Page 69 - Cyber Defense eMagazine - December 2017

the VEP council does not include any representation from either commercial or international entities.

Under the VEP, vulnerabilities are reviewed by the Equities Review Board. The Board is composed of representatives from the Departments of Homeland Security, Energy, State, Treasury, Justice, Defense, and Commerce. The CIA and FBI are also on the Board, and the National Security Agency serves as the Board's executive secretariat. Commercial and international entities are noticeably missing from this list.

This is an obvious exclusion for national security purposes. However, it also closes the door on external oversight of decisions deemed in the interest of national security. Commercial and international entities should have a place on the council if vulnerability disclosure decisions are being made on their behalf.

The loopholes are also cause for concern. The VEP charter limits the scope of vulnerabilities addressed by the council to certain classes, thus allowing reporting entities to report as they see fit any vulnerabilities that fall outside the scope of the VEP.


In addition, the VEP does not address vulnerabilities that are discovered and shared by international partners. Granted, this so-called non-disclosure agreement (NDA) loophole is necessary for the U.S. government to continue operations with its allies. Without it, our allies would fear that sharing vulnerability information with us could compromise their own national security operations. However, like the previous loophole, this could allow participating entities to bypass the controls of the VEP and report a vulnerability as they see fit.

While the push for transparency is welcome, we shouldn't hold our breath waiting for change. Legislation like the Protecting Our Ability to Counter Hacking Act of 2017 (PATCH Act) and, now, the VEP charter are intended to appease the public rather than cause change. And, to some extent, they have done just that.

It is worth noting that vulnerabilities such as those used in WannaCry never would've been released through the VEP due to their usefulness in providing access to remote systems for collection purposes. And we all know how that turned out.



About the Author


Willis McDonald is Threat Research Manager and Senior Threat Researcher at Core Security, a leader in Vulnerability, Access Risk Management and Network Detection and Response.




Copyright © 2017, Cyber Defense Magazine, All rights reserved worldwide.