Monthly Archives: August 2016

What is the Vulnerability Equities Process?

The Vulnerability Equities Process, or VEP, was designed by the Obama administration in an effort to ensure that the government reacts appropriately if and when it discovers vulnerabilities in the products made by technology manufacturers. While the guidelines were an attempt to find an ideal compromise among contradictory values, many technology, industry and security experts have condemned the VEP as a failure.

Dave Aitel and Matt Tait, for example, said last week that “the US has confused a public relations strategy with a security strategy, to the detriment of the nation.”

The VEP has a handful of major weaknesses, the first and most important of which is perhaps the fact that it is not actually a binding order. Because the VEP technically falls under the umbrella of administration policy rather than being a law or an executive order, the next president can decide whether or not he or she even wants to continue it.

That’s just fine with Aitel and Tait. According to them, the next administration should devise a completely new strategy, preferably one that is actually effective.

So what is the VEP? Briefly, the Obama administration hashed out and later revised the VEP as an internal framework for deciding whether the US government should publicly disclose hardware and software vulnerabilities it discovers in tech products. Such vulnerabilities could be found by government agencies themselves or by third-party contractors. Exactly how the government decides which situations merit disclosing a vulnerability and which merit withholding it remains classified. However, intelligence and defense agencies seem to do the kind of work where questions of discovery and disclosure would be most relevant.

Given the way US intelligence operates, the VEP would provide a fundamentally flawed and confusing framework for deciding whether or not to inform a company of its products’ vulnerabilities. From the standpoint of intelligence equities, the most advantageous situation is clearly one in which the government develops, stockpiles, and uses vulnerabilities for as long as it can get away with it, disclosing them as little as possible.

This agenda clearly conflicts with the one an operational standpoint would produce. It takes at least two years to make full use of and integrate a discovered vulnerability; if an intelligence officer is given the task of managing an offensive security process, the VEP requires that inexpert intergovernmental oversight be maintained over those actions. That means certain bugs are doomed to eventual public exposure, regardless of how strategically the experts involved manage them.

It is rather unlikely that the government published the VEP in an effort to ultimately make the vulnerabilities process transparent. As prominent tech blogger Michael Daniel noted about Heartbleed, “this case has re-ignited debate about whether the federal government should ever withhold knowledge of a computer vulnerability from the public.”

The argument will likely be hashed out yet again as a result of the recent NSA hack and the consequent leak of important and highly confidential hacking tools created by the US government. Now that these powerful methods will be made available to malicious hackers through a black market auction, a case can be made that the government should inform manufacturers rather than documenting and exploiting vulnerabilities.