The charter adds significant transparency to the process by which the federal government balances competing national security goals. The competing considerations are building the capability to hold criminals and other adversaries at risk for their actions, without increasing the risk that a vulnerability known to our government (but not necessarily to the entity responsible for operating the affected system) might be used to harm legitimate users of cyberspace.
Briefly, an interagency group of agencies with responsibility for elements of cybersecurity forms the VEP's Equities Review Board (ERB). It consists of:
- Office of Management and Budget
- Office of the Director of National Intelligence (including the IC-SCC)
- Department of the Treasury
- Department of State
- Department of Justice (including the FBI and the National Cyber Investigative Joint Task Force)
- Department of Homeland Security (including the National Cybersecurity and Communications Integration Center (NCCIC) and the Secret Service)
- Department of Energy
- Department of Defense (including the National Security Agency, both its Information Assurance and Signals Intelligence elements, U.S. Cyber Command, and the DoD Cyber Crime Center (DC3))
- Department of Commerce
- Central Intelligence Agency
- other agencies, as appropriate
We can consider these agencies the core of the nation’s cyber defense and offense.
NSA will serve as the executive secretariat, doing much of the analysis and administrative work. It will maintain records of all the vulnerabilities submitted, including the submitting agency, the determination (whether to disclose the vulnerability to the affected vendor or to restrict it for other uses), and the relevant dates. Any need for reassessment and other pertinent information may also be recorded. The secretariat will prepare an annual report that will be submitted through the Special Assistant to the President and Cybersecurity Coordinator. This report will be prepared at the lowest classification level possible, with at least an unclassified summary. The report will include statistical information on a fiscal-year basis and will identify the members of the Equities Review Board (ERB) and any reassignment of director or secretariat responsibilities.
When an agency identifies a vulnerability that requires equities review, that agency will submit notice to the ERB with a recommendation either to disseminate (disclose) or to restrict the vulnerability. The submission will also describe the vulnerability and identify the vulnerable products and systems. This initial process is intended to be completed within about a week. Decisions will be based on consensus where possible. When consensus is not possible, options will be proposed to the board.
Factors the board will consider include defensive, military, intelligence and operational, communications, international-relations, and law enforcement equities.
If a vulnerability affects a national security system, NSA (in its role as National Manager for those systems) is to be notified as soon as possible. Exceptions to the process will be possible for specific, limited categories of vulnerabilities, for example where partner agreements or sensitive operations impose restrictions. Some vulnerabilities requiring rapid response will not be subject to the Vulnerabilities Equities Process at all. The fact that the Department of Energy has a seat at the table indicates the importance placed on protecting the nation's energy infrastructure and related systems.
This decision has required a great deal of thoughtful work by the agencies involved, as well as careful compromises about how to proceed. The transparency provided by this move is a small victory for the "good guys" and should help the long-range goal of protecting free societies.