Analysis & Opinions - Lawfare

PATCH: Debating Codification of the VEP

May 17, 2017

Preview

"Today a bipartisan group of lawmakers introduced in both the House and Senate a bill that would formalize the Vulnerability Equities Process (VEP) into law. The proposed legislation, the Protecting our Ability To Counter Hacking (PATCH) Act, is sponsored by Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) (all members of the Senate Committee on Commerce, Science, and Transportation) and Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas).

Established in accordance with a 2008 presidential directive and currently overseen by the National Security Council, the VEP is an interagency process used by the government to decide whether to disclose vulnerabilities or hold them for potential exploitation. Vulnerabilities are flaws in software or hardware that could be exploited to give an outside party access to a computer system. Because vulnerabilities can be fixed and patched if disclosed to vendors, but not if they are kept secret, the VEP affects the security of software and of the greater cyber ecosystem. This process also affects law enforcement and intelligence activities, as a vulnerability kept secret remains useful until widely known, but once disclosed can be patched and thereby rendered ineffectual. The VEP is designed to oversee the disclosure of vulnerabilities by the intelligence community, law enforcement, and other government actors, weighing the reasons to keep a vulnerability secret for operational use against the benefits of disclosing it so that it can be fixed.

The first of its kind, this bill formally kicks off the debate over whether and how to codify the VEP, which presently exists only as a function of administration policy. The VEP has roots in Bush-era policies and saw significant refinement during Obama’s tenure. Snowden’s revelations in 2013 and the 2014 Heartbleed security vulnerability scandal resuscitated interest in codifying the process to facilitate accountability and continuity between administrations.

This post, based on the Senate version of the bill, highlights several key ideas in the recently introduced bill and evaluates the broader debate over codification. Regardless of the bill’s fate, its introduction is significant because it marks the first time that Congress will be actively involved in meaningful discussion about government disclosure of vulnerabilities. This is a positive development, particularly given the wide-ranging implications of that debate for law enforcement and intelligence operations. The willingness of legislators to introduce a bill also demonstrates the public prominence of this issue. Especially as law enforcement actors increasingly turn to vulnerabilities to circumvent encryption, effective and standardized oversight is warranted.

The VEP is a small piece of the much larger puzzle of how to secure software. The process is not designed to incentivize private sector behavior or radically change the way companies handle software security. The VEP is important as a narrow oversight function over the government’s disclosure of vulnerabilities, which, if kept secret, could lead to public harm. Much of what is proposed in this bill is not new. But codifying these criteria into law is meant to address concerns that the VEP is at the mercy of administration politics and lacks sufficient transparency and oversight for outside actors to trust that the process is being run as intended..."

For more information on this publication: Please contact Cyber Project
For Academic Citation: Herr, Trey and Mailyn Fidler.“PATCH: Debating Codification of the VEP.” Lawfare, May 17, 2017.