New America’s Open Technology Institute (OTI) applauds today’s introduction of the Protecting Our Ability to Counter Hacking Act (also known as the PATCH Act), sponsored by Senators Brian Schatz (D-HI) and Ron Johnson (R-WI), and co-sponsored by Senator Corey Gardner (R-CO), and Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX).
The bipartisan, bicameral legislation would establish an independent “Vulnerability Equities Review Board,” to ensure that all software and hardware vulnerabilities in the federal government’s possession are reviewed, and the majority are disclosed to the public. The PATCH Act would codify and strengthen the existing Vulnerabilities Equities Process (VEP) – a secret interagency process established by the Obama White House to weigh the various equities supporting or opposing the disclosure of particular vulnerabilities – and addresses concerns that the current process is inconsistent, not transparent, and biased in favor of law enforcement and intelligence interests over cybersecurity and consumer protection interests.
The need for a stronger vulnerabilities process was hammered home during the massive ransomware attack of the past week, which relied in part on an exploit released by mysterious hacker group Shadow Brokers when it stole and published a huge cache of NSA hacking tools last year. If the NSA had disclosed the Microsoft Windows vulnerability underlying that exploit to Microsoft when it was first discovered, it’s possible that many of the banks, hospitals, telecommunications services, trains stations, and other critical entities across the world that were subject to the attack would have been better protected. OTI has been a strong supporter of legislative VEP reform, and attacks like this one illustrate how crucial it is that Congress directly address the issue.
The following statement can be attributed to Kevin Bankston, Director of New America’s Open Technology Institute:
“Every time the government stockpiles vulnerability information about widely-used software products for its own use, it leaves every user of that software open to attack by others—as the past week’s WannaCrypt attacks have demonstrated. The bipartisan PATCH Act would ensure that the weighty decision by the government about when to withhold a vulnerability for law enforcement or intelligence use, versus when to disclose it to the vendor so it can be patched, isn’t left to an ad hoc process convened at the Executive Branch’s discretion. Instead, it would codify what the White House claims it has had all along: a rigorous process, with all the key government stakeholders involved, that carefully considers the pros and cons of withholding the information and is strongly weighted in favor of disclosing it. OTI has been advocating for such reform around vulnerability disclosure for years, and we applaud Senators Schatz and Johnson for tackling this critical cybersecurity issue.”
The following statement can be attributed to Andi Wilson, Policy Analyst at New America’s Open Technology Institute:
“One of the most critical components of a strong vulnerabilities review process is that it apply to absolutely all vulnerabilities in the government’s possession, not just the ones that the intelligence community chooses to put into the process. The PATCH Act presents an opportunity to make vulnerabilities review consistent and transparent, assuring government stakeholders, companies, and the American people that a clear set of rules is being used to decide whether vulnerabilities should be disclosed. Given the very real cybersecurity concerns of nondisclosure, it is imperative that steps be taken to improve the process for vulnerabilities review, and legislation like the PATCH Act is crucial in establishing confidence and trust in that process. OTI strongly supports the PATCH Act sponsors' efforts to address the cybersecurity risk posed by government-stockpiled vulnerabilities, and thanks Senators Schatz and Johnson for their leadership on this issue.”