Lawmakers move to boost transparency of government’s cyber vulnerability disclosure
Lawmakers have introduced bipartisan legislation to boost transparency of the process the federal government uses to decide whether to disclose cyber vulnerabilities to the private sector.
The bill comes in the wake of the international WannaCry ransomware attack. The ransomware campaign, widely believed to be based on a leaked National Security Agency (NSA) hacking tool, has renewed debate over what is known as the federal government's vulnerabilities equities process (VEP).
The VEP, first acknowledged by the Obama administration in 2014, has raised privacy and security concerns because so little is known about its details.
The legislation introduced Wednesday would boost oversight and transparency of the process by codifying it into law.
For instance, the bill would specify the members of the board that decides whether to disclose what are called "zero-day" vulnerabilities, flaws unknown to the software vendor and for which, as a result, no patch yet exists.
The bill, called the Protecting our Ability to Counter Hacking (PATCH) Act, is being offered by Sens. Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.) and Cory Gardner (R-Colo.) in the Senate and Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) in the House.
Schatz said in a statement that the legislation strikes the right balance between national security and cybersecurity.
“Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security,” Schatz said.
Specifically, the legislation mandates that the Vulnerabilities Equities Review Board consist of permanent members including the secretary of Homeland Security, the FBI director, the director of national intelligence, the CIA director, the NSA director and the secretary of Commerce.
The secretaries of State, Treasury, and Energy, as well as the Federal Trade Commission, would all be considered ad hoc members. When requested by the board, any member of the National Security Council would also be able to participate, with approval by the president.
The bill also spells out the board’s duties, which include developing policy on the process of deciding whether to share information about a zero-day vulnerability. The board would have to submit a draft of these policies to Congress and the president within six months of the bill’s enactment. Later, an unclassified version of the draft policies would have to be made available to the public.
The board would be required to submit annual reports to Congress on its activities.
The legislation has already earned support from industry and advocacy organizations, including McAfee, the Information Technology and Innovation Foundation and the Center for Democracy and Technology.
The government is said to err on the side of disclosure, but industry and privacy advocates have pushed for more transparency surrounding the process of deciding what to do in the event of the discovery of a zero-day vulnerability.
The WannaCry ransomware exploits a vulnerability in Microsoft Windows that was publicly released earlier this year by the hacker group the Shadow Brokers in a leak of alleged NSA hacking tools. While Microsoft had issued a patch for its supported systems before the leak, many computers remained unpatched and were susceptible to the ransomware over the weekend.
Microsoft president and chief legal officer Brad Smith took aim at the U.S. government over the weekend, arguing that the incident shows why governments should stop “stockpiling” vulnerabilities.
“Last week’s global WannaCry ransomware attack — based on NSA malware — was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security,” Lieu said in a statement on Wednesday.
“It also highlighted that our government’s current decision-making process for when to hoard software flaws and when to disclose them is opaque and unaccountable to the American people.”
The ransomware attack broke out Friday and has spread to at least 150 countries, dealing blows to Britain's National Health Service and Germany's rail network. The impact on the United States has been less severe than in other countries, but the ransomware has affected some American companies, such as FedEx.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.