Cybersecurity: What to Know About the 'Vulnerabilities Equities Process'
November 22, 2017 at 03:26 PM
SAN FRANCISCO — They may not realize it, but any company hit by the WannaCry ransomware attack over the past several months was impacted firsthand by a secretive U.S. government policy mechanism known as the VEP.
Short for the “Vulnerabilities Equities Process,” the VEP is the procedure through which the government decides whether to hang on to knowledge of computer security flaws for offensive uses (i.e., hacking), or disclose them to ensure they get patched. In the case of WannaCry, news reports and comments by Microsoft's chief legal officer indicated that the NSA knew about the vulnerability at the root of the worm, but only told Microsoft after losing control of it.
In the wake of the ensuing controversy, White House Cybersecurity Coordinator Rob Joyce last week for the first time unveiled a public version of the VEP Charter in an effort to shed some light on the government's decision-making process. The 14-page document describes in broad strokes the balancing act government hackers must go through after they discover new vulnerabilities. Here are a few things you ought to know about it:
1) The government will usually disclose the vulnerabilities it finds. Usually.
“The new charter makes an important policy decision that the presumption lies in favor of disclosing the vulnerabilities to the companies,” said Michelle Richardson, a deputy director at the Center for Democracy and Technology who has written about the VEP. “While several Obama officials had said as much in their personal capacities, it is crucial to have it be an official declaration from the whole of government.”
The relevant language from the charter reads: “In the course of carrying out USG missions, the USG may identify vulnerabilities that cyber actors could exploit. In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”
The caveat? The charter adds that there are “legitimate advantages and disadvantages to disclosing vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities … can have significant consequences.” (Clearly.) When the government decides to keep a vulnerability under wraps, the charter says it will reassess that determination on an annual basis “until dissemination is accomplished,” or until the vulnerability becomes public or is “otherwise mitigated.”
2) There are a lot of cooks in the kitchen.
According to the charter, the body in charge of administering the VEP is known as the “Equities Review Board.” The board, which meets monthly, or more frequently as needed, comprises representatives from at least 10 different government agencies, including the Office of the Director of National Intelligence, the Department of State, the Department of Treasury, the Central Intelligence Agency, and the Department of Justice.
The National Security Agency “will support VEP governance by serving as the Executive Secretariat for the VEP, acting at all times under the authority, direction, and control of the Secretary of Defense,” the charter says. It adds that other agencies may become involved when “demonstrating responsibility for, or identifying equity in, a vulnerability under deliberation.”
The new charter requires the secretariat to submit an annual report to the various agency “points of contact” and the White House National Security Council, and create an executive summary written at an unclassified level. “As part of a commitment to transparency, annual reporting may be provided to the Congress,” it adds.
3) The government will not review weaknesses that stem from misconfiguration, feature misuse, or a lack of security by design.
There are types of vulnerabilities that will not go through the VEP process, according to the charter. Those include misconfiguration or poor configuration of a device that “sacrifices security in lieu of availability, ease of use or operational resiliency”; misuse of “available device features that enables non-standard operation”; and “engineering and configuration tools, techniques and scripts that increase/decrease functionality of the device for possible nefarious operations.” (Phone jailbreaking would ostensibly fall into this category.)
Lastly—and perhaps obviously—the government will not go through a VEP review upon discovering that a “device/system has no inherent security features by design.”
4) Companies should think about their patching policies.
Joyce, in his blog post, acknowledges that the risk of not disclosing a vulnerability that the government learns about is that it will be exploited by other actors “to harm legitimate, law-abiding users of cyberspace.” In weighing the various considerations, he says that one of the choices the government has is to disclose the security flaw to the vendor “with expectation that they will patch the vulnerability.”
Stewart Baker, a partner at Steptoe & Johnson LLP and a former Department of Homeland Security official, said the charter underscores that if the government tells a company about a security hole, the company better make sure it has a plan to respond. “They're going to have to think, 'Am I somehow liable for failing to patch?'” Baker said.