Governments rely on flaws in software, hardware, and encryption protocols for espionage and assorted intelligence gathering. And what makes that cyber-sneaking possible are technical flaws that governments find and keep to themselves. But in the United States, the practice of withholding vulnerabilities such that they can’t be fixed has drawn increasing controversy—especially because of real-world situations where secret government hacking tools have leaked and spread to devastating effect.

In an attempt to clarify and codify the government's approach to dealing with this problem, the White House released details for the first time on Wednesday about how the government decides which software vulnerabilities it discloses, and which ones it withholds for its own use in espionage, law enforcement, and cyber warfare. The Trump administration called the unclassified release a “charter” for the so-called “Vulnerabilities Equities Process,” and it sheds new light on how the government weighs withholding advantageous vulnerabilities against alerting affected companies so that the flaws can be fixed before outside hackers use them as well.

A Tangled VEP

The VEP, developed during the Obama administration, has been consistently criticized for its lack of transparency. Before Wednesday, the public information about the program largely came from a Freedom of Information Act release that contained documents from 2010, and a 2014 blog post by then-White House Cybersecurity Coordinator Michael Daniel.

But calls to explicate the VEP have intensified significantly since WikiLeaks and the hacking group Shadow Brokers began releasing alleged CIA and NSA hacking tools, especially after those tools enabled devastating ransomware attacks and more. And while the new VEP publication is a trove of long overdue information, it doesn't in and of itself solve the problems that led to so many recent failures.

“The reasons you want to patch, you want to disclose are because our society has grown intertwined with our IT technology, so if there’s a flaw in those systems there is an imperative to close that hole and make sure it’s not exploited,” Rob Joyce, the current White House Cybersecurity Coordinator, said at the Aspen Institute on Wednesday morning. “On the other side you’ve got the need to produce foreign intelligence, the need to support war fighters, the need to conduct operations in this new cyber environment. And in fact a lot of the knowledge we get to defend systems is gained…from these same sorts of vulnerabilities. So either extreme isn’t good for the country.”

The new VEP charter does score points for increased transparency, including its detailing of the departments and agencies whose representatives comprise the vulnerability review committee, the criteria used, and the mechanisms for handling situations where that group can’t agree on how to handle a particular bug. The NSA is the “executive secretariat” of the VEP, and most of the representatives come from intelligence community agencies, the Department of Defense, the Department of Homeland Security, and the Department of Justice, including the FBI. But analysts say they were relieved to see groups like the State Department, Treasury, Department of Commerce, and Department of Energy on the list, to represent other priorities and viewpoints.

The charter also promises annual reports—both classified versions for government officials and lawmakers, and an unclassified version—to offer regular updates about the VEP. “I think that this is a huge step forward from almost no documentation to having this charter publicly available,” says Heather West, a senior policy manager at the nonprofit Mozilla Foundation. “This will help people understand what the scope is, which agencies are involved. Whenever the next Shadow Brokers or big hack happens we’ll be able to see, if the VEP broke down where was it? And then we can talk about fixing it instead of just speculating.”

Eternal Blues

The Shadow Brokers example serves as a worst-case scenario of what can occur when government-held vulnerabilities in popular and widely used software get out and suddenly threaten millions of people's digital lives. One exploit tool the Shadow Brokers published, Eternal Blue, targeted a common Microsoft Windows vulnerability, and was used to spread malware in both the WannaCry and NotPetya ransomware attacks that swept the world this spring. While the NSA has never officially confirmed that Eternal Blue was one of its exploits, it had reportedly been an NSA workhorse for more than five years before the agency finally requested that Microsoft patch it, making it more likely with each passing year that someone else would find it and millions of devices would be caught vulnerable.

'The changes that are listed in these unclassified documents, if there are in fact changes, have been made behind a curtain. Any other changes could be made in the same way.' (Andi Wilson, Open Technology Institute)

Ideally, VEP can mitigate those problems by weighing the benefits and risks of exploiting—and continuing to exploit—a vulnerability instead of disclosing it. The White House’s Joyce declined to comment on Eternal Blue, and whether it was ever vetted by the VEP. He emphasized, though, that under the charter the VEP will consistently re-evaluate vulnerabilities so they don’t languish in the toolbox unchecked for years. “When a vulnerability is retained it’s not a lifetime waiver,” he said.