Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

PATCH Act: A New Bill Designed to Prevent Occurrences Like WannaCrypt

Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft’s chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.

Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft’s chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.

Now, however, he has partial support from a bi-partisan group of lawmakers: Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). Schatz announced yesterday that they had introduced the ‘Protecting Our Ability to Counter Hacking Act of 2017’ — the PATCH Act.

Its purpose is to establish a Vulnerability Equities Review Board with permanent members including the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the NSA, and the Secretary of Commerce — or in each case the designee thereof.

Its effect, however, will be to seek a compromise between the moral requirement for the government to disclose vulnerabilities (Microsoft’s Digital Geneva Convention), and the government’s political expediency in stockpiling vulnerabilities for national security and deterrence purposes.

In a statement issued yesterday, Schatz wrote, “Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy. This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

The bill does not go so far as to mandate the disclosure of all government 0-day exploits to relevant vendors for patching, but instead requires the Vulnerability Equities Review Board to develop a consistent and transparent process for decision-making. It will create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.

It further requires that “The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known, subject such information to the process established.”

In this way, the Vulnerability Equities Review Board not only has oversight of all 0-day vulnerabilities held by the government agencies, it also maintains the controls “relating to whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the Federal Government to a non-Federal entity.” That is, whether the public interest requires the vendor be able to patch the vulnerability.

Advertisement. Scroll to continue reading.

The proposal is already receiving wide approval. Frederick Humphries, Microsoft’s VP of US government affairs, tweeted, “We agree with the goals of the PATCH Act and look forward to working w-Sens @RonJohnsonWI @SenCoryGardner @brianschatz, Reps @farenthold @tedlieu to help prevent cyberattacks.”

Thomas Gann, chief public policy officer at McAfee, commented: “All governments have to balance national security interests with economic interests. In some cases, governments have an interest in using certain vulnerabilities for intelligence gathering purposes to protect their national interests in ways that make it impossible to disclose. That said, we support the effort by Senators Schatz and Johnson to establish an equitable vulnerabilities review process. This will help facilitate the disclosure of previously unknown vulnerabilities. An improved process will help balance security and economic interests while also enhancing trust and transparency.”

Megan Stifel, cybersecurity policy director at Public Knowledge, said, “We thank these legislators for leading this effort to foster greater transparency and accountability on the cybersecurity policy challenge of software and hardware vulnerabilities. We welcome this bill and similar efforts to enhance trust in the internet and internet-enabled devices.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.