Cybersecurity professionals in government face a common conundrum: They would like to publicize the system vulnerabilities they discover and punish the criminals; however, they do not want to increase the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace. In response, the White House on Wednesday disclosed that newly discovered cyber vulnerabilities that are not yet in the public domain are to be submitted into an interagency process known as the Vulnerabilities Equities Process (VEP).
Unauthorized disclosures undermine public confidence and damage the ability to carry out intelligence missions. The new VEP Charter will open a dialogue and shed light on some exploits while continuing to safeguard the most vital pieces of sensitive information.
The role of the VEP is to determine whether to disclose vulnerability information to the vendor, with the expectation that the vendor will patch the vulnerability, or to temporarily restrict knowledge of the vulnerability so that it can be used for national security or law enforcement purposes. While no nation discloses every vulnerability it discovers, Rob Joyce, White House Cybersecurity Coordinator, wrote in his blog on WhiteHouse.gov that the Federal Government is acting in a way that considers improved transparency to be critical. The post also noted that the government has a responsibility “to closely guard and protect vulnerabilities as carefully as our military services protect the traditional weapons retained to fight our nation’s wars.”