Congress introduces bill to stop US from stockpiling cyber-weapons

The bill would ensure that all software and hardware vulnerabilities in the US government's possession are properly reviewed in an effort to avoid a similar mass leak of NSA hacking tools and cyber-weapons.
Written by Zack Whittaker, Contributor

Several lawmakers from both parties introduced a bill Wednesday that aims to prevent another mass leak of government-owned hacking tools by requiring the government to submit the vulnerabilities in its arsenal to an independent review board, which would decide which of them should be disclosed to vendors so they can be fixed.

The bicameral bill introduced in Congress aims to scale back the government's vast bank of offensive cyber-weapons.

The Protecting Our Ability to Counter Hacking Act, or PATCH Act for short, would require the government to submit its stockpile of undisclosed zero-day vulnerabilities, which it uses to break into computers and networks for surveillance and intelligence gathering, to a newly established independent technical review board. Lawmakers hope the result will be that more secret hardware and software vulnerabilities are made public and fixed.

That would make America's overall cybersecurity health stronger, say the lawmakers.

"It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process," said Sen. Ron Johnson (R-WI), chairman of the Senate Homeland Security Committee.

The bill is also sponsored by Sen. Brian Schatz (D-HI), and co-sponsored by Sen. Cory Gardner (R-CO) and Reps. Ted Lieu (D-CA) and Blake Farenthold (R-TX).

The lawmakers are striking while the iron is hot, just days after a massive cyberattack that followed the National Security Agency (NSA) losing control of a batch of its cyberweapons, which allowed unknown attackers to infect hundreds of thousands of computers around the world with ransomware.

The attack was possible because the agency had found, retained, and kept secret the software vulnerabilities behind those tools so that it could exploit them for national security purposes, rather than reporting them to the vendor to be patched.

It is no secret that the US government (and its allies) does this.

Documents leaked by whistleblower Edward Snowden revealed that the agency exploits vulnerabilities it finds, and in some cases purchases them, in order to gather intelligence. The NSA, which carries out most of the government's electronic eavesdropping but is also charged with protecting the government's own cybersecurity, has previously said that it discloses nine out of ten vulnerabilities, but would not say whether it uses them first.

The rules for deciding whether a flaw is severe enough to disclose to those who can fix it remain mostly under wraps.

Those rules make up the vulnerabilities equities process (VEP), an interagency process that decides in secret whether a flaw should be retained for espionage or disclosed to the vendor so that it can be patched.

There's no time like the present to codify that VEP process into law while giving it oversight to ensure accountability and transparency, the lawmakers said.


"Last week's global WannaCry ransomware attack -- based on NSA malware -- was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security," said Lieu, in a statement.

"It also highlighted that our government's current decision-making process for when to hoard software flaws and when to disclose them is opaque and unaccountable to the American people," he added.

The introduction of the bill has so far received wide support.

Mozilla, the Firefox browser maker which has called for reforms after it was the target of government malware, said in a blog post that it supports the bill.

"The VEP remains shrouded in secrecy, and is in need of process reforms to ensure transparency, accountability, and oversight," said Denelle Dixon-Thayer, Mozilla's chief legal and business officer. "The PATCH Act includes many of the key reforms, including codification in law to increase transparency and accountability."

McAfee, the Coalition for Cybersecurity Policy and Law (which represents Microsoft, Symantec, and Intel, among others), the Center for Democracy and Technology, and New America's Open Technology Institute (OTI) all support the bill.

"Every time the government stockpiles vulnerability information about widely-used software products for its own use, it leaves every user of that software open to attack by others -- as the past week's WannaCrypt attacks have demonstrated," said Kevin Bankston, OTI director.

"The bipartisan PATCH Act would ensure that the weighty decision by the government about when to withhold a vulnerability for law enforcement or intelligence use, versus when to disclose it to the vendor so it can be patched, isn't left to an ad hoc process convened at the Executive Branch's discretion," he added.
