White House discloses secretive decision process for growing hacking toolkit

White House discloses secretive decision process for growing hacking toolkit

The White House on Wednesday lifted the veil on the secretive executive branch process used to determine which computer security flaws it can use in surveillance and which it will report to tech firms to allow them to patch.

The Trump administration published a first-ever charter for that system, known as the vulnerability equity process (VEP), on Wednesday morning.

Congress, the private sector and public advocacy groups have recently pushed for a more transparent version of the VEP — with more consideration of the potential danger of keeping vulnerabilities secret. By keeping these security bugs quiet, they note, criminal or foreign espionage hackers can potentially discover and use them.


‌At a speaking engagement that served as the de facto launch event for the charter, White House cybersecurity czar Rob Joyce said the secrecy surrounding the VEP left that debate at least partially uninformed.

"There was a proposal to add [the Department of] Commerce to the process. Commerce was already there," he said during an onstage interview at The Aspen Institute.

The Obama administration created the VEP, but only publicly discussed its broad outlines. While the public knew the VEP required intel and law enforcement agencies to argue in front of an executive branch panel, the public did not know who was in the room for the deliberations.

The charter for the first time outlines the agencies represented in the conversation. They include the Homeland Security Department (DHS), Secret Service, Office of the Director of National Intelligence, Treasury Department, State Department, Justice Department, FBI, Energy Department, Office of Management and Budget (OMB), Defense Department, National Security Agency (NSA), Commerce Department and CIA.

That list contains far more voices speaking on behalf of disclosing vulnerabilities to manufacturers than previously thought.

DHS's focus is on protecting public systems. Treasury represents the banking system's interest in maintaining systems safe from hackers. Energy represents the same role for the power grid and OMB for government systems. And Secret Service looks to maintain secure communications channels for the president.

The Secret Service can be a "loud voice," said Joyce.

He emphasized that the government takes the importance of protecting the public seriously in its deliberations.

"So much of the fabric of our society relies on the bedrock that is [information technology]," he said, later adding "If there is a flaw in those systems, there's an imperative to make sure that flaw is not exploited." 

"Both sides have to come away from that table a little unhappy," he said.

One new addition to the VEP will be an annual public report on how many vulnerabilities were discovered and were kept secret. Joyce said the rate of notifying tech firms has historically been above 90 percent.

The VEP entered the public debate in recent months after two malware outbreaks within a matter of weeks used allegedly-leaked NSA hacking tools. Those malware outbreaks, known as WannaCry and NotPetya, caused international disruptions to major business and government systems. 

Sens. Brian SchatzBrian Emanuel SchatzOvernight Energy: Warren bill would force companies to disclose climate impacts | Green group backs Gillum in Florida gov race | Feds to open refuge near former nuke site Warren wants companies to disclose more about climate change impacts Congress just failed our nation’s veterans when it comes to medical marijuana MORE (D-Hawaii), Ron JohnsonRonald (Ron) Harold JohnsonKavanaugh, accuser to testify publicly on Monday Kavanaugh furor intensifies as calls for new testimony grow House panel advances DHS cyber vulnerabilities bills MORE (R-Wis.) and Cory GardnerCory Scott GardnerSome employees' personal data revealed in State Department email breach: report Colorado governor sets up federal PAC before potential 2020 campaign Hillicon Valley: Trump signs off on sanctions for election meddlers | Russian hacker pleads guilty over botnet | Reddit bans QAnon forum | FCC delays review of T-Mobile, Sprint merger | EU approves controversial copyright law MORE (R-Colo.), as well as Reps. Ted Lieu (D-Calif.) and Blake FarentholdRandolph (Blake) Blake FarentholdAP Analysis: 25 state lawmakers running in 2018 have been accused of sexual misconduct Ex-lawmakers see tough job market with trade groups Republican wins right to replace Farenthold in Congress MORE (R-Texas), quickly introduced a bill codifying and tweaking the process known as the Protecting Our Ability to Counter Hacking Act. That legislation, still under consideration, would appoint DHS as the head of the table for VEP deliberations.

Microsoft responded to those malware attacks by asking governments to notify manufacturers of all vulnerabilities. 

— Updated at 1:29 p.m.