White House Signals It Will Accept 702 Compromise, as Cyber Vulnerabilities Program Updated
The White House is willing to yield to demands for changes to Section 702 Foreign Intelligence Surveillance Act authority, which expires at year’s end, Cybersecurity Coordinator Rob Joyce said Wednesday at an Aspen Institute event. Joyce also announced transparency measures for the program that decides how the government handles the vulnerabilities it discovers, the "zero day" flaws in products and services. The software industry and some privacy groups welcomed the changes to the Vulnerabilities Equities Process (VEP) Charter as a step toward increasing public understanding of the cyber threat information the government holds. Over the past few months, the administration developed a "rigorous standard" that will improve the process and release key details, Joyce said.
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Reauthorizing the FISA program is critical -- "if it expires, we go deaf and blind," Joyce said. Surveillance authority has been "hotly debated," he said, with discussions evolving from a starting point where some in Congress didn't want to see it revived. “There will be a compromise," Joyce said; S-2010, HR-3989 and a product “still being discussed in House Intelligence” would amend the program in lieu of the “clean” renewal with no sunset that administration officials and intelligence agencies argued is necessary (see 1710130047). The administration draws a line at requiring a warrant for searches of the 702 database when a target is a U.S. person, which would have a “chilling effect” on anti-terrorism activities, he said.
The VEP process spells out how the federal government decides whether to notify a company about a cybersecurity flaw in a product or service, or to withhold the information so the government can use it for intelligence gathering. Releasing such information shows the administration's commitment to improving cybersecurity, Joyce said. In about 10 percent of cases, the government opts to keep information secret to assist in intelligence operations, he said. The goal is to strike the right balance between national security goals and protecting businesses and consumers, Joyce told reporters.
The charter is a “clear step forward in cybersecurity transparency” and will help the public better understand the balance between disclosing information and retaining information for intelligence purposes, said a statement from Software & Information Industry Association Senior Vice President Mark MacCarthy. It's progress, but "fails to incorporate some necessary reforms or to adequately recognize the impact that vulnerabilities have on users,” said AccessNow Policy Manager Amie Stepanovich. A “large majority” of VEP board members and the secretariat “will come from a national security or defense perspective, meaning that it is likely this point of view will dominate,” she said.
"The VEP charter makes clear that government-discovered vulnerabilities should be disclosed unless there is a demonstrable law enforcement or intelligence reason to retain them," said Michelle Richardson, deputy director of the Center for Democracy and Technology's Freedom, Security and Technology Project. "This formal and public government policy is unprecedented and should prevent the government from amassing vulnerabilities for later use."
Privacy and civil liberties groups fought for access to the previously classified program, with the Electronic Frontier Foundation opening a door through a Freedom of Information Act lawsuit in 2014 (see 1407030057). CDT also pushed for a more transparent process. Given the high stakes, "we hope the forthcoming statistics reflect the charter's preference for protecting the health of the internet and its users," Richardson said. "Government hacking may be a necessary evil, but it still can be conducted in a targeted, thoughtful way."
Congress must ensure safeguards, said Rep. Jim Langevin, D-R.I., co-chair of the Congressional Cybersecurity Caucus. The VEP is the right process for "selecting the very few vulnerabilities where disclosure will be delayed," but the process falls apart if the "exploits cannot be kept in government hands," he said. Recent cybersecurity incidents demonstrated the damage that can be caused by unpatched software, Langevin said, adding that he's pleased the new charter "continues a commitment to bringing all stakeholders within the government, including those with a focus on defensive cybersecurity measures and commerce, to the table." Legislation that would codify VEP was introduced earlier this year (see 1705240030), but Joyce told reporters the administration supports having "flexibility" rather than a mandated approach.