Vulnerabilities Equities Process
The United States government has established a Vulnerabilities Equities Process (VEP) to decide whether to withhold or disclose information about security vulnerabilities in computer software. Under the VEP, the government evaluates whether to disclose a vulnerability it has discovered or obtained, so that the software developer has a chance to fix it, or to withhold the information in order to use the vulnerability for purposes including law enforcement, intelligence gathering, and “offensive” exploitation.
Computer Exploits and “Zero Day” Vulnerabilities
The term “zero-day vulnerability” refers to a software security vulnerability that is not yet known to the software’s developer and therefore has not been patched. Such vulnerabilities are so named because, once discovered, they can be used immediately to gain access to protected data, leaving the developer “zero days” to issue a patch or otherwise mitigate the damage of the exploit. There is a growing and lucrative market for the purchase of zero-day vulnerabilities.
The government typically obtains zero-days either by discovering them itself or by purchasing them from private vendors. The Washington Post has reported that the NSA’s 2013 budget included $25 million for the purchase of zero-days in that year alone.
Once the government acquires a vulnerability, the VEP should be triggered to determine what to do with that knowledge. The government’s use of the VEP remains controversial because the policy raises several security and privacy concerns.
Developing the VEP
The VEP, as it exists today, developed over several years. In 2008, a working group was created to develop a Joint Plan for improving the government’s ability to use offensive capabilities against U.S. adversaries and to protect both government and public information systems. That group recommended adoption of what became the VEP.
Between 2008 and 2009, the Office of the Director of National Intelligence led a second working group, established to act on that recommendation. During that period the government produced a document entitled “Commercial and Government Information Technology and Industrial Control Product or System Vulnerabilities Equities Policy and Process,” later referred to simply as the VEP. The document created an Executive Secretariat within the NSA’s Information Assurance Directorate to oversee the process.
In December 2013, the President’s Review Group on Intelligence and Communications Technologies released a report concluding that the government should, in almost all cases, disclose zero-days rather than exploit them, retaining a vulnerability only where there is a clear national security need. The Review Group was prompted by its view that disclosures were not happening to the degree they should and that the oversight procedure was flawed. It recommended that the National Security Council take over zero-day decision-making. The White House adopted this recommendation, and the office of Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator at the National Security Council, was selected to oversee the VEP.
Although the VEP has existed in some form since 2008, the document itself did not become public until 2016. In May 2014 the Electronic Frontier Foundation filed a Freedom of Information Act request, and subsequently a lawsuit, to obtain the VEP. The request was prompted by the disclosure of the Heartbleed bug and by Daniel’s public comments about the process. The government released a redacted version of the VEP in January 2016.
The VEP was produced in accordance with National Security Presidential Directive-54/Homeland Security Presidential Directive-23. Those directives are available to the public as a result of EPIC’s successful five-year legal battle to obtain the release of NSPD-54, the foundational document for U.S. cybersecurity policy.
The process begins when a United States government entity identifies a vulnerability. The entity must first classify the vulnerability or designate it for special handling as appropriate; this designation may be changed later in the process. The vulnerability must then meet the “Threshold for Entering” the VEP: it must be both newly discovered and not publicly known.
If the entity determines that the threshold is met, it notifies the Executive Secretariat immediately. The Executive Secretariat is then responsible for notifying all VEP Points of Contact (POCs) of the vulnerability’s existence. POCs are expected to respond if they believe they have an equity at stake and wish to participate in the decision-making process.
Each organization that identifies an equity then provides subject matter experts (SMEs) to participate in discussions intended to produce a single recommendation to the Equities Review Board (ERB). If no consensus is reached, the participants present more than one option to the ERB. The ERB takes the recommendation(s) and decides how the United States government should respond to the vulnerability.
An appeals process is available to any participant with an equity that disputes the ERB’s decision. However, the released document is redacted to omit which entity hears the appeal. The timeline for each step in the process is also redacted, so it is not clear how long the process takes.
The VEP requires each Department or Agency to keep records sufficient for the Executive Secretariat to compile an annual report on implementation of the VEP.
The Pros and Cons
On April 28, 2014, Cybersecurity Coordinator Daniel discussed the pros and cons of disclosing vulnerabilities and described the VEP as biased toward responsible disclosure. Daniel released the following list of considerations used when applying the VEP:
- How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
Daniel further described the VEP as a “disciplined, rigorous and high-level decision-making process for vulnerability disclosure,” one that is deliberately biased toward responsible disclosure.
Security expert Bruce Schneier has discussed the competing considerations in vulnerability disclosure in connection with the July 2015 breach of Hacking Team, a cyberweapons arms manufacturer. In his article, Schneier considers the reasons why a government might withhold information about vulnerabilities, including intelligence gathering and neutralizing various cyber-security threats. He ultimately concludes, however, that the U.S. government should “close the vulnerabilities that foreign governments are using to attack people and networks,” because doing so would make everyone more secure.
General Privacy Implications
If a vulnerability remains secret and unpatched, citizens’ data and government systems remain exposed to attack. Thus, if the government does not disclose to software companies the vulnerabilities it obtains, both public and private systems are put at risk. Furthermore, the VEP makes clear that the government may use vulnerabilities for law enforcement purposes, not just for intelligence gathering. This is especially concerning in conjunction with the amendments to Rule 41 of the Federal Rules of Criminal Procedure recently issued by the Supreme Court. Those amendments would authorize judges to issue “remote access” warrants to search computers, even when the targets are outside the court’s jurisdiction. EPIC criticized the changes in a statement before the Judicial Conference Advisory Committee on Criminal Rules on November 5, 2014. Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016, which would block the amendments. Unless Congress acts to block the Rule 41 amendments by December 1, 2016, they will take effect and significantly expand the government’s surveillance authority.
Issues with Delays in the Equities Process Itself
Much of the timeline in the VEP document is redacted, so it is not clear how long the process takes. Delays in disclosure are nevertheless problematic: the longer the delay, the greater the potential danger arising from the vulnerability.
For example, the Heartbleed bug, made public in April 2014, was a serious vulnerability in OpenSSL, a widely used cryptographic software library, that reportedly affected the security of two-thirds of the world’s websites. The bug allowed any remote client to read up to 64 KB of a server’s process memory per request, without authentication and without leaving a trace in ordinary logs, potentially exposing private keys, session cookies, and user credentials. Bloomberg reported that the NSA had been exploiting Heartbleed for two years before it was made public. That report was strongly disputed: the Office of the Director of National Intelligence issued a statement denying that the NSA knew of the vulnerability before its public disclosure, and the White House also denied prior knowledge. Heartbleed is the type of vulnerability that would have potentially devastating effects if discovered and used by malicious hackers.
More recently, on April 14, 2016, the FBI disclosed to Apple, for the first time, a vulnerability affecting some iPhones and Macs. Apple later said, however, that the problem had already been discovered and fixed nine months before the FBI’s disclosure. This delay raises questions about the effectiveness of the VEP. Some have also noted that the disclosure came the day after the FBI announced that it would not submit to the VEP the vulnerability it used to unlock the iPhone used in the San Bernardino attacks.
Although the VEP document discusses the “Threshold for Entering VEP,” it is still not entirely clear what triggers the process and what types of exploits lie outside its reach. Recent events surrounding the FBI’s hack of the iPhone used in the San Bernardino attacks raise concerns that the VEP may have significant loopholes that allow the FBI to avoid the process entirely.
In April 2016, FBI Executive Assistant Director for Science and Technology Amy Hess said that the FBI could not submit the method used to open the San Bernardino iPhone to the VEP because it had not purchased the rights to the technical details. The FBI therefore claimed that it did not have enough technical information about the vulnerability to permit any meaningful review under the VEP.
On May 14, 2016, FBI Director James Comey responded to a question about the potential loophole by describing the VEP as an “informal process.” He said that he did not think of it as a loophole and that, in any case, the FBI had not shaped its investigation to avoid the VEP. Nevertheless, the episode suggests that the VEP is subject to manipulation based on agencies’ self-interest: the government or exploit vendors could deliberately structure contracts so that agencies never receive the technical details that would trigger the VEP.
In March 2016, EPIC Senior Counsel Alan Butler urged technologists to work with Apple to ensure that the iPhone vulnerability is fixed, because the exploit would put at risk individuals whose phones are targeted by criminals. In April, however, Director Comey indicated that he did not wish to disclose the vulnerability, remarking that if the government disclosed it to Apple, “they’re going to fix it and then we’re back where we started from.”
Finally, transparency remains a serious concern. Although Daniel has said that the “vast majority” of zero-days are disclosed, the VEP document itself does not indicate how many vulnerabilities the NSA has disclosed or kept secret over the years. The question remains which vulnerabilities enter the process and which do not. Even when it is known that a vulnerability will not be disclosed, it is impossible to tell whether it is being withheld because it went through the VEP and the process determined it should be withheld, or because it never went through the process at all.
In early 2015, as part of a child pornography investigation, the FBI used a vulnerability in Mozilla’s Firefox browser (on which the Tor Browser is based) to hack into as many as 1,300 computers. The investigation led to the arrest of 135 suspects. Among them was Jay Michaud, who was arrested after the FBI seized ‘Playpen,’ a popular child pornography site, and used the vulnerability to identify its visitors. Michaud’s case raises two questions related to vulnerability disclosure: whether a third party such as Mozilla may intervene in favor of disclosure of the vulnerability, and whether evidence obtained by means of the vulnerability is admissible absent disclosure. Some courts have answered both in the negative.
The judge in Michaud’s case rejected Mozilla’s request to intervene. Mozilla had cited United States v. Swartz, 945 F. Supp. 2d (D. Mass. 2013), in support of its argument that intervention was warranted. In Swartz, the court found that third parties had an interest in the vulnerability and allowed them to intervene, reasoning that this would let them review and redact discovery materials concerning vulnerabilities in their computer networks and thus repair them prior to public disclosure. The judge in Michaud, however, rejected Mozilla’s argument, commenting, “It appears that Mozilla’s concerns should be addressed to the United States and should not be part of this criminal proceeding.”
Nevertheless, the court held that if the government chose not to disclose the vulnerability, any evidence obtained by means of it would be inadmissible. This decision leaves the government with little evidence to support its case against Michaud and may force it to choose between disclosing the vulnerability and dismissing the case. Judges in Oklahoma and Massachusetts have taken the same position and suppressed evidence against other “Playpen” defendants.
The government has not said whether the exploit used in the Playpen cases was, or will be, processed through the VEP. If the government chooses not to disclose the vulnerability, it will be impossible to tell whether that determination was the result of the VEP or of its circumvention.
Related Issues: Private Companies Sharing with the Government - The Cybersecurity Information Sharing Act (CISA)
Unlike the VEP, which at least in theory encourages the government to disclose information to private companies and the public, recent legislative efforts have focused on encouraging private corporations to send data to the government. These proposals raise several significant issues:
- CISA has been widely criticized due to a lack of privacy, oversight, and legal accountability measures.
- Information disclosed to the government could contain customers’ personal data, access to which would ordinarily require a warrant.
- Because CISA shields companies that disclose private information to the government from liability for violating privacy laws, it removes important protections that were meant to protect users.
- CISA is not “voluntary” in the traditional sense, since companies would be forced to participate to keep up with their competitors.
For more information on CISA see the Resources below.
Resources
- The Vulnerabilities Equities Process (VEP).
- Vulnerability Equities Process Highlights.
- EFF v. NSA, ODNI - Complaint.
- Report and Recommendations of the President’s Review Group on Intelligence and Communications Technologies, December 12, 2013.
- National Cyber Initiative, January 2009.
- National Security Presidential Directive-54/Homeland Security Presidential Directive-23, January 8, 2008.
- Director Comey Remarks During May 11 ‘Pen and Pad’ Briefing with Reporters, Federal Bureau of Investigation, May 14, 2016.
- Statement on Bloomberg News Story that NSA Knew About the “Heartbleed Bug” Flaw and Regularly Used It to Gather Critical Intelligence, Office of the Director of National Intelligence, IC on the Record, April 11, 2014.
- Heartbleed: Understanding When We Disclose Cyber Vulnerabilities, White House Blog, April 28, 2014.
- Electronic Frontier Foundation VEP Post, September 4, 2015.
- EFF v. NSA, ODNI - Vulnerabilities FOIA Case.
- Hacking Team, Computer Vulnerabilities, and the NSA, Georgetown Journal of International Affairs, September 13, 2015.
- It’s How Hackers Help That Matters, The New York Times, March 30, 2016.
- NSA Vows to Disclose Zero-Day Vulnerabilities, Electronic Privacy Information Center.
- EPIC v. NSA - Cybersecurity Authority, Electronic Privacy Information Center.
- EPIC v. NSA: Google/NSA Relationship, Electronic Privacy Information Center.
- Cybersecurity Privacy Practical Implications, Electronic Privacy Information Center.
- The Vulnerabilities Market and the Future of Security, Schneier on Security, May 30, 2012.
- U.S. Discloses Zero-Day Exploitation Practices, FCW, January 20, 2016.
- US Used Zero-Day Exploits Before It Had Policies for Them, Wired, March 30, 2015.
- Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA, Wired, April 15, 2014.
- NSA Said to Have Used Heartbleed Bug, Exposing Consumers, Bloomberg Technology, April 12, 2014.
- Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say, The New York Times, April 12, 2014.
- NSA’s Information Assurance Directorate at a Crossroads, FCW, January 26, 2016.
- Apple Says FBI Gave It First Vulnerability Tip on April 14, Reuters, April 26, 2016.
- FBI Doesn’t Have to Give Mozilla Details on Bug It Used to Bust a Child Porn Ring, Newsweek, May 18, 2016.
- FBI: Sorry, But We’re Keeping the iPhone Crack Secret, Fortune, April 27, 2016.
- FBI Will Not Share iPhone Vulnerability in San Bernardino Case, FCW, April 27, 2016.
- The NSA Hacks Other Countries by Buying Millions of Dollars’ Worth of Computer Vulnerabilities, The Washington Post, August 31, 2013.
- FBI Paid Professional Hackers One-Time Fee to Crack San Bernardino iPhone, The Washington Post, April 12, 2016.
- The ‘Heartbleed’ Security Flaw that Affects Most of the Internet, CNN, April 9, 2014.
News Articles on CISA:
- The New US Cybersecurity Bill Will Invade Your Privacy, But It Won’t Keep You Safe, Quartz, November 8, 2015.
- Busting the Biggest Myth of CISA - That the Program is Voluntary, Wired, August 19, 2015.