After WannaCry, Senators want policy on vulnerability disclosures

The Senate has introduced legislation to address evaluating and disclosing vulnerabilities in the wake of the international WannaCry ransomware attacks.

The Protecting our Ability To Counter Hacking, or PATCH, Act — introduced by Sens. Ron Johnson, R-Wis., and Brian Schatz, D-Hawaii — is a bipartisan bill that calls for codifying current government practices for reviewing the potential risks and rewards of revealing software exploits and that designates the Department of Homeland Security as the chair of the interagency review board.

The PATCH Act is intended to direct how, when and where information on vulnerabilities should be shared or released between public and private entities. It promotes cybersecurity transparency and accountability between government agencies, vendors and consumers of technology products, services, applications and systems, while taking into account when the vulnerability can provide intelligence.

“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” said Sen. Schatz in a news release. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

Clarifying a government process for the researching, retaining and disclosing of zero-day vulnerabilities has garnered broad support from cybersecurity experts and organizations, including the Coalition for Cybersecurity Policy and Law, McAfee, Mozilla, New America’s Open Technology Institute, the Center for Democracy and Technology and the Information Technology and Innovation Foundation.

In a press statement, Daniel Castro, ITIF vice president, celebrated the responsible, timely disclosure of software flaws that could lead developers to more quickly strengthen defenses against cyberattacks.

“The PATCH Act is a critical step forward to reform this broken process,” he said. “The legislation will bring needed transparency to the vulnerabilities equities process and balance national security interests with economic interests.”