White House Opens Up About How It Assesses Cyberthreats
By Andrew Blake
Published: November 20, 2017
The White House has opened up about the so-called Vulnerabilities Equities Process (VEP) established during the Obama administration, providing its first public explanation of how the government goes about determining whether to disclose cybersecurity flaws or keep them secret.

The Trump administration released the unclassified charter for the equities process Wednesday in the face of growing concerns surrounding the government's hoarding of exploits and the related security risks, particularly in light of losing control of classified hacking tools subsequently used to wage wide-scale cyberattacks recently affecting victims in the U.S. and abroad.

Published on the White House website, the charter shows for the first time the government agencies that participate in the equities process and the criteria used when deciding whether to disclose otherwise unknown security vulnerabilities -- flaws colloquially called "zero days," because there have been zero days to patch them.

Federal authorities have exploited zero-day flaws in digital products during the course of pursuing law enforcement and national security matters, perhaps most notably evidenced by Stuxnet, a malicious computer worm reportedly created by U.S. and Israeli intelligence that sabotaged Iran's contentious nuclear program by harnessing several unpatched security flaws.

By keeping these vulnerabilities private, however, critics argue that the government keeps vendors from securing their products and consequently makes their customers prone to hacking.

Indeed, Microsoft vulnerabilities previously hoarded by the National Security Agency (NSA) were leaked online and ultimately weaponized into WannaCry, a ransomware strain that crippled computer systems in more than 150 countries earlier this year and briefly sidelined the United Kingdom's National Health Service (NHS), among other victims.

Any decision to withhold security bugs must be revisited one year later, and the government must issue an annual report providing information on the equities process, according to the charter published Wednesday.

The agencies that participate in the equities process include the Departments of Commerce, Defense, Energy and Homeland Security, as well as the Secret Service, Office of the Director of National Intelligence, NSA, CIA, Treasury, State Department and White House, the charter revealed.

The government considers criteria including the severity of the vulnerability and the scope of potential victims while determining whether to disclose security bugs, according to the charter.

"The United States is a world leader when it comes to sophisticated processes and conversation on this topic, and no other nation has created and run a process as advanced, meticulous and transparent as ours," White House cybersecurity coordinator Rob Joyce said in a blog post published in tandem with the publication. "While not infallible, these processes ensure rigorous consideration of all factors vital to our national security."

More than 90 percent of security flaws detected by the government are ultimately disclosed to vendors, Mr. Joyce said at an event Wednesday, but critics including former NSA analyst Edward Snowden said the statistic wasn't terribly meaningful.

"The percentage of [vulnerabilities] the government discloses to vendors is largely PR," tweeted Mr. Snowden, who leaked evidence of the NSA's previously secret offensive operations in 2013. "The public harm of maintaining 10 high severity flaws far outweighs the benefit of disclosing 90 low severity ones. We need to know the severity of disclosed vulnerabilities, not just the number."

"The most conservative solution is a strict limit on length of retention: if it's older than 90 days (some argue 180), it's time to roll over to a new vuln and patch the previous," Mr. Snowden suggested. "When replacements can no longer be produced, that's not a loss; it means defense has finally matured."

© 2017 Washington Times under contract with NewsEdge/Acquire Media. All rights reserved.