Two US senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products.
The Protecting our Ability To Counter Hacking (PATCH) Act [PDF] would set up a board chaired by a Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide whether manufacturers should be alerted to the bugs so they can be fixed for everyone.
Right now, as you probably know, the NSA et al. discover exploitable programming and design blunders in computers and networking gear, and keep a bunch of the bugs to themselves so they can be used to infect and spy on intelligence targets. This means the flaws go unpatched, leaving them for miscreants and rival snoops to find and attack.
This latest draft legislation was introduced today into the Senate by the chairman of the Senate Homeland Security and Governmental Affairs Committee, Senator Ron Johnson (R-WI), and Senator Brian Schatz (D-HI). It is designed to force the US intelligence agencies to pass on vulnerabilities to software developers and hardware makers if there is evidence other people are exploiting them.
"Striking the balance between US national security and general cybersecurity is critical, but it's not easy. This bill strikes that balance," said Senator Schatz.
"Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public, while also ensuring that the federal government has the tools it needs to protect national security."
The bill is a response to last week's WannaCry ransomware outbreak, which used stolen and subsequently publicly leaked NSA cyber-weapons – EternalBlue and DoublePulsar – to spread fast, knocking out hospitals, railways, ATMs, universities, telcos, the Russian government, and more. The exploits were released by the Shadow Brokers hacking group in April. The same team is now promising more revelations.
President Obama did institute an informal process, known as the Vulnerabilities Equities Process, for assessing vulnerabilities and deciding whether they should be disclosed and patched, but it wasn't a binding system. Under the proposed legislation, the DHS would chair a committee of experts, including representatives from the NSA and the National Institute of Standards and Technology.
"As we've seen in recent days with the worldwide ransomware attack, the continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America's networks and information," said Senator Johnson.
"It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests, while increasing transparency and accountability to maintain public trust in the process."
The proposed act is still in its infancy; as usual, it has many hurdles to jump and committees to impress before it can become law. ®