The process governing how US intelligence agencies disclose known software bugs to technology firms and corporations, dubbed the vulnerabilities equities process (VEP), will remain the same under the administration of President Donald Trump, experts claim.
Agencies such as the National Security Agency (NSA) and its UK counterpart, the Government Communications Headquarters (GCHQ), routinely "stockpile" a selection of zero-day flaws to use offensively, typically under the guise of national security.
Zero-days, by definition, are not known to the software vendor they affect and have been known to sell for up to a million dollars. Critics argue that by withholding their existence from vendors, the agencies put everyday web users at risk of cybercrime and hacking.
Under a Trump presidency, many remain unsure as to how rules around cybersecurity will change as a much-anticipated Executive Order (EO) on the subject remains elusive. But key officials, speaking at the RSA conference last week, said the VEP is staying put.
"The process is still in use, it is in regular use, and we are having meetings about these things on a pretty regular basis," said Neil Jenkins, director of Homeland Security's Enterprise Performance Management Office, or EPMO, as reported by CyberScoop. He added: "I would say, as of right now, we are still in the mode of responsible disclosure under the current administration.
"It is not within our national interest to build up a stockpile of vulnerabilities to hide behind and to use for intelligence or law enforcement purposes. But the process does recognise that there are some vulnerabilities that we need to keep."
His comments, especially around disclosure, echo past statements from intelligence officials. In one interview with Wired last year, Michael Daniel, then special adviser to the president on cybersecurity issues, claimed the number of stockpiled computer bugs is lower than many think.
"There's often this image that the government has spent a lot of time and effort to discover vulnerabilities that we've stockpiled in huge numbers [...] the reality is just not nearly as stark or as interesting as that," he stressed at the time.
Yet others, even those with close inside knowledge of how the VEP actually works, say it has serious problems. "[The process] is broken," wrote former NSA security scientist Dave Aitel and former GCHQ security specialist Matt Tait in a blog for Lawfare last year.
They noted: "In reality it satisfies none – or at least, none visible to those beyond the participants of the insular process. Instead of meaningfully shaping best outcomes, the VEP provides thin public relations cover when the US government is questioned on its strategy around vulnerabilities."
Rob Knake, former US National Security Council cybersecurity director, told RSA attendees: "If you look at the sort of arc of cyber policy today, coming out of the Trump campaign and then out of the then president-elect's office, it was very offense-oriented.
"So I think there was this sense that the gloves were coming off, that the VEP would be thrown out the window. But what we have seen since then I think is a growing recognition that we revived this policy."