A day doesn't go by without at least one major cyber event being discussed in every media forum. To help keep our members and Web site visitors informed, we will periodically publish short articles on an area of cybersecurity. The inaugural article in this section of our Web site addresses one of the activities gaining recognition as an influential voice in the area of cyber defense. We extend our thanks to co-authors Mr. Tony Sager, Chief Technologist of the Council on CyberSecurity and Mr. Frank Guido of the Council on CyberSecurity for sharing this insightful article with our online community.
We welcome your feedback regarding any of the articles shared here, as well as suggestions of areas you would like to see addressed in the future.
Dick Schaeffer, NCMF President
Our blog includes a weekly update of cybersecurity news & highlights.
In this article by Terry Thompson for the NCMF blog, he explores the threat posed by what we now refer to as the Internet of Things (IoT). Our smart homes and cities may be more efficient, but at what risk? What measures can be taken to increase our safety while enjoying the benefits of the IoT?
The Department of Justice issued the first report of its Cyber-Digital Task Force on 2 July 2018. The 156-page document addresses foreign influence operations, sophisticated cyber schemes, cyber threats, response to cyber incidents and other topics. Appendices cover recent disruptions of Botnets and Dark Web activities. The report provides details of topics and incidents ranging from ransomware to Internet of Things, summarizes changes in federal guidelines to pursue cyber criminals, and reviews DoJ frameworks for responding to various types of cyber incidents.
Article and white paper that explore the vital role Satellite Communications (SATCOM) plays in the global telecommunications system, and the issues and vulnerabilities associated with the corresponding security of the devices used in the process.
New York Times article by Louis Lucero II - May 27, 2018: "Hoping to thwart a sophisticated malware system linked to Russia that has infected hundreds of thousands of internet routers, the F.B.I. has made an urgent request to anybody with one of the devices: Turn it off, and then turn it back on..."
Check out this informative summary of cyber threat predictions for 2018 from companies such as Trend Micro, Forbes, Fire Eye Mandiant, Security Info Watch, and more. Links to full reports are included.
Vulnerabilities in the Spotlight - Vulnerabilities Equity Process (VEP)
Posted on 11/25/2017
On 15 November 2017, White House Cybersecurity Coordinator Rob Joyce released the government’s new policy on publicizing information about the Vulnerabilities Equity Process (VEP). Long treated as a classified process, VEP is used to decide which vulnerabilities in hardware, software, network equipment, and industrial control system components discovered by NSA and other government agencies can be released to U.S. companies for mitigation and which ones remain classified for potential operational use by intelligence or law enforcement agencies. The VEP will be implemented by an interagency Equities Review Board (ERB) under the National Security Council. NSA will serve as the VEP Executive Secretariat and will be responsible for preparation of ERB meeting agendas, information flow, and record keeping.
Rob Joyce announced the development of a new VEP Charter at the Washington Post “Cyber Summit” in October. He said that transparency in the VEP process was an important goal, adding that NSA historically has disclosed more than 90% of the vulnerabilities it discovered to the affected vendors. The last point is important. While the VEP process is now public knowledge, specific vulnerabilities and related technical information will only be released to the company owning the products with the specific vulnerability.
In his blog post that accompanied publication of the VEP Charter, Joyce discusses the tension created when government discovers vulnerabilities. Should the government release this information in line with its law enforcement and national security responsibilities? Or should government retain knowledge of at least some vulnerabilities to use against “extremely capable actors whose actions might otherwise go undiscovered and unchecked”? His belief is that conducting the risk/benefit analysis of discovered vulnerabilities is “a vital responsibility of the Federal Government.” (For Rob Joyce’s blog, see https://www.whitehouse.gov/blog/2017/11/15/improving-and-making-vulnerability-equities-process-transparent-right-thing-do; the blog includes a link to the Charter, “Vulnerabilities Equities Policy and Process for the United States Government.”)
The VEP Charter outlines the purpose, background, and scope of the VEP as well as the process used when a vulnerability is identified for review. The Charter also reveals the agencies that are on the ERB, described as “the primary forum for interagency deliberation and determinations considering the VEP.” The ERB will consist of ten Executive Branch organizations: OMB, ODNI, Treasury, State, Justice, DHS, Energy, DoD (including NSA, USCYBERCOM, and the DoD Cyber Crime Center), Commerce, and CIA. NSA will serve as the Executive Secretariat. An annual report will be released at the lowest possible level of classification to include an unclassified Executive Summary.
The Charter emphasizes the need for speed in the determination about whether to release or restrict discovered vulnerabilities. ERB members will be notified within one business day of a reported vulnerability. Upon notification, they must identify any equities they may have. Decisions will generally be made within a two-week period in which all agencies will have the opportunity to agree, disagree, and/or discuss the proposed solution. If there is no consensus, the ERB will consider decision options based on department/agency inputs.
There are some caveats spelled out in the Charter. One concerns the handling and dissemination of vulnerability information to vendors. That can be done by the agency or department that first discovered the vulnerability or it may be delegated to another department. The VEP Executive Secretariat will monitor the process and the ERB will consider the vendor’s response. If the ERB determines that the vendor is not patching the vulnerability for any reason, the U.S. Government may take appropriate mitigation steps.
A second caveat has to do with the process for contesting ERB decisions by one or more of its members. This process will initially include the ERB, but may ratchet up to the Executive Office of the President for final determination about the disclosure (or non-disclosure) of a specific vulnerability.
A third set of caveats focuses on institutional considerations. The needs of defense, intelligence, law enforcement, commercial, and international relations must be considered in the equities review process, and all agencies must safeguard vulnerability information provided by any agency. NSA is responsible for bringing to the ERB any vulnerability reported in Government-Off-The-Shelf (GOTS) products previously certified by NSA. Finally, any malicious activity discovered by any agency involving a vulnerability considered by the ERB must be reported to the VEP Secretariat, which will launch an equities review discussion on the next business day.
The last section in the Charter clarifies “Exceptions” to the VEP and ERB process. These include vulnerabilities discovered by security researchers and reported to security organizations like US-CERT for immediate response. These will not be included in the equities review process. Several categories of “misuse” will also not fall under VEP. An important exception is made for any vulnerabilities disclosed to the U.S. by foreign partners or used in sensitive operations. Agencies are required to report anything in these categories to the VEP Secretariat for inclusion in a classified Annex to the Charter.
Public release of the VEP Charter is an exciting and overdue development in cybersecurity. It provides transparency into a decision-making process that is, by definition, complex and highly sensitive. While some critics may say that the Charter is only an administrative directive and not U.S. law, the fact that there is a vulnerabilities equity review process that is well-organized and run as part of the national security process should be comforting to cyber professionals in industry, academia, and elsewhere in government. Professionals will understand that information about some vulnerabilities must be restricted for reasons of national security and law enforcement, but can rest assured that most vulnerabilities discovered by the government will be revealed to the vendors who made the original product. This contributes to the well-being of the U.S. economy and the general public.
The U.S. is not the only country with an equities review process for digital products and systems. NSA’s British counterpart, GCHQ, manages a similar process. The former Director of GCHQ gave an interview to Cipher Brief soon after the White House published the VEP Charter. Robert Hannigan states that the UK Government also releases more than 90% of discovered vulnerabilities, but points out that some discovered vulnerabilities must remain restricted because the government has to retain “some tools” to do the work of intelligence.
Hannigan also notes that the process is not legislated in the UK either, but is run by GCHQ in concert with its new cybersecurity arm, the National Cyber Security Centre. He also points out that GCHQ analysts work closely with NSA, so discussions about vulnerabilities are not done in isolation. (For the full interview, see https://www.thecipherbrief.com/column_article/britains-gchq-decides-secrets-share)
Cybersecurity: Personal Privacy in a Digital World: Cybercrimes are estimated to be costing American businesses over half a billion dollars a year, and with security breaches regularly threatening the personal and financial information of broad swaths of the American public, the problem seems to be getting worse.
On November 8, 2017, The Washington Post brought together business executives, leading cybersecurity experts, privacy advocates and others to discuss detection and prevention strategies for individuals and corporations. The experts examined the current and future cyber threat landscape and the solutions that could help consumers cope with this urgent problem.
The Washington Post hosted its annual Cybersecurity Summit in Washington on October 3. This year’s summit was sponsored by Hewlett Packard and Georgetown University. The summit included three sessions: “The View from the White House;” “Threats Facing America;” and “Cybersecurity and Civil Liberties.”
The 20-year climb to an elevated CyberCom: How a 1997 military exercise sparked the eventual creation of a unified combatant command for cyber.
Article by William S. Cohen for FCW.com on 10/12/2017.
How governments view powerful tools like the internet often determines how they treat them. In the West, governments have sought to let citizens freely and openly engage with cyberspace – for trade, culture, and civic discourse. Others, such as Russia and China, see the internet as a powerful tool to consolidate their power domestically and a threat to their sovereignty internationally. But that view disregards the economic, social, and cultural globalization that the internet has helped manifest. The Cipher Brief’s Levi Maxey spoke with Chris Inglis, the former Deputy Director of the National Security Agency, about why governments might understand digital sovereignty differently and the negative impacts a fragmenting of the global digital commons could have.
This inaugural article in this section of our website, by Tony Sager and Frank Guido of the Council on CyberSecurity, addresses one of the activities gaining recognition as an influential voice in the area of cyber defense. We extend our thanks to co-authors Mr. Tony Sager, Chief Technologist of the Council on CyberSecurity, and Mr. Frank Guido of the Council on CyberSecurity for sharing this insightful article with our online community.
The Council on Cybersecurity is an independent, expert, not-for-profit organization with a global scope committed to the security of the open Internet. Visit the Council on Cybersecurity's blog for cyber developments and check out their publications page.
The National Initiative for Cybersecurity Careers and Studies (NICCS) is a key resource of cybersecurity information. The vision of the NICCS is to provide the nation with the tools necessary to ensure citizens and the workforce have more dynamic cybersecurity skills. The mission of NICCS is to be a national resource for cybersecurity awareness, education, careers, and training.
The INSA Cyber Council is a select group of current and former executives from the public, private and academic sectors with a breadth of expertise across the Cyber and Digital arena to include: Cyber/IT/Computing/Data Analytics, Operations, Policy and Security. The Council engages government and industry communities in pursuit of thought leadership and practical solutions, focusing on key challenges we all face today. The Council has published numerous white papers since its inception in 2009 with the most recent published in the Fall of 2014. Visit their site for more details.
The CyberWire is a free, community-driven cyber security news service based in Baltimore. Their mission is to provide concise and relevant daily briefings on the critical news happening across the global cyber security domain. In an industry overloaded with information, they strive to help individuals and organizations rapidly find the news and information that's important to them. Sign up for their free, daily news brief & check out their daily podcasts.