In mid-May 2017, Fortune 500 companies including FedEx, governmental entities including the British National Health Service (NHS), and numerous other individuals, governments, and private entities were caught up in a cyberattack built on ransomware called “WannaCry.” WannaCry encrypted the files on an infected machine and demanded a ransom, payable in bitcoin (a cryptocurrency), in exchange for the key needed to recover them. According to reports at the time, many users were given six hours to pay, with the ransom amount increasing every hour that a user refused. Because the malware also spread from machine to machine across a network without any action by the user, a single infected host could compromise an entire organization.
The distributors of WannaCry used exploit code taken from the National Security Agency (NSA) and published by a third party to attack a weakness in the file-sharing service of certain versions of Microsoft Windows. The NSA and other agencies routinely research software for exploitable flaws and build tools to take advantage of them, often in pursuit of the same bad actors who do likewise. When an agency discovers such a flaw, a process called the “vulnerabilities equities process” or “VEP” governs whether the government discloses it to the vendor so that it can be fixed or retains it for intelligence and law-enforcement use. The VEP is an executive-branch policy, however, and current law does not require the NSA to inform the software vendor about the flaws it finds. The Windows flaw exploited by WannaCry was one the NSA had discovered and retained rather than reported. Microsoft had issued a fix for it roughly two months before the attack, after the exploit's pending release became known, but many organizations had not yet applied the update. In a blog post, Microsoft President and Chief Legal Officer Brad Smith criticized the U.S. government for “stockpiling” these vulnerabilities instead of reporting them to vendors.
Microsoft’s CLO was not the only person disturbed by the NSA’s failure to disclose the vulnerability. In response to the WannaCry attack, several members of the House and Senate introduced a bipartisan bill titled the “Protecting Our Ability To Counter Hacking (PATCH) Act.” The PATCH Act would create an interagency review board to assess the vulnerabilities discovered by government agencies and determine whether the government retains a given vulnerability for its own use or warns private actors about the flaw in their systems. Permanent members of this board would include the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the National Security Agency, and the Secretary of Commerce, with the heads of certain other federal agencies included as ad hoc members. In deciding whether to disclose a vulnerability, the board would consider, among other things: (1) the technologies and services subject to the vulnerability and whether those technologies are used in core Internet infrastructure; (2) the risks of leaving the vulnerability unpatched; (3) the harm if an adversary learned of the vulnerability; (4) whether the government could detect another party exploiting the vulnerability; (5) whether the vulnerability is needed for an ongoing intelligence operation; (6) the risks the vulnerability poses with respect to foreign countries; and (7) whether the vulnerability can be mitigated by means other than a patch. The Act would also require reports to Congress, at least annually, detailing the frequency of the board's meetings, the number of vulnerabilities it determined could be disclosed, and the number it determined should be retained.
This bill, supported by various privacy groups and private actors including the Coalition for Cybersecurity Policy and Law, would, if enacted, require the Federal Government to at least consider how its practice of retaining and exploiting flaws in an increasingly connected universe of information technologies could affect private enterprise and consumers. The Federal Government has shown that it has the resources to discover and exploit vulnerabilities in technology systems. Disclosing those vulnerabilities to vendors so that they can be patched is only the first step, however: the WannaCry flaw had been fixed before the attack, and it was unpatched systems that fell victim. Cooperation between the government and private enterprise to report flaws, and diligence by organizations in applying the resulting fixes, may spare many entities another “WannaCry” event in the future.