Following one of the largest global cyberattacks in history, U.S. Representatives Blake Farenthold (R-Texas) and Ted Lieu (D-Calif.) and U.S. Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) introduced the Protecting our Ability To Counter Hacking (PATCH) Act, bipartisan legislation that adds transparency and accountability to the U.S. government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems.
“Cyberattacks around the world have increasingly shown the vulnerabilities of both public and private sector computer systems,” said Representative Farenthold. “The government needs to be more aggressive in helping to secure cyber vulnerabilities for everyone’s safety and security.”
“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” said Senator Schatz, lead Democrat on the Senate Subcommittee on Communications, Technology, Innovation, and the Internet. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”
“As we’ve seen in recent days with the worldwide ransomware attack, the continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America’s networks and information. It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process,” said Senator Johnson, Chairman of the Senate Homeland Security and Governmental Affairs Committee and a senior member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet.
“The latest global ransomware attack revealed the importance of locating and patching vulnerabilities before malicious actors can attack our most critical systems,” said Senator Gardner. “This legislation ensures the American public has greater transparency into how vulnerabilities and threats are shared between federal government actors, intelligence organizations, and the private sector. We must be vigilant to avoid another massive cyberattack and that requires strengthening the process to help detect and share technological vulnerabilities.”
“As a computer science major, it is clear to me that one nation's cyber weapon is everyone else's vulnerability, from governments to businesses to consumers,” said Representative Lieu, a member of the House Subcommittee on Courts, Intellectual Property, and the Internet. “Last week’s global WannaCry ransomware attack—based on NSA malware—was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security. It also highlighted that our government’s current decision-making process for when to hoard software flaws and when to disclose them is opaque and unaccountable to the American people. When our medical records, bank accounts and communications are on the line, we must ensure that we are adequately weighing the risks of withholding each vulnerability from the company that can patch it. I am proud to introduce the bipartisan PATCH Act to bring much-needed oversight, transparency and accountability to the Vulnerabilities Equities Process as a critical step to restoring trust and improving our cybersecurity.”
The U.S. government is one of the many stakeholders researching and finding “zero-day vulnerabilities,” which are flaws in technology that are unknown to the vendor. Until they are patched, these flaws can be exploited, making the technologies that we rely on every day less secure. Usually the U.S. government discloses these vulnerabilities to the vendor so they can be fixed, but sometimes it retains them and exploits them for national security purposes.
The PATCH Act codifies current government practices for reviewing vulnerabilities and designates the Department of Homeland Security as the chair of the interagency review board. The Board will ensure a consistent policy for how the government evaluates each vulnerability for disclosure or retention. The bill will also create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.
The PATCH Act has broad support from cybersecurity experts and advocacy organizations, including the Coalition for Cybersecurity Policy and Law, McAfee, Mozilla, the Information Technology and Innovation Foundation, New America's Open Technology Institute, and the Center for Democracy and Technology.
“The events of the past week underscore the importance of transparency and oversight in government handling of vulnerabilities. Governments must improve on the goal of getting vulnerability information to organizations capable of acting to protect security in a timely manner upon discovery. We support the goals of the PATCH Act and we look forward to working with Chairman Johnson and Senator Schatz as it moves forward in Committee,” the Coalition for Cybersecurity Policy and Law said in a statement.
“Every year the federal government discovers countless vulnerabilities in software and hardware products used by millions of American businesses and individuals. But instead of responsibly disclosing this information to the developers who can fix these flaws, the U.S. government will sometimes hoard these vulnerabilities to use against others. Without this information, these systems are left vulnerable to hackers who can wage cyberattacks against America and its allies. The PATCH Act is a critical step forward to reform this broken process. The legislation will bring needed transparency to the vulnerabilities equities process (VEP) and balance national security interests with economic interests. Moreover, disclosing vulnerabilities to companies in a timely manner will allow them to develop patches sooner and help keep the nation secure,” said Daniel Castro, Vice President of the Information Technology and Innovation Foundation.
“All governments have to balance national security interests with economic interests. In some cases governments have an interest in using certain vulnerabilities for intelligence gathering purposes to protect their national interests in ways that make it impossible to disclose. That said, we support the effort by Senators Schatz and Johnson to establish an equitable vulnerabilities review process. This will help facilitate the disclosure of previously unknown vulnerabilities. An improved process will help balance security and economic interests while also enhancing trust and transparency,” said Thomas Gann, Chief Public Policy Officer at McAfee.
“The PATCH Act includes key reforms to the VEP that Mozilla has called for, including codification in law to increase transparency and accountability. We look forward to working with Sen. Brian Schatz and Sen. Ron Johnson on the PATCH Act,” said Denelle Dixon, the Chief Legal and Business Officer for Mozilla.