Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft’s chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.
Now, however, he has partial support from a bipartisan group of lawmakers: Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). Schatz announced yesterday that they had introduced the ‘Protecting Our Ability to Counter Hacking Act of 2017’ — the PATCH Act.
Its purpose is to establish a Vulnerability Equities Review Board with permanent members including the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the NSA, and the Secretary of Commerce — or in each case the designee thereof.
Its effect, however, will be to seek a compromise between the moral requirement for the government to disclose vulnerabilities (Microsoft’s Digital Geneva Convention), and the government’s political expediency in stockpiling vulnerabilities for national security and deterrence purposes.
In a statement issued yesterday, Schatz wrote, “Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy. This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”
The bill does not go so far as to mandate the disclosure of all government 0-day exploits to relevant vendors for patching, but instead requires the Vulnerability Equities Review Board to develop a consistent and transparent process for decision-making. It will create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.
It further requires that “The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known, subject such information to the process established.”
In this way, the Vulnerability Equities Review Board not only has oversight of all 0-day vulnerabilities held by the government agencies, it also maintains the controls “relating to whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the Federal Government to a non-Federal entity.” That is, whether the public interest requires the vendor be able to patch the vulnerability.
The proposal is already receiving wide approval. Frederick Humphries, Microsoft’s VP of US government affairs, tweeted, “We agree with the goals of the PATCH Act and look forward to working w-Sens @RonJohnsonWI @SenCoryGardner @brianschatz, Reps @farenthold @tedlieu to help prevent cyberattacks.”
Thomas Gann, chief public policy officer at McAfee, commented: “All governments have to balance national security interests with economic interests. In some cases, governments have an interest in using certain vulnerabilities for intelligence gathering purposes to protect their national interests in ways that make it impossible to disclose. That said, we support the effort by Senators Schatz and Johnson to establish an equitable vulnerabilities review process. This will help facilitate the disclosure of previously unknown vulnerabilities. An improved process will help balance security and economic interests while also enhancing trust and transparency.”
Megan Stifel, cybersecurity policy director at Public Knowledge, said, “We thank these legislators for leading this effort to foster greater transparency and accountability on the cybersecurity policy challenge of software and hardware vulnerabilities. We welcome this bill and similar efforts to enhance trust in the internet and internet-enabled devices.”