Companies could gain greater visibility into hidden cyber vulnerabilities like the one exploited in the recent massive “WannaCry” ransomware attack if the members of Congress who introduced the PATCH Act last week get their way.
Introduced last week just days after the attack, which hit organizations in about 150 countries, the bipartisan Protecting our Ability To Counter Hacking (PATCH) Act seeks to make “zero-day vulnerabilities” exploited by the U.S. government more transparent to the private sector.
Companies need to know their exposure to malware to defend their systems against attacks by hackers who have breached the National Security Agency and other government bodies and obtained cyber weapons to use against corporate systems, the bill’s sponsors suggest.
“It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests,” said Wisconsin Sen. Ron Johnson, a Republican sponsor of the legislation.
The bill would formalize an informal policy, called the Vulnerabilities Equities Process, according to which the government decides “whether to disclose a software vulnerability to the software manufacturer, or instead to keep it secret,” Rep. Ted Lieu, a California Democrat and one of the bill’s sponsors, said in a press release. “Currently the Vulnerabilities Equities Process is not transparent and few people understand how the government makes these critical decisions.”
In place of the process, the bill would establish an 18-member Vulnerability Equities Review Board including the Secretary of Homeland Security, the director of the FBI, and the Director of National Intelligence or their designees. The board would set policies on “whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the federal government to a non-federal entity.”
If the policies established are unclassified, the board would report them to the public.
In the WannaCry attack, the hackers spread ransomware by using a stolen piece of malware, reportedly developed by the National Security Agency, to exploit a vulnerability in the Microsoft Windows operating system, according to the Los Angeles Times. The Windows flaw, which could only affect older systems, wasn’t itself a zero-day vulnerability because Microsoft had previously issued a warning about it.
So called because software developers have had zero days to “patch,” or fix, the flaws once they are discovered, such previously unknown vulnerabilities can be used to fuel ransomware and other types of cyberattacks. Knowledge of zero-day vulnerabilities is bought and sold by highly skilled software criminals in what amounts to a lucrative black market.
But the U.S. government also sometimes discovers or buys “zero days.” “Usually the U.S. government discloses these vulnerabilities to the vendor so they can be fixed, but sometimes it retains them and exploits them for national security purposes,” said Sen. Bill Schatz, a Hawaii Democrat and one of the bill’s sponsors, in a statement.
In 2013, the Washington Post reported that the NSA secretly spent more than $25 million to buy “‘software vulnerabilities’ from private malware vendors.”
The Trump Administration has sought to defend the NSA, according to The Financial Times. “This was not a tool developed by the NSA to hold ransom data,” Tom Bossert, Homeland Security adviser to President Donald Trump, told the newspaper.