog post by White House Cybersecurity Coordinator Michael Daniel on the Heartbleed open-source software vulnerability that left hundreds of thousands of servers and routers vulnerable to attack.

The door cracked open a little more when the Electronic Frontier Foundation obtained redacted documents in a Freedom of Information Act lawsuit.

Larry Clinton, president of the Internet Security Alliance, whose members include Raytheon Corp., BNY Mellon and Qualcomm Inc., told Bloomberg BNA that greater transparency in the VEP program isn’t “as high-value because obviously when you’re dealing with adversaries, they’re not being transparent.”

Skepticism About Effectiveness

What is known about VEP is that there is skepticism about the process and its benefits.

“The VEP as it exists is little comfort to companies concerned that information about serious vulnerabilities in their software is being retained instead of disclosed for patching,” Andi Wilson, a policy analyst at New America’s Open Technology Institute, said Dec. 6.

Ari Schwartz, cybersecurity services managing director at Venable LLP in Washington, said at a Stanford Law School event that it is “very difficult to gauge VEP’s impact because companies don’t specifically disclose when they are patching a vulnerability provided to them by the government or immediately patch a system after a vulnerability has been shared with them.”

Nor does the government share “even an aggregate count of vulnerabilities that have gone through the process,” Schwartz, a former White House advisor and National Security Council cybersecurity policy senior director, said.

Wilson said that government investigators reveal flaws when they hack software and hardware, such as the FBI’s work to access the encrypted iPhone of one of the San Bernardino, Calif., terrorists and child pornography investigations involving e-mails and other systems. Yet the government refused “to disclose information about those security flaws so that they can be fixed—which is supposed to be the job of the VEP,” Wilson said.

“Asking companies with tens of millions of American customers to trust that such an opaque process is reviewing potentially serious vulnerabilities in their products and disclosing 91 percent of them for patching is a stretch. For a VEP to be effective, it needs to be reliable and transparent,” Wilson said.

Heather West, Mozilla Inc. senior policy manager for the Americas, said at the Stanford Law School event that the VEP “only sees a fraction of the vulnerabilities held by the government. Specifically, as we move into the connected world more agencies are going to come into contact with more exploits.”

Mozilla recommended specific VEP reforms, including having all security vulnerabilities go through the VEP, with all relevant agencies involved working together to evaluate set criteria in a process that should have oversight and transparency. The VEP should be codified to ensure compliance and permanence for the program, which should live within the Department of Homeland Security.

Part of the problem is that technology companies “don’t want to get calls from the NSA. A lot of technology companies aren’t as comfortable working with the intelligence community as they are with DHS,” which runs the U.S. Computer Emergency Readiness Team, West said.

To contact the reporter on this story: Joyce E. Cutler in San Francisco at JCutler@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.