Trump Is Better Than Obama on Cybersecurity Rules, ACLU Says

RTS1L2Z1
President Donald Trump on the South Lawn of the White House upon his return to Washington, D.C., after a Thanksgiving vacation in Florida, on November 26. REUTERS/Yuri Gripas

President Donald Trump's administration is more "transparent" when it comes to some cybersecurity rules, compared to his predecessor Barack Obama's murkier application of measures involving patches to vulnerable computer software and hardware, according to the American Civil Liberties Union (ACLU).

The ACLU was commenting on the current administration's release of the Vulnerabilities Equities Process (VEP), a set of guidelines for the executive branch to determine whether to inform software or hardware producers about a vulnerability within their products or programs. If not, the government could exploit said cybersecurity flaws for the sake of gathering information.

The Obama administration faced backlash for not fully releasing the VEP guidelines. The ACLU praised Trump after his White House released an unclassified, 14-page version on November 15.

"The Trump administration clearly listened to these critiques, and the unclassified version of the 'VEP Charter' issued this week is more comprehensive and transparent than its predecessor," a blog post published Monday read. "In the debate over whether to favor offensive capabilities or defensive efforts, the document states that disclosure serves the national interest in the 'vast majority' of cases."

The VEP report also showed that other major government agencies—not just the Defense Department, Central Intelligence Agency and other members of the intelligence community—also are part of the Equities Review Board that decides how to apply the guidelines. Those agencies include the treasury, state, energy and commerce departments.

However, the civil rights and liberties defense group did not let the U.S. government or Trump off the hook over the debate about keeping cybersecurity vulnerabilities secret. The U.S. intelligence community already dealt with one such flaw earlier this year.

In May, a vulnerability in Microsoft software was used to create ransomware, which can lock individuals out of their computers unless a ransom is paid. That vulnerability ended up affecting more than 200,000 victims in at least 150 countries, according to CNN.

Later it was learned that the vulnerability was exploited by a hacker group using material from the National Security Agency. Originally, the hackers, called "Shadow Brokers," tried to sell the NSA malware, then dumped it online in April for others to tinker with it.

The crux of the issue comes down to how the U.S. can be open to the public about VEP while using the vulnerabilities for the military and intelligence community's benefit.

"Our society has grown intertwined with our IT technology, so if there's a flaw in those systems, there is an imperative to close that hole and make sure it's not exploited," White House cybersecurity coordinator Rob Joyce said, according to Wired, at the Aspen Institute the same day the VEP report was released. "On the other side, you've got the need to produce foreign intelligence, the need to support war fighters, the need to conduct operations in this new cyber environment. And in fact a lot of the knowledge we get to defend systems is gained…from these same sorts of vulnerabilities. So either extreme isn't good for the country."

Trump Is Better Than Obama on Cybersecurity Rules, ACLU Says | U.S.