New rules governing how US agencies disclose cyber security flaws, as the FCC readies net neutrality reversal
The Trump administration has published its disclosure rules in order to clarify how various federal agencies disclose serious cyber security flaws.
Various US intelligence agencies, most notably the National Security Agency (NSA), have been fiercely criticised for “stockpiling” cyber vulnerabilities that can be exploited for offensive cyber warfare purposes.
Months later, the US government said that making its “vulnerability equities process transparent is the right thing to do”.
The revised rules should go some way to explain the process for how various federal agencies weigh the costs of keeping a flaw secret, Rob Joyce, the White House cyber security coordinator was quoted as saying by Reuters.
Joyce was reportedly speaking at an Aspen Institute event in Washington, and he said the rules were the “most sophisticated” in the world and that they set the United States apart from most other nations.
Private companies, he reportedly said, “are not getting tips from China, Russia, North Korea, Iran” about flaws in their technology.
“In recognition of these competing considerations, newly-discovered cyber vulnerabilities that are not yet in the public domain are submitted into an interagency process known as the Vulnerabilities Equities Process (VEP),” said the White House.
VEP was created by the US government under former President Barack Obama, and is essentially an inter-agency review to determine what to do with flaws unearthed (mostly by the NSA).
“At its most basic level, the VEP is charged with balancing whether to disclose vulnerability information to the vendor with expectation that they will patch the vulnerability, or temporarily restrict knowledge of the vulnerability so that it can be used for national security or law enforcement purposes,” said the revised rules.
The new rules stress the critical nature of improved transparency; that the interests of all stakeholders must be fairly represented; that there has to be accountability; and that there must be vigorous dialogue.
The rules also require an annual report, portions of which will be made public, that provides metrics on the number of flaws discovered, retained and disclosed.
It comes after the hacker collective ShadowBrokers released stolen code reportedly from the National Security Agency (NSA) in July.
The group last year released a number of NSA hacking tools, and then dumped online a list of vulnerable Sun Solaris and Linux servers that were used by the Equation Group, a cyber criminal gang allegedly linked to the NSA.
The fact that the hackers were able to get their hands on NSA hacking tools infuriated a number of tech giants, angry at the fact that the NSA kept these vulnerabilities secret so they could exploit them.
Indeed, Microsoft President Brad Smith publicly slammed the NSA for the “stockpiling of vulnerabilities” and warned that the attack should be seen as “a wake-up call” for governments.
Meanwhile, another US government agency, this time the Federal Communications Commission, is reportedly set to unveil plans next week for a final vote to reverse the landmark 2015 net neutrality order, which safeguards against a two-speed Internet.
It comes after the FCC in May voted 2-1 to advance Pai’s plan to withdraw the former Obama administration’s order reclassifying internet service providers as if they were utilities.
In July the tech industry urged Pai to drop plans to rescind the rule change. Earlier in the year, the Internet Association, which represents many leading tech firms, bluntly warned the FCC not to repeal net neutrality rules.