White House discloses secretive decision process for growing hacking toolkit

White House discloses secretive decision process for growing hacking toolkit

The White House on Wednesday lifted the veil on the secretive executive branch process used to determine which computer security flaws it can use in surveillance and which it will report to tech firms to allow them to patch.

The Trump administration published a first-ever charter for that system, known as the vulnerability equity process (VEP), on Wednesday morning.

Congress, the private sector and public advocacy groups have recently pushed for a more transparent version of the VEP — with more consideration of the potential danger of keeping vulnerabilities secret. By keeping these security bugs quiet, they note, criminal or foreign espionage hackers can potentially discover and use them.


‌At a speaking engagement that served as the de facto launch event for the charter, White House cybersecurity czar Rob Joyce said the secrecy surrounding the VEP left that debate at least partially uninformed.

"There was a proposal to add [the Department of] Commerce to the process. Commerce was already there," he said during an onstage interview at The Aspen Institute.

The Obama administration created the VEP, but only publicly discussed its broad outlines. While the public knew the VEP required intel and law enforcement agencies to argue in front of an executive branch panel, the public did not know who was in the room for the deliberations.

The charter for the first time outlines the agencies represented in the conversation. They include the Homeland Security Department (DHS), Secret Service, Office of the Director of National Intelligence, Treasury Department, State Department, Justice Department, FBI, Energy Department, Office of Management and Budget (OMB), Defense Department, National Security Agency (NSA), Commerce Department and CIA.

That list contains far more voices speaking on behalf of disclosing vulnerabilities to manufacturers than previously thought.

DHS's focus is on protecting public systems. Treasury represents the banking system's interest in maintaining systems safe from hackers. Energy represents the same role for the power grid and OMB for government systems. And Secret Service looks to maintain secure communications channels for the president.

The Secret Service can be a "loud voice," said Joyce.

He emphasized that the government takes the importance of protecting the public seriously in its deliberations.

"So much of the fabric of our society relies on the bedrock that is [information technology]," he said, later adding "If there is a flaw in those systems, there's an imperative to make sure that flaw is not exploited." 

"Both sides have to come away from that table a little unhappy," he said.

One new addition to the VEP will be an annual public report on how many vulnerabilities were discovered and were kept secret. Joyce said the rate of notifying tech firms has historically been above 90 percent.

The VEP entered the public debate in recent months after two malware outbreaks within a matter of weeks used allegedly-leaked NSA hacking tools. Those malware outbreaks, known as WannaCry and NotPetya, caused international disruptions to major business and government systems. 

Sens. Brian SchatzBrian Emanuel SchatzLawmakers urge tech to root out extremism after New Zealand Advocate says Trump administration's new proposal would do 'absolutely nothing' to alleviate student debt Hillicon Valley: Huawei official asks US to ease restrictions | Facebook loses top execs | Defense officials hit Google over China | Pro-Trump 'safe space' app pulled over security flaw | Senators offer bill on facial recognition technology MORE (D-Hawaii), Ron JohnsonRonald (Ron) Harold JohnsonSenate GOP eyes probes into 2016 issues 'swept under the rug' Trump UN pick donated to GOP members on Senate Foreign Relations panel Scott Walker considering running for Wisconsin governor or Senate: report MORE (R-Wis.) and Cory GardnerCory Scott GardnerConservation remains a core conservative principle How to stand out in the crowd: Kirsten Gillibrand needs to find her niche Overnight Defense: Trump to reverse North Korea sanctions imposed by Treasury | Move sparks confusion | White House says all ISIS territory in Syria retaken | US-backed forces report heavy fighting | Two US troops killed in Afghanistan MORE (R-Colo.), as well as Reps. Ted Lieu (D-Calif.) and Blake FarentholdRandolph (Blake) Blake FarentholdFemale Dems see double standard in Klobuchar accusations Lawmaker seeks to ban ex-members from lobbying until sexual harassment settlements repaid Former Texas lawmaker Blake Farenthold resigns from lobbying job MORE (R-Texas), quickly introduced a bill codifying and tweaking the process known as the Protecting Our Ability to Counter Hacking Act. That legislation, still under consideration, would appoint DHS as the head of the table for VEP deliberations.

Microsoft responded to those malware attacks by asking governments to notify manufacturers of all vulnerabilities. 

— Updated at 1:29 p.m.