The Trump administration publicly released on Wednesday its rules for deciding whether to disclose cyber security flaws or keep them secret, in an effort to bring more transparency to a process that has long been cloaked in mystery. The move is an attempt by the US government to address criticism that it too often jeopardizes internet security by stockpiling the cyber vulnerabilities it detects in order to preserve its ability to launch its own attacks on computer systems.
The revised rules, published on whitehouse.gov, are intended to shed light on the process for how various federal agencies weigh the costs of keeping a flaw secret, said Rob Joyce, the White House cyber security coordinator. Speaking at an Aspen Institute event in Washington, Joyce said the rules were the “most sophisticated” in the world and that they set the United States apart from most other nations. Private companies, he said, “are not getting tips from China, Russia, North Korea, Iran” about flaws in their technology.
Under former President Barack Obama, the US government created an inter-agency review, known as the Vulnerabilities Equities Process, to determine what to do with flaws unearthed primarily by intelligence agencies such as the National Security Agency (NSA). The process is designed to balance law enforcement and US intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.
The new Trump administration charter on the process explains how it functions and names the agencies involved in the vulnerability reviews. They include intelligence agencies in addition to several civilian departments, including the Departments of Commerce, Treasury, Energy and State. The NSA is listed as the “executive secretariat” of the inter-agency group, tasked with coordinating debate over flaws submitted by the various agencies if there is disagreement about whether to disclose them. If disagreements are not reconciled the group will vote on whether to disclose or retain the flaw.
The rules also require an annual report, portions of which will be made public, that provides metrics about the amount of flaws discovered, retained and disclosed. Decisions to retain vulnerabilities must be reconsidered every year, according to the charter. The publication of the charter is “a major improvement,” said Ari Scwhartz, coordinator of the Coalition for Cybersecurity Policy and Law and a former Obama administration cyber official. The Obama administration sought to release a similar document before the end of last year but ran out of time, Schwartz said.
Some security experts have long criticized the process as overly secretive and too often erring against disclosure.
Joyce said on Wednesday more than 90 percent of flaws are ultimately disclosed, though some critics say they are not shared quickly enough and that the most severe flaws are too often stockpiled. The criticism grew earlier this year when a global ransomware attack known as WannaCry infected computers in at least 150 countries, knocking hospitals offline and disrupting services at factories.
The attack was made possible because of a flaw in Microsoft’s Windows software that the NSA had used to build a hacking tool for its own use. But in a breach US investigators are still working to understand, that tool and others ended up in the hands of a mysterious group called the Shadow Brokers, which then published them online.
Suspected North Korean hackers spotted the Windows flaw and repurposed it to unleash the WannaCry attack, according to cyber experts. North Korea has routinely denied involvement in cyber attacks against other countries. Asked about the WannaCry attack, Joyce declined to say whether the Windows flaw detected by the NSA went through the vulnerability review process.