White House Speeds Up Decisions on Disclosing Dangerous Software Bugs

The White House is speeding up and bringing more agencies into the discussions about what to do when NSA or CIA finds a vulnerability in software. Announced Nov. 15, the new approach is being praised by cyber security experts and lawmakers as a better way to share such information both internally and with the private sector.

But White House Cybersecurity Coordinator Rob Joyce acknowledged that the government has a long way to go in predicting which bugs it discovers criminals will be most likely to use, and which ones will cause the most havoc.

Contrary to popular belief, intelligence agencies like the NSA and CIA don’t just hoard vulnerabilities that they find in software systems. Curtis Dukes, the NSA’s former deputy national manager, has estimated that NSA discloses more than 80 percent of vulnerabilities. (Joyce put the number closer to 90 percent at last week’s Defense One Summit.)

The method the government uses to decide what to do about a newly discovered vulnerability — disclose it so that companies can patch the security hole? Conceal it so that CIA or NSA can hack their targets? – is called the Vulnerabilities Equities Process. This has been a somewhat shadowy affair that gathers a few people from the White House, intelligence community, and elsewhere every three months or so to consider what to do about bugs old and new. (Disclosure is pretty certain if a bug is found to be in use by malicious hackers, Dukes says.)

Under the new process, more government agencies will be included, and discussions will begin within five days of a bug’s discovery — or as soon as 24 hours if adversaries or others are using it.

Joyce also promised a yearly report about these vulnerability reviews that includes “statistical information as deemed appropriate” and any changes to the review group, NextGov’s Joe Marks reported Wednesday.

Previously, he said, the process was run out of the White House, and subject to executive privilege.

“It wasn’t always clear to the public who was in the room and participating. We have tightened and improved the charter. It lists the departments and agencies that participate. There are the folks that are entirely defensive like DHS. There’s the folks like NSA and CIA that are doing hardcore exploit,” Joyce told Defense One in an email. “There are people who don’t have cyber operation missions but have equities in the space. This was part of the fog of war before that that people didn’t really understand.”

In a Wednesday blog post, Joyce laid out some of the criteria against which the board judges the potential costs and benefits of disclosing or concealing each bug. “Evaluation by the VEP is not a mathematical formula. It’s not a plug in vulnerability values, turn the crank type of formula,” he said. “The good news for us is we have a body of expert knowledge from working with exploits for a number years. We have a fair sense of what people have been able to re-discover and a fair sense of things that have stood the test of time. Part of the art and science of the discussion in that room is…if we found it, how likely is it that someone else will find it.”

Joyce, who formerly ran NSA’s hack-anything Tailored Access Operations group, is now playing catch-up on defense. He said government doesn’t yet have a good handle on defending its eclectic mix of systems, which range from the frighteningly modern to the ridiculously old.

“Having a plan to modernize, to keep track of vulnerabilities and eliminate those known risks, that’s all really important,” he said. “The Departments and agencies have a lot of shadow IT, things that are connected that we just don’t know about.”