White House discloses secretive decision process for growing hacking toolkit

The White House on Wednesday lifted the veil on the secretive executive branch process used to determine which computer security flaws it can use in surveillance and which it will report to tech firms to allow them to patch.

The Trump administration published a first-ever charter for that system, known as the vulnerability equity process (VEP), on Wednesday morning.

Congress, the private sector and public advocacy groups have recently pushed for a more transparent version of the VEP — with more consideration of the potential danger of keeping vulnerabilities secret. By keeping these security bugs quiet, they note, criminal or foreign espionage hackers can potentially discover and use them.

At a speaking engagement that served as the de facto launch event for the charter, White House cybersecurity czar Rob Joyce said the secrecy surrounding the VEP left that debate at least partially uninformed.

"There was a proposal to add [the Department of] Commerce to the process. Commerce was already there," he said during an onstage interview at The Aspen Institute.

The Obama administration created the VEP, but only publicly discussed its broad outlines. While the public knew the VEP required intel and law enforcement agencies to argue in front of an executive branch panel, the public did not know who was in the room for the deliberations.

The charter for the first time outlines the agencies represented in the conversation. They include the Homeland Security Department (DHS), Secret Service, Office of the Director of National Intelligence, Treasury Department, State Department, Justice Department, FBI, Energy Department, Office of Management and Budget (OMB), Defense Department, National Security Agency (NSA), Commerce Department and CIA.

That list contains far more voices speaking on behalf of disclosing vulnerabilities to manufacturers than previously thought.

DHS's focus is on protecting public systems. Treasury represents the banking system's interest in keeping its systems safe from hackers. Energy plays the same role for the power grid, and OMB for government systems. And the Secret Service looks to maintain secure communications channels for the president.

The Secret Service can be a "loud voice," said Joyce.

He emphasized that the government takes the importance of protecting the public seriously in its deliberations.

"So much of the fabric of our society relies on the bedrock that is [information technology]," he said, later adding, "If there is a flaw in those systems, there's an imperative to make sure that flaw is not exploited."

"Both sides have to come away from that table a little unhappy," he said.

One new addition to the VEP will be an annual public report on how many vulnerabilities were discovered and were kept secret. Joyce said the rate of notifying tech firms has historically been above 90 percent.

The VEP entered the public debate in recent months after two malware outbreaks within a matter of weeks used allegedly leaked NSA hacking tools. Those malware outbreaks, known as WannaCry and NotPetya, caused international disruptions to major business and government systems.

Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.), as well as Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas), quickly introduced a bill codifying and tweaking the process, known as the Protecting Our Ability to Counter Hacking Act. That legislation, still under consideration, would appoint DHS as the head of the table for VEP deliberations.

Microsoft responded to those malware attacks by asking governments to notify manufacturers of all vulnerabilities.

— Updated at 1:29 p.m.