Bill Aims to Clarify When and How the Government Discloses Software Vulnerabilities


The Protecting our Ability To Counter Hacking, or PATCH, Act, is an effort to balance “national security and general cybersecurity,” said a senator.

On the heels of a major ransomware attack that first plagued the national health service in Britain and then spread globally, U.S. lawmakers want to codify the process by which the government shares newly discovered vulnerabilities with software vendors and the public.

A bipartisan group of senators introduced a bill that directs federal leaders to come up with a more transparent process for determining when those vulnerabilities should be disclosed. The process would consider how damaging the vulnerabilities would be if exploited by criminals and foreign intelligence, and the potential consequences for vendors and consumers who could be targeted.

The Protecting our Ability To Counter Hacking, or PATCH, Act, is an effort to balance “national security and general cybersecurity,” Sen. Brian Schatz, D-Hawaii, part of a group that introduced the bill, said in a statement.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The legislation would establish a Vulnerability Equities Review Board responsible for outlining policies on “whether, when, how, to whom and to what degree information about a vulnerability that is not publicly known should be shared or released by the federal government to a non-federal entity,” the text said.

The recent ransomware incident, known as the WannaCry attack and which reportedly made use of a vulnerability held by the National Security Agency, highlights a need to “combine public and private efforts” and point out software bugs to vendors as soon as possible, Sen. Ron Johnson, R-Wis., who also introduced the bill, said in a statement.

The law appears to continue the Obama administration’s approach to making disclosure decisions, which also considered the tradeoffs between “prompt disclosure” and “withholding knowledge of some vulnerabilities for a limited time can have significant consequences,” then-cybersecurity coordinator Michael Daniel wrote in a 2014 White House blog post. That post was written shortly after NSA tweeted in 2014 it was unaware of the Heartbleed vulnerability,

“Disclosing a vulnerability can mean that we forego an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks,” Daniel wrote. The decision to disclose, he wrote, involved weighing the following questions:

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

According to former White House officials, the previous administration would often opt for disclosure in cases in which criminals or foreign actors could use that vulnerability or if its exploitation would be dangerous for consumers. They also said they stored less than 10 percent of zero-day exploits they found.

Under the PATCH Act, the review board would consider many of the questions Daniel mentioned. The legislation also directs the board—whose permanent members would include designees of the Homeland Security Department, the FBI, the CIA, the Office of the Director of National Intelligence, the Commerce Department and NSA—to submit its policies to the president and to Congress. Personnel from the State, Treasury and Energy departments and the Federal Trade Commission would be involved on an ad hoc basis.

After the WannaCry incident was reported, Homeland Security Adviser Tom Bossert noted the U.S. is “extremely careful with their processes of how they handle any vulnerabilities they’re aware of."

He also emphasized that the malware was “not a tool developed by the NSA to hold ransom data," though he neither confirmed nor denied that the NSA had exploited that vulnerability.