The Trump Administration has released the previously secret rules used by the government to decide on whether to disclose cybersecurity vulnerabilities or keep them secret.
The interagency Vulnerabilities Equities Policy, created by the Obama administration, details the processes involved in classifying and managing discovered vulnerabilities among different government bodies such as the National Security Agency, Central Intelligence Agency and Department of Homeland Security. The document describes the grounds on which some vulnerabilities should not be disclosed and when they should be.
The policy is said to be designed to balance the needs of law enforcement to hack into devices and the need to warn manufacturers of vulnerabilities that have been discovered so they can patch them before criminals and foreign governments take advantage of them.
“While not infallible, these processes ensure rigorous consideration of all factors vital to our national security,” White House Cybersecurity Coordinator Rob Joyce said in a statement. “The Federal Government also has an important responsibility to closely guard and protect vulnerabilities as carefully as our military services protect the traditional weapons retained to fight our nation’s wars.”
The process involves an agency that discovered a vulnerability submitting it to the VEP review board, which includes representatives from key government stakeholders. The board then considers the vulnerability based on four criteria.
The first is how much of a threat the vulnerability is, followed by consideration as to whether the U.S. government itself could use the vulnerability for its own purposes. Perhaps the most interesting revelation, particularly following the ongoing leaks of NSA hacking tools that were used in attacks including WannaCry, is that the third and fourth review stages consider risks the country would face should companies and other countries later discover that the government knew of the specific vulnerability all along — the public relations angle, so to speak.
While the public release of the previously secret policy was mostly welcomed by the security community, some, such as Stephen Cobb at ESET Security, noted that serious questions remain, in particular suggesting that if the government doesn’t release some vulnerabilities, regardless of the reasoning, it may put internet security at risk.