This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies. The primary focus of this policy is to prioritize the public’s interest in cybersecurity and to protect core Internet infrastructure, information systems, critical infrastructure systems, and the U.S. economy through the disclosure of vulnerabilities discovered by the USG, absent a demonstrable, overriding interest in the use of the vulnerability for lawful intelligence, law enforcement, or national security purposes.
The Vulnerabilities Equities Process (VEP) balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the USG, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence. The U.S. Government’s determination as to whether to disseminate or restrict a vulnerability is only one element of the vulnerability equities evaluation process and is not always a binary determination. Other options that can be considered include disseminating mitigation information to certain entities without disclosing the particular vulnerability, limiting use of the vulnerability by the USG in some way, informing U.S. and allied government entities of the vulnerability at a classified level, and using indirect means to inform the vendor of the vulnerability. All of these determinations must be informed by the understanding of risks of dissemination, the potential benefits of government use of the vulnerabilities, and the risks and benefits of all options in between. This document defines the policy and process for evaluating competing considerations to inform U.S. Government decisions.
4.1. Equities Review Board and VEP Director
The Equities Review Board (ERB) is the primary forum for interagency deliberation and determinations concerning the VEP. The ERB will meet monthly, but may also be convened sooner if an immediate need arises.
The ERB will consist of representatives from the following agencies who are authorized to represent the views of their respective agency head:
- Office of Management and Budget
- Office of the Director of National Intelligence (to include Intelligence Community-Security Coordination Center (IC-SCC))
- Department of the Treasury
- Department of State
- Department of Justice (to include the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force (NCIJTF))
- Department of Homeland Security (to include the National Cybersecurity Communications and Integration Center (NCCIC) and the United States Secret Service (USSS))
- Department of Energy
- Department of Defense (including the National Security Agency (NSA) (including Information Assurance and Signals Intelligence elements), United States Cyber Command, and DoD Cyber Crime Center (DC3))
- Department of Commerce
- Central Intelligence Agency
Other USG agencies may participate when demonstrating responsibility for, or identifying equity in, a vulnerability under deliberation. Changes to the name of an agency will not affect its participation in this process.
Each agency participating in the VEP will designate an agency point of contact (POC) to act as the focal point for vulnerability submissions for their respective organization and the primary contact for the VEP Executive Secretariat.
The VEP POC will ensure one or more Subject Matter Experts (SME) from their agency are identified to support equities determinations and discussions as needed.
The VEP Director at the NSC will be responsible for ensuring effective implementation of VEP policies. The VEP Director is the Special Assistant to the President and Cybersecurity Coordinator, or an equivalent successor.
The Korean peninsula is a location of strategic interest for the US in the Pacific Command (PACOM), and many observers note that North Korea is an unpredictable and potentially volatile actor. According to the Department of Defense in its report to Congress and the intelligence community, the DPRK “remains one of the United States’ most critical security challenges for many reasons. These include North Korea’s willingness to undertake provocative and destabilizing behavior, including attacks on the Republic of Korea (ROK), its pursuit of nuclear weapons and long-range ballistic missiles, and its willingness to proliferate weapons in contravention of United Nations Security Council Resolutions.” Some of the latest evidence of irrational behavior is the elevation of Kim Jong Un’s 26-year-old sister to a high governmental post late in 2014, the computer hacking of the Sony Corporation supposedly by North Korea during late 2014 over the possible release of a film that mocked Kim Jong Un, and the April 2015 execution of a defense chief for allegedly nodding off during a meeting. Over the past 50 years, North Korea has sporadically conducted operations directed against its enemies, especially South Korea. These actions included attacks on South Korean naval vessels, the capturing of a US ship and holding American hostages for 11 months, the hijacking of a South Korean airline jet, electronic warfare against South Korean signals including global positioning satellites (GPS), and assassinations or attempted assassinations on South Korean officials including the ROK president. The attempted 1968 Blue House Raid by North Korean elite military personnel resulted in the death or capture of all 31 infiltrators involved in the assassination attempt as well as the death of 71 personnel, including three Americans, and the injury of 66 others as the North Korean SPF personnel attempted to escape back to DPRK territory.
The purpose of this North Korean Threat Tactics Report (TTR) is to explain to the Army training community how North Korea fights including its doctrine, force structure, weapons and equipment, and the warfighting functions. A TTR also identifies where the conditions specific to the actor are present in Decisive Action Training Environment (DATE) and other training materials so that these conditions can easily be implemented across all training venues.
North Korea is an oligarchy with Kim Jong Un as its supreme leader.
The DPRK is a militaristic society with about 1.2 million active duty personnel in uniform out of a population of 24 million with another 7.7 million in the reserve forces.
All military personnel serve under the umbrella of the Korean People’s Army (KPA); the Korean People’s Air Force (KPAF) and Korean People’s Navy (KPN) primarily support the KPA ground forces.
The KPAF focuses on homeland defense and close air support to the KPA.
The KPN’s primary mission is to protect the North Korean coastline and support the KPA special purpose forces (SPF) in mission execution.
Much of the equipment in all military branches is old and obsolete, but the KPA has concentrated its modernization efforts on missile technology that may provide the means to successfully launch a nuclear warhead.
North Korea possesses a nuclear weapon and is modernizing its missile fleet in order to increase the attack range for its nuclear arsenal.
North Korea possesses both chemical and biological weapons.
The KPA practices both passive and active camouflage to hide its units, headquarters, and other important resources from the air.
Although the North Korean military may feature some positive attributes as a fighting force, the KPA also suffers from many weaknesses. Much of the military’s equipment is old and obsolete. The North Korean military consciously refuses to rid itself of any equipment and still operates tanks that date back to World War II. This wide range of military hardware from many generations of warfare also generates logistical issues. Not only must the KPA’s supply personnel find the spare parts for a large variety of equipment, but the KPA maintenance personnel must also be well-versed in the repair of a great assortment of vehicles and weapons. In addition, the DPRK lacks the logistical capability to support the KPA beyond a few months. Due to the shortage of fuel and the cost to operate vehicles for a cash-strapped country, many of the KPA soldiers find themselves involved in public works projects or helping farmers bring in their rice crops. Any time spent in non-military support is less time that the KPA soldiers can spend training for combat. Even the mechanized and armor forces, due to resource restraints, spend much of their training time doing light infantry training instead of mounted operations. While KPA soldiers may be well trained in individual skills or small unit tactics, the amount of time spent on larger exercises pales in comparison to most Western militaries. Without adequate time and resources to practice large scale military operations, the KPA will always face a steep learning curve when the KPA is forced to perform them in actual combat for the first time.
The DPRK’s unorthodox use of provocation in order to obtain concessions from its enemies—especially the US, South Korea, and Japan—is a danger. One never knows what North Korea will do next as, in the past, the DPRK has sanctioned assassination attempts on South Korean political leaders and conducted bombings when South Korean contingents are in another country, unannounced attacks on ships by submarines, unprovoked artillery attacks, or has tunneled underground into another country. US military personnel stationed in South Korea must be prepared for the unexpected from the DPRK.
One of these incidents could ignite the Korean peninsula back into a full-blown war. While an armistice has been in place since 1953, an armistice is just a ceasefire waiting for a peace treaty to be signed or for the resumption of hostilities. Any conflict between North and South Korea would inevitably bring the US into the conflict as the ROK has been an ally for over six decades.
North Korea’s possession of nuclear weapons and the missiles to transport them up to 9,650 km makes it a threat to US forces stationed in Korea, Japan, Alaska, or even the west coast of the continental United States. Even more concerning was the DPRK’s first successful test launch of a KN-11 missile from a submarine on 23 January 2015 since, in the near future, the North Korean submarines could silently move closer to their targets before launching a nuclear missile that would give the US less warning time. If the DPRK thought that the survival of its country or the Kim regime was at stake, North Korea might use any nuclear weapons at its disposal. The KPA also possesses chemical weapons and its doctrine calls for their employment. The DPRK is also involved in biological weapons research and would likely use those with offensive capabilities. US military personnel training for deployment to South Korea must be prepared to fight in a chemical, biological, or nuclear environment.
COUNTER INTELLIGENCE CORPS (CIC)
ALLIED FORCE HEADQUARTERS
APO 512 (Caserta, Italy)
St. Andrew Prisoner of War Camp, Taranto, Italy
(Campo di Sant’Andrea a.k.a. Campo ‘S’)
40°31’15N, 17°18’18E
SECRET 17 January 1945
SUBJECT: Interrogation and Findings
RE: Remnants of 1st Security Battalion of the 2nd Second Regiment of Patras, and remnants of the 5/42nd Evzone Regiment
Interrogation and Findings (23 pages)
Inclosure 1: KOURKOULAKOS to AFHQ Italy (05 pages)
Inclosures 2 – 9 (12 pages)
Misc. Documents (19 pages)
SECRET 19 January 1945 – Bari, Italy
SUBJECT: Political Parties and Military Organizations
RE: Situation in Greece
MEMORANDUM FOR THE OFFICER IN CHARGE (23 pages)
MEMO Inclosures (09 pages)