Vulnerabilities Equities Process may be law with PATCH Act

The bipartisan PATCH Act aims to codify the Vulnerabilities Equities Process into law in the wake of a global ransomware attack based on a stolen NSA cyberweapon.

The Vulnerabilities Equities Process has a pathway into becoming a law with the backing of a bipartisan group of senators, as well as technology companies such as Mozilla.

The Protecting Our Ability to Counter Hacking (PATCH) Act was introduced Wednesday by Sens. Brian Schatz (D-Hawaii) and Ron Johnson (R-Wis.), and co-sponsored by Sen. Cory Gardner (R-Colo.) and U.S. Reps. Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas) in the wake of the global WannaCry ransomware outbreak that was based on an NSA cyberweapon.

The PATCH Act would create a Vulnerabilities Equities Process Review Board tasked with determining "whether, when, how, to whom, and to what degree" a vulnerability held by a government entity might be disclosed to a non-government entity. Permanent members of the review board would include: the secretary of Homeland Security (also the chairperson); the secretary of Commerce; the director of National Intelligence; and the directors of the FBI, CIA and NSA.

"As we've seen in recent days with the worldwide ransomware attack, the continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America's networks and information," Sen. Johnson said in a statement. "It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process."

Jeremiah Grossman, chief of security strategy at SentinelOne, said finding the right balance between vulnerability disclosure and national security is "one that's confounded a number of security professionals and policymakers for the last couple years."

"The fact of the matter is, the NSA isn't in the business of helping Microsoft protect its software, or anyone's software for that matter," Grossman told SearchSecurity. "It'd be great to find a way for the various government agencies with cyberweapons to give the private sector a heads up, when they know something is in the wild, but it's never going to be a process we can depend upon. We're on our own here."

Mozilla, which has long supported the idea of codifying into law the Vulnerabilities Equities Process, already sent a letter to Congress in support of the PATCH Act.

Denelle Dixon, chief legal and business officer at Mozilla, said finding the right balance was about "holistic situational analysis."

"This is less about red lines than it is about a holistic situational analysis. It's important to have established factors that the government considers to make sure that all interests and risks are taken into account, which the PATCH Act does," Dixon told SearchSecurity. "We've seen how quickly factors like 'Does a foreign adversary or criminal organization know about this vulnerability?' can change, which is why we also welcome the PATCH Act's requirements for regular periodic reviews of all of the vulnerabilities that the government knows about."

Rep. Lieu said codifying the Vulnerabilities Equities Process into law was important because "one nation's cyberweapon is everyone else's vulnerability, from governments to businesses to consumers."

"Last week's global WannaCry ransomware attack -- based on NSA malware -- was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security. It also highlighted that our government's current decision-making process for when to hoard software flaws and when to disclose them is opaque and unaccountable to the American people," Lieu said in a statement. "When our medical records, bank accounts and communications are on the line, we must ensure that we are adequately weighing the risks of withholding each vulnerability from the company that can patch it."

Andi Wilson, policy analyst at New America's Open Technology Institute, said the critical component of the Vulnerabilities Equities Process should be that "it apply to absolutely all vulnerabilities in the government's possession, not just the ones that the intelligence community chooses to put into the process."

"The PATCH Act presents an opportunity to make vulnerabilities review consistent and transparent, assuring government stakeholders, companies, and the American people that a clear set of rules is being used to decide whether vulnerabilities should be disclosed," Wilson wrote. "Given the very real cybersecurity concerns of nondisclosure, it is imperative that steps be taken to improve the process for vulnerabilities review, and legislation like the PATCH Act is crucial in establishing confidence and trust in that process."

Hitesh Sheth, CEO of Vectra Networks, said enterprises should not expect the PATCH Act and Vulnerabilities Equities Process to solve their issues and "shouldn't rely on the government to significantly alter its practices."

"While disclosing vulnerabilities will improve the overall cybersecurity posture of the U.S., it will also diminish the effectiveness of cyberespionage campaigns being conducted abroad. The intelligence community will be resistant to any policy changes that undermine their capabilities, meaning this legislation is likely to face significant resistance," Sheth told SearchSecurity. "Instead of relying on government intervention, companies must continue to invest in smarter security solutions that can offer protection against both known and unknown vulnerabilities. These investments, coupled with regular software updates and patching, are your best defense in an increasingly unpredictable threat landscape."

Dixon said securing the internet is a shared responsibility between companies, governments and users.

"If the government has exploits that have been compromised, [it] must disclose them to tech companies before those vulnerabilities can be used widely and put users at risk," Dixon wrote in a blog post. "The lack of transparency around the government's decision-making processes here means that we should improve and codify the Vulnerabilities Equities Process in law."
