PATCH Act: A New Bill Designed to Prevent Occurrences Like WannaCrypt

Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft’s chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.

Now, however, he has partial support from a bi-partisan group of lawmakers: Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). Schatz announced yesterday that they had introduced the ‘Protecting Our Ability to Counter Hacking Act of 2017’ — the PATCH Act.

Its purpose is to establish a Vulnerability Equities Review Board with permanent members including the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the NSA, and the Secretary of Commerce — or in each case the designee thereof.

Its effect, however, will be to seek a compromise between the moral case for government disclosure of vulnerabilities to vendors (the position Microsoft advances in its proposed Digital Geneva Convention) and the political expediency of stockpiling vulnerabilities for national security and deterrence purposes.

In a statement issued yesterday, Schatz wrote, “Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy. This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

The bill does not go so far as to mandate the disclosure of all government-held 0-day vulnerabilities to the relevant vendors for patching; instead it requires the Vulnerability Equities Review Board to develop a consistent and transparent process for making that decision case by case. It would create new oversight mechanisms to improve transparency and accountability, with the aim of enhancing public trust in the process.

It further requires that “The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known, subject such information to the process established.”


In this way, the Vulnerability Equities Review Board would not only have oversight of all 0-day vulnerabilities held by federal agencies; it would also control the decisions “relating to whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the Federal Government to a non-Federal entity.” That is, the board decides whether the public interest requires that the vendor be informed and so be able to patch the vulnerability.

The proposal is already receiving wide approval. Frederick Humphries, Microsoft’s VP of US government affairs, tweeted, “We agree with the goals of the PATCH Act and look forward to working w-Sens @RonJohnsonWI @SenCoryGardner @brianschatz, Reps @farenthold @tedlieu to help prevent cyberattacks.”

Thomas Gann, chief public policy officer at McAfee, commented: “All governments have to balance national security interests with economic interests. In some cases, governments have an interest in using certain vulnerabilities for intelligence gathering purposes to protect their national interests in ways that make it impossible to disclose. That said, we support the effort by Senators Schatz and Johnson to establish an equitable vulnerabilities review process. This will help facilitate the disclosure of previously unknown vulnerabilities. An improved process will help balance security and economic interests while also enhancing trust and transparency.”

Megan Stifel, cybersecurity policy director at Public Knowledge, said, “We thank these legislators for leading this effort to foster greater transparency and accountability on the cybersecurity policy challenge of software and hardware vulnerabilities. We welcome this bill and similar efforts to enhance trust in the internet and internet-enabled devices.”

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
