A bipartisan group of senators proposed a bill that would require the National Security Agency to notify a board of experts whenever the agency finds security flaws in a company’s networks.
Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory Gardner, R-Colo., and U.S. Reps. Ted Lieu, D-Calif., and Blake Farenthold, R-Texas, proposed the Protecting our Ability to Counter Hacking (PATCH) Act. The bill follows a major global cyberattack, which exploited a vulnerability that the NSA found in an old version of Microsoft’s systems.
“It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process,” said Johnson.
The board would be made up of the secretary of Homeland Security, the director of the FBI, the director of the CIA, and other experts.
The Federal government finds “zero-day vulnerabilities,” which are flaws in technology that are unknown to the technology company. Usually the government discloses these vulnerabilities to the company so that they can be fixed, but sometimes it retains them in order to exploit them for national security purposes.
“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” said Schatz. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the Federal government has the tools it needs to protect national security.”
The board will maintain a consistent policy for how the government evaluates vulnerabilities for disclosure or retention. The bill would also create oversight mechanisms to improve transparency and accountability.
“Last week’s global WannaCry ransomware attack—based on NSA malware—was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security,” Lieu said. “It also highlighted that our government’s current decision-making process for when to hoard software flaws and when to disclose them is opaque and unaccountable to the American people.”
Daniel Castro, vice president of the Information and Innovation Technology Foundation agreed that the PATCH Act will increase transparency between government and industry.
“The legislation will bring needed transparency to the vulnerabilities equities process and balance national security interests with economic interests,” Castro said in a statement. “Moreover, disclosing vulnerabilities to companies in a timely manner will allow them to develop patches sooner and help keep the nation secure.”