
Trump Clarifies US Government Rules For Cyber Security Flaw Disclosures

The Trump administration has published its disclosure rules in order to clarify how various federal agencies disclose serious cyber security flaws.

Various US intelligence agencies, most notably the National Security Agency (NSA), have been fiercely criticised for “stockpiling” cyber vulnerabilities that can be exploited for offensive cyber warfare purposes.

Months later, the US government said that making its “vulnerability equities process transparent is the right thing to do”.

Revised Rules

The revised rules should go some way towards explaining how various federal agencies weigh the costs of keeping a flaw secret, Rob Joyce, the White House cyber security coordinator, was quoted as saying by Reuters.

Joyce was reportedly speaking at an Aspen Institute event in Washington, and he said the rules were the “most sophisticated” in the world and that they set the United States apart from most other nations.

Private companies, he reportedly said, “are not getting tips from China, Russia, North Korea, Iran” about flaws in their technology.

“In recognition of these competing considerations, newly-discovered cyber vulnerabilities that are not yet in the public domain are submitted into an interagency process known as the Vulnerabilities Equities Process (VEP),” said the White House.

VEP was created by the US government under former President Barack Obama, and is essentially an inter-agency review to determine what to do with flaws unearthed (mostly by the NSA).

“At its most basic level, the VEP is charged with balancing whether to disclose vulnerability information to the vendor with expectation that they will patch the vulnerability, or temporarily restrict knowledge of the vulnerability so that it can be used for national security or law enforcement purposes,” said the revised rules.

The new rules stress the critical nature of improved transparency, that the interests of all stakeholders must be fairly represented, that there has to be accountability, and the need for vigorous dialogue.

The rules also require an annual report, portions of which will be made public, that provides metrics about the amount of flaws discovered, retained and disclosed.

It comes after the hacker collective ShadowBrokers released stolen code reportedly from the National Security Agency (NSA) in July.

The group last year released a number of NSA hacking tools, and then dumped online a list of vulnerable Sun Solaris and Linux servers that were used by the allegedly NSA-linked Equation Group cyber criminal gang.

The fact that the hackers were able to get their hands on NSA hacking tools infuriated a number of tech giants, angry at the fact that the NSA kept these vulnerabilities secret so they could exploit them.

Indeed, Microsoft President Brad Smith publicly slammed the NSA for the “stockpiling of vulnerabilities” and warned that the attack should be seen as “a wake-up call” for governments.

Net Neutrality

Meanwhile, another US government agency, this time the Federal Communications Commission, is reportedly set to unveil plans next week for a final vote to reverse the landmark 2015 net neutrality order, which safeguards against a two-speed Internet.

Reuters again quoted two people briefed on the plans as saying that Ajit Pai, the controversial Republican FCC chairman, plans to hold a final vote on the proposal at the FCC’s 14 December meeting.

It comes after the FCC in May voted 2-1 to advance Pai’s plan to withdraw the former Obama administration’s order reclassifying internet service providers as if they were utilities.

In July the tech industry urged Pai to drop plans to rescind the rule change. Earlier in the year, the Internet Association, which represents many leading tech firms, bluntly warned the FCC not to repeal net neutrality rules.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
