alphaspirit - Fotolia

Should the Vulnerabilities Equities Process be codified into law?

The Vulnerabilities Equities Process is a controversial subject. Expert Matthew Pascucci looks at the arguments for and against codifying it into law.

Experts at RSA Conference 2017 suggested that the Vulnerabilities Equities Process should be codified into law. How important is the Vulnerabilities Equities Process for enterprises? What are the pros and cons of formalizing this process?

The Vulnerabilities Equities Process (VEP) is important for enterprises to understand in order to react to vulnerability disclosure coming from the government.

The Vulnerabilities Equities Process was created to guide government agencies through the decision-making process of releasing or withholding vulnerabilities they've discovered. This answer isn't as black and white as it sounds, and it's a complex issue that can be polarizing for those who deal with the issue directly. The call to codify the VEP, or to formalize the process into law, has both pros and cons.

The pros of creating a formalized Vulnerabilities Equities Process are that it would add more transparency to the process, and would prevent agencies from acting on their own, without oversight. Right now, the process is in place, but not all government agencies are following it completely, and there's no true penalty for them if they fail to adhere.

The majority of the vulnerabilities found are either disclosed to the vendor or weaponized for offensive measures. Enforcing law and oversight with the VEP would reduce the capability for government agencies to use these vulnerabilities in inappropriate ways or without permission.

The executive secretariat, or the role that would supervise the process, is a point of contention, but it is needed. When a law is created, it would need to be run within one of these agencies, and letting one agency be the forerunner – say, the Department of Homeland Security over the National Security Agency (NSA) -- could cause tension between departments.

Creating a law with interagency oversight that would report to the Equities Review Board would be in everyone's interest to enable transparency. This, along with the continued review of reports and metrics on the disclosure and use of vulnerabilities, would hold our government accountable.

The cons of the Vulnerabilities Equities Process becoming codified would be that the process could become burdensome, as agencies wouldn't be acting on their own with vulnerability disclosure. This would limit their ability to move fast in the name of national security, and would hold them back from creating technology for offensive measures. I'm a personal fan of privacy and transparency, and agree that VEP should be codified, but this is a valid argument from a different viewpoint.

The major issue of having no codified law for VEP is that a singular agency decides the intent of a vulnerability. Should they disclose it or should they use it? Certain agencies have a better reputation in relation to this than others and, without codifying this into law, they each run in their own silos.

It should also be made known that these agencies are running with autonomy to a point and, recently, both the NSA and CIA had their hacking tools released to the internet after being breached. This is dangerous, and, by adding oversight to the process, a direct action item would include the protection of these vulnerabilities that have been turned into tools. In my opinion, the lack of oversight and protection of this data is neglectful.

There are many different viewpoints on this topic, and most of them are polarizing to the other side. Even with the Vulnerabilities Equities Process, there is still the potential for government agencies to purchase vulnerabilities from other third parties that can bypass this entire process.

In my opinion, adding transparency and oversight to this process would benefit the enterprise, the country and citizens for the long term.

Ask the expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Learn more about the confusion around WikiLeaks' release of government documents

Take a look as the identity of things moves beyond manufacturing

Read about a former White House official's view on cyberweapons, the VEP and more

This was last published in May 2017

Dig Deeper on Security operations and management