Trump Administration Makes the Rules by Which Government Decides to Disclose Cyber Flaws Public

Trump Administration Makes the Rules by Which Government Decides to Disclose Cyber Flaws Public

On November 15, 2017, the Trump administration publicly released the Vulnerabilities Equities Policy and Process for the United States Government (VEP).  This was the first time the government has publically disclosed how it makes the determination about disclosure of potential cyber security flaws that can be turned into cyber weapons.^[1] Some consider the decision to publish an unclassified charter responds to years of criticism that the process was unnecessarily opaque, which fueled suspicion that it cloaked a stockpile of software flaws that the National Security Agency (NSA) was hoarding to go after foreign targets, but that put American’s cyber­security at risk.^[2]

The document describes the VEP for departments and agencies of the United States Government (USG) to “balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies.”^[3] The policy states that its primary focus is to prioritize the public’s interest in “cybersecurity, to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy” through disclosing vulnerabilities discovered by the USG, when possible.^[4]  It limits that disclosure to when there is not a “demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes.”^[5]

The Fact Sheet, which was released along with the VEP charter, succinctly lays out four major groups of equities to consider when dealing with disclosure or retention to, “help standardize the process by which decision-makers weigh the benefit to national security and the national interest when deciding whether to disclose or restrict knowledge of a vulnerability.”^[6] Each category also poses relevant questions to consider under each evaluation.^[7] The Fact Sheet makes a point to mention that this list of considerations was not exhaustive, but that those four highlighted the general concerns of the Administration and that they should be considered, along with others.^[8]

White House cyber security coordinator Rob Joyce, who issued a blog post pertaining to the charter, stating that “[t]his is a really big improvement and an outstanding process.”^[9] Joyce also added that, “we hope to demonstrate to the American people that the federal government is carefully weighing the risks and benefits as we carry out this important mission.”^[10] Numerous former critics of the process, from Tech companies to security experts at the Center for Democracy & Technology,  have reacted favorably to the new transparency and believe it will be beneficial moving forward.^[11] With the current landscape of cyber security flaws and threats, protection of important government and personal data is paramount.  The more transparency and cooperation between the public and private sectors is a move in the right direction and will likely be the most effective way to protect the data and privacy security of the American people.