The Hill: Dem lawmaker wants White House to regularly notify Congress on cyber vulnerabilities

March 8, 2018
In The News

Rep. Ted Lieu (D-Calif.) is pressing the Trump administration to report regularly to Congress on the secretive process by which the federal government decides whether to share unknown cyber vulnerabilities with the private sector. 

The Trump administration has sought to bring more transparency to what is called the Vulnerabilities Equities Process (VEP) under pressure from lawmakers, public advocacy groups and others in the private sector. The process of disclosing what are commonly known as “zero days” to tech companies has attracted increased scrutiny in the wake of high-profile malware outbreaks that leveraged hacking tools allegedly developed by the NSA.

Last November, the White House released the first-ever public charter on the VEP, laying out its purpose and disclosing the agencies and officials that participate in it.

Lieu commended the decision as a step toward transparency in a letter to White House cybersecurity coordinator Rob Joyce sent this week. However, he expressed concerns “with the level of discretion when it comes to sharing information with Congress.”

Lieu’s letter, first reported by Politico, referenced a section of the public charter that says the administration “may” report annually to Congress on the process. 

“The new policy lacks the critical piece of accountability to give the American people full confidence in the government’s decision-making on vulnerability disclosure,” Lieu wrote. 

“The ultimate success of the VEP hinges on whether the results of the government’s opaque decision-making on vulnerability disclosure can be audited by Congress to ensure the desired policy is being achieved,” the lawmaker wrote. 

Specifically, the charter says that the National Security Agency, which serves as the “executive secretariat” of the VEP, will produce an annual report on the process to participating agencies as well as the National Security Council that includes statistical data and any changes to the structure of the board that makes determinations on cyber vulnerabilities. 

“The report will be written at the lowest classification level permissible and will include, at a minimum, an executive summary written at an unclassified level. As part of a commitment to transparency, annual reporting may be provided to Congress,” the charter states. 

Lieu asked Joyce whether he would commit to providing annual reports to Congress, beginning with a report on 2017 activities.

Lieu also asked Joyce to clarify what authorities the official directing the process can use “to ensure agencies are complying with the reporting requirements” to the review board. According to the public charter, Joyce will serve as VEP director in his role as White House cybersecurity coordinator.

The VEP was first acknowledged by the Obama administration, but little was known publicly about the officials or agencies involved in the process until last year.

The process attracted increased scrutiny following the global “Wanna Cry” and “notPetya” malware outbreaks in May and June 2017. Both attacks relied on exploits allegedly stolen from the NSA that leveraged a vulnerability in Microsoft Windows. While Microsoft had issued a patch for the flaw prior to the cyberattacks, many systems throughout the world remained unpatched and vulnerable to compromise.

Lieu is among a bipartisan group of lawmakers in the House and Senate that introduced legislation called the PATCH Act last May that aimed to boost oversight and transparency of the VEP.