In the wake of the high-profile WanaCryptor ransomware attack, a bipartisan group of elected officials from both Congressional Houses have introduced the Protecting our Ability To Counter Hacking (PATCH) Act to improve cybersecurity and transparency at the federal level.
The legislation was offered by U.S. Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). The bill is intended to boost cybersecurity and increase transparency for retaining or disclosing vulnerabilities in technology products, services, applications and systems, according to a joint statement from the legislators.
The Patch Act creates an intra-agency review board, which will be chaired by the Department of Homeland Security, with one of its guiding principles being to ensure consistent policies are followed when the government evaluates vulnerabilities for disclosure and retention.
“The Board will ensure a consistent policy for how the government evaluates vulnerability for disclosure and retention. The bill will also create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process,” the statement said.
“It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process,” Johnson said.
The bipartisan group said the act is supported by a plethora of companies and cybersecurity organizations, including the Coalition for Cybersecurity Policy and Law, McAfee, Mozilla, the Information Technology and Innovation Foundation, New America's Open Technology Institute, and the Center for Democracy and Technology.
“The PATCH Act includes key reforms to the [the government's Vulnerabilities Equities Process (VEP)] that Mozilla has called for, including codification in law to increase transparency and accountability. We look forward to working with Sen. Brian Schatz and Sen. Ron Johnson on the PATCH Act,” said Denelle Dixon, Mozilla's chief legal and business officer.
The Patch Act will also play a role in transparency and accountability with the additional task of boosting the public trust in the government when it comes to cybersecurity.
“Last week's global WannaCry ransomware attack – based on NSA malware – was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security,” Lieu said, “It also highlighted that our government's current decision-making process for when to hoard software flaws and when to disclose them is opaque and unaccountable to the American people.”