Bill reforming NSA hacking policy has skeptics in White House

The Trump administration has concerns about a proposed reform of the policy process the U.S. government uses when deciding how to handle newly discovered software vulnerabilities known as zero days, White House Cybersecurity Coordinator Rob Joyce told a meeting of tech leaders in Boston this week. The vulnerability equities process, or VEP, is how government officials decide whether to disclose such a flaw to the software manufacturer, so it can be patched and all users made safe, or to keep it secret and use it to spy on U.S. adversaries. Former officials said the process needs overhauling, and lawmakers introduced a bill to codify it: the Protecting our Ability To Counter Hacking, or PATCH, Act. The bill would write the VEP into law, establishing a review board that would publish guidelines explaining the basis for its decisions. Joyce, addressing the launch of CyberMA, a Massachusetts affiliate of the national CyberUSA initiative, on Monday, said Trump administration officials were engaging with […]

The post Bill reforming NSA hacking policy has skeptics in White House appeared first on Cyberscoop.

Why reforming the Vulnerability Equities Process would be a disaster

When the authors of WannaCry turbo-charged their ransomware with NSA exploits leaked by the Shadow Brokers, people thought it was the Vulnerability Equities Process’ worst-case scenario. It’s really not. The VEP is the policy process the U.S. government undertakes when one of its agencies finds a new software vulnerability. It’s how the government decides whether to tell the manufacturer about the bug, so they can patch it and keep all their customers safe; or to keep it secret and stealthily employ it to spy on foreign adversaries who use that software. In the wake of Shadow Brokers dumping several sets of highly advanced NSA hacking tools online — many using previously unknown vulnerabilities — there have been rising demands for reform of the VEP. Lawmakers have got in on the act, pledging to legislate the process with the Protecting Our Ability to Counter Hacking, or PATCH Act of 2017. But […]

The post Why reforming the Vulnerability Equities Process would be a disaster appeared first on Cyberscoop.

Should the government stockpile zero day software vulnerabilities?

Storm clouds are rising over the U.S. government’s policy on software flaw disclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process. Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered flaw to the manufacturer — which can issue a patch to protect customers — or having the government retain it for spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said. “We disclose something like 90 percent of the vulnerabilities we find,” said Richard Ledgett, who retired April 28 as the NSA’s deputy director. “There’s a narrative out there that we’re sitting on hundreds of zero days and that’s just not the case,” he told Georgetown University Law Center’s annual cybersecurity law institute. […]

The post Should the government stockpile zero day software vulnerabilities? appeared first on Cyberscoop.

PATCH Act Calls for VEP Review Board

The PATCH Act proposes the formation of a review board that would formalize and make transparent the processes by which the government determines whether it will use or disclose a zero-day vulnerability.

Lawmakers introduce bill to shine spotlight on government hacking stockpile

A bipartisan bill introduced in Congress Wednesday aims to add transparency to a controversial oversight framework currently used by federal agencies known as the Vulnerabilities Equities Process. The legislation, as it’s currently written, would help better define exactly when and if the U.S. government should notify a company about a flaw the government discovers in one of that company’s products. Named the Protecting Our Ability to Counter Hacking Act, or PATCH Act, the bill seeks to codify the VEP into law, answering some of the tough questions that surround the current framework, including who sits on the multi-agency review board responsible for decisions and when public disclosure is appropriate. In addition, the PATCH Act offers a brief set of decision-making criteria and broadly describes certain considerations that must be weighed by board members, including the Secretary of Commerce and the Director of National Intelligence. Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory […]

The post Lawmakers introduce bill to shine spotlight on government hacking stockpile appeared first on Cyberscoop.

Shadow Brokers return to taunt U.S. government after ransomware spread

A mysterious group known for publishing highly classified computer code developed by the National Security Agency returned to the limelight Tuesday with a cryptic message concerning the future release of other government hacking tools and secretive information, including “network data from Russian, Chinese, Iranian, and North Korean nuclear missile programs.” “TheShadowBrokers is having many more where coming from?” a lengthy message posted Tuesday morning by the peculiar group reads, claiming they own “75% of U.S. cyber arsenal.” The message also cites the Equation Group, which has been observed operating in the wild by cybersecurity firm Kaspersky Lab and is believed to be associated with an elite hacking unit within the NSA. “This is theshadowbrokers way of telling theequationgroup ‘all your bases are belong to us.’ TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.” Since the Shadow Brokers posted their first message to […]

The post Shadow Brokers return to taunt U.S. government after ransomware spread appeared first on Cyberscoop.

Senators draft bill to turn government’s vulnerabilities equities process into law

There’s a bill in the works that would codify the U.S. government’s vulnerabilities equities process into law, CyberScoop has learned. The legislation intends to add clarity, transparency and a level of consistency to the VEP, a secretive framework which guides when and if a federal agency will notify a technology firm of a previously unknown, exploitable software flaw discovered by the U.S. government. The bill is being sponsored by Sen. Brian Schatz, D-Hawaii, and Sen. Ron Johnson, R-Wis. Spokespeople for both senators confirmed the existence of the bill, but would not provide additional details. The VEP has come under fire in recent years due, at least in part, to the exposure of classified material concerning government hacking operations. Exacerbating this situation is the fact that the private sector remains largely in the dark with regard to the VEP’s disclosure criteria and the identity of the individuals who sit on its multi-agency review […]

The post Senators draft bill to turn government’s vulnerabilities equities process into law appeared first on Cyberscoop.

Government hoarding of software vulnerabilities needs more transparency, tech firms say

Several major technology companies are calling for increased transparency from the U.S. government after WikiLeaks published CIA documents showing that the spy agency knew of vulnerabilities in software products but did not disclose them. “We need to look at this like what is the probability that something will be found by other adversaries. There are many elements that need to go into that decision, and being transparent on what the criteria is” will help the government be more open while protecting classified material, said Intel Security’s Chief Technology Officer Steve Grobman during a hearing Wednesday by the Senate Committee on Commerce, Science, and Transportation. “I think the key thing is transparency,” Grobman said, referring to the vulnerabilities equities process, or VEP. The VEP is a secretive framework that essentially guides when and if a federal agency will notify an organization of a known software flaw that was discovered by the U.S. government. Because […]

The post Government hoarding of software vulnerabilities needs more transparency, tech firms say appeared first on Cyberscoop.

WikiLeaks dump reignites debate over feds hoarding zero days

The document dump by anti-secrecy group WikiLeaks that identifies alleged CIA hacking tools has reopened a vigorous debate about whether the U.S. government should secretly stockpile cyber-weapons. Critics say the publication of source code for the CIA cyber-weapons would be a cybersecurity disaster akin to the release of anthrax from a government laboratory — and are calling for a new policy. Defenders of U.S. policy say there is already a process in place to weigh the risks any time the government decides to keep a newly discovered software vulnerability to itself and weaponize it, rather than sharing it with the vendor so it can be fixed. And a former White House official tells CyberScoop that U.S. agencies should be reaching out to the manufacturers of the products CIA hackers compromised to help them fix the holes the agency has been using. “Time is of the essence,” former White House Cybersecurity Coordinator J. Michael Daniel told CyberScoop. In a blog […]

The post WikiLeaks dump reignites debate over feds hoarding zero days appeared first on Cyberscoop.

Policy Experts Push To Make Vulnerability Equities Process Law

By making the Vulnerability Equities Process law, advocates of the idea argue there would be more reliability, transparency and accountability in the process of government vulnerability disclosure.