A bipartisan bill introduced Wednesday in Congress aims to add transparency to a controversial oversight framework currently used by federal agencies, known as the Vulnerabilities Equities Process (VEP). The legislation would help better define exactly when and if the U.S. government should notify a company about flawed computer code it discovers in a commercial product.
Named the Protecting Our Ability to Counter Hacking Act, or PATCH Act, the bill seeks to codify the VEP and answer some of the tough questions that surround the current framework, including who sits on the multi-agency review board responsible for decisions and when public disclosure is appropriate. In addition, the PATCH Act offers a brief set of decision-making criteria and broadly describes certain considerations that must be weighed by board members, including the secretary of Commerce and the director of national intelligence.
Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory Gardner, R-Colo., and Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, sponsored the bill.
U.S. spies and law enforcement agencies regularly collect intelligence through hacking tools that effectively exploit undisclosed vulnerabilities in software installed on targeted systems. These capabilities can offer unique insight on a specific threat or individual, but critics have argued that by taking advantage of susceptible technology — and keeping that activity secret — agencies like the NSA and FBI are propagating poor security writ large.
The bill arrives in Congress just days after a now-infamous ransomware campaign affecting more than 300,000 machines was able to spread across the globe because it leveraged leaked computer code originally used by the NSA and released by a mysterious group in April.
“Last week’s global WannaCry ransomware attack — based on NSA malware — was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security,” Lieu said in a statement earlier this week.
It remains unclear whether several Microsoft vulnerabilities associated with WannaCry were ever submitted to the VEP by the NSA.
“Sharing vulnerabilities with tech companies enables us to protect our users, including the ones within the government,” said Heather West, senior policy manager for the software organization Mozilla. “If the government has exploits that have been compromised, they must disclose them to software companies before they can be used widely, putting users at risk.”
“The lack of transparency around the government’s decision-making processes here means that we should improve and codify the Vulnerabilities Equities Process in law,” West said.
The rise of WannaCry ransomware reignited a longstanding debate in Washington this week concerning the VEP and more specifically, whether the oversight process is in itself sufficient to protect Americans from hackers that exploit undisclosed software vulnerabilities known to the government.
Notably, the PATCH Act will make it mandatory for agencies to submit information about the secretive vulnerabilities they’ve collected — marking a decisive shift away from the voluntary nature of today’s process. It is the first time Congress has authored a bill about the VEP, a policy native to the executive branch with its roots in the George W. Bush administration.
“The bill’s biggest substantive departure from the present system is that it requires review of all non-public vulnerabilities rather than just those newly discovered,” Harvard University internet security scholars Trey Herr and Mailyn Fidler wrote Wednesday. “This expansion could be controversial within the intelligence community—it may be criticized as overly broad—but it also allows for periodic review of vulnerabilities retained for operational use.”
A coalition of private sector technology companies, including Microsoft, Cisco and Intel, has publicly voiced its support for the PATCH Act.
“We support the goals of the PATCH Act and we look forward to working with Chairman Johnson, Senators Schatz and Gardner, and Reps. Lieu and Farenthold as it moves forward in both chambers,” a statement posted by the Coalition for Cybersecurity Policy and Law reads. “The events of the past week clearly demonstrate the real-world consequences of exploited vulnerabilities. Governments have a critical role in getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery.”