Skip to main content

FCW: Senate bill codifies vulnerabilities board

May 17, 2017

Exploits developed by the National Security Agency are very likely at the core of a destructive breed of the WannaCry malware that is wreaking havoc around the globe.

The release of NSA tools into the wild by the Shadow Brokers group has raised concerns about the process by which IT vulnerabilities discovered by NSA hackers are shared with software and hardware vendors.

A new bill in the Senate would codify the administrative Vulnerabilities Equities Process into law and create a legal framework for how agencies decide whether to inform a vendor about a vulnerability or to retain it for the purposes of espionage.

The Protecting our Ability To Counter Hacking Act, or PATCH Act, is being touted by its sponsors as a bipartisan approach to injecting new transparency into the disclosure process.

It gives a legislative frame to a secret process developed under the Obama administration. Some former participants in the process have already called for more transparency in the way decisions about disclosure are made.

The PATCH Act's sponsors agree.

"It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process," said Sen. Ron Johnson (R-Wis.), a sponsor of the bill and the chairman of the Senate Homeland Security and Government Affairs Committee.

"Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security," said cosponsor Sen. Brian Schatz (D-Hawaii).

The bill establishes the Vulnerability Equities Review Board to set policy on the disclosure of vulnerabilities known to the U.S. government. Members will include the heads of the Department of Homeland Security, FBI, CIA, NSA and the Department of Commerce, to be joined by a set of ad hoc members from other departments.

The board would make disclosure decisions based on set criteria, including the exposure of the U.S. economy and U.S. critical infrastructure to a vulnerability, the risks of leaving it unpatched, the risks of a vulnerability being disclosed to an adversary, the need of the U.S. to use an particular exploit in intelligence gathering or an ongoing operation, the likelihood of the U.S. government finding out if such a vulnerability was known elsewhere and other factors.

The board is also required to report to Congress on how often it meets, the total number of vulnerabilities it reviews and the number of vulnerabilities it decides to share with vendors or opts to retain. An unclassified version of this report is to be made public.

Some privacy advocates and IT groups have already come out in support of the legislation.

The bill "would ensure that the weighty decision by the government about when to withhold a vulnerability for law enforcement or intelligence use, versus when to disclose it to the vendor so it can be patched, isn't left to an ad hoc process convened at the executive branch's discretion," said Kevin Bankston, director of the Open Technology Institute at New America.

Daniel Castro, vice president of the Information Technology and Innovation Foundation called the bill "a critical step forward to reform [a] broken process."

A House version of the bill is being introduced by Reps. Cory Gardner (R-Colo.), Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas).