Donald Trump administration releases rules dictating how cyber security flaws will be disclosed

Under former President Barack Obama, the US government created an inter-agency review, known as the Vulnerabilities Equities Process, to determine what to do with flaws unearthed primarily by intelligence agencies such as the National Security Agency (NSA). The process is designed to balance law enforcement and US intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.

The new Trump administration charter on the process explains how it functions and names the agencies involved in the vulnerability reviews. They include intelligence agencies in addition to several civilian departments, including the Departments of Commerce, Treasury, Energy and State. The NSA is listed as the “executive secretariat” of the inter-agency group, tasked with coordinating debate over flaws submitted by the various agencies if there is disagreement about whether to disclose them. If disagreements are not reconciled the group will vote on whether to disclose or retain the flaw.

The rules also require an annual report, portions of which will be made public, that provides metrics about the amount of flaws discovered, retained and disclosed. Decisions to retain vulnerabilities must be reconsidered every year, according to the charter. The publication of the charter is “a major improvement,” said Ari Scwhartz, coordinator of the Coalition for Cybersecurity Policy and Law and a former Obama administration cyber official. The Obama administration sought to release a similar document before the end of last year but ran out of time, Schwartz said.

Some security experts have long criticized the process as overly secretive and too often erring against disclosure.
Joyce said on Wednesday more than 90 percent of flaws are ultimately disclosed, though some critics say they are not shared quickly enough and that the most severe flaws are too often stockpiled. The criticism grew earlier this year when a global ransomware attack known as WannaCry infected computers in at least 150 countries, knocking hospitals offline and disrupting services at factories.

The attack was made possible because of a flaw in Microsoft’s Windows software that the NSA had used to build a hacking tool for its own use. But in a breach US investigators are still working to understand, that tool and others ended up in the hands of a mysterious group called the Shadow Brokers, which then published them online.

Suspected North Korean hackers spotted the Windows flaw and repurposed it to unleash the WannaCry attack, according to cyber experts. North Korea has routinely denied involvement in cyber attacks against other countries. Asked about the WannaCry attack, Joyce declined to say whether the Windows flaw detected by the NSA went through the vulnerability review process.