Trump administration releases rules on disclosing cyber flaws

This post was originally published on this site

WASHINGTON (Reuters) – The Trump administration publicly released on Wednesday its rules for deciding whether to disclose cyber security flaws or keep them secret, in an effort to bring more transparency to a process that has long been cloaked in mystery.

The move is an attempt by the U.S. government to address criticism that it too often jeopardizes internet security by stockpiling the cyber vulnerabilities it detects in order to preserve its ability to launch its own attacks on computer systems.

The revised rules, published on whitehouse.gov, are intended to shed light on the process for how various federal agencies weigh the costs of keeping a flaw secret, said Rob Joyce, the White House cyber security coordinator.

Speaking at an Aspen Forum event in Washington, Joyce said the rules were the “most sophisticated” in the world.

Private industry companies, he said, “are not getting tips from China, Russia, North Norea, Iran about the vulnerabilities” in their systems.

Under former President Barack Obama, the U.S. government created an inter-agency review, known as the Vulnerability Equities Process, to determine what to do with flaws unearthed primarily by intelligence agencies such as the National Security Agency.

The process is designed to balance law enforcement and U.S. intelligence desires to hack into devices with the need to warn manufacturers so that they can patch holes before criminals and other hackers take advantage of them.

The new Trump administration charter on the process explains how it functions and names the agencies involved in the vulnerability reviews. They include intelligence agencies in addition to several civilian departments, including the Departments of Commerce, Treasury, Energy and State.

Some security experts have long criticized the process as overly secretive and too often erring against disclosure.

Joyce said on Wednesday more than 90 percent of flaws are ultimately disclosed, though some critics say they are often not shared quickly enough.

The criticism grew earlier this year when a global ransomware attack known as WannaCry infected computers in at least 150 countries, knocking hospitals offline and disrupting services at factories.

The attack was made possible because of a flaw in Microsoft’s Windows software that the NSA had used to build a hacking tool for its own use.

But in a breach U.S. investigators are still working to understand, that tool and others ended up in the hands of a mysterious group called the Shadow Brokers, which then published them online.

Suspected North Korean hackers spotted the Windows flaw and repurposed it to unleash the WannaCry attack, according to cyber experts. North Korea has routinely denied involvement in cyber attacks against other countries.