After last week’s massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but the incident still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.
A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.
The law would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the board’s activities.
A version of the government’s process, known as the “vulnerabilities equities process,” has been in place for some time, although its exact details are unclear. A version of the board already exists, but some have criticized the process as opaque, and a law would go some way toward binding the federal government to the system.
The NSA most famously faced criticism for its exploit process in 2014, when Bloomberg reported that the agency had exploited the “Heartbleed” bug, which exposed vulnerabilities in devices around the world. (The agency denied the report.) Microsoft obliquely criticized the US after the WannaCry ransomware attack last week, calling the incident a “wake-up call” about vulnerability “hoarding.”