How to Cure What Ails American Cybersecurity
In the wake of the recent WannaCry ransomware attacks, cybersecurity has once again catapulted into the policy limelight. But the world is just now coming to terms with its implications. The impact of the attacks was felt by individuals, firms, and government agencies across the globe. It now falls to policymakers to start taking the threats from nefarious cyberspace actors seriously. Fortunately, two senators have proposed a bill that does just that.
Sens. Ron Johnson (R-WI) and Brian Schatz (D-HI) introduced the “Protecting Our Ability to Counter Hacking” (PATCH) Act. This bill would codify the government’s process of disclosing exploitable zero-day software vulnerabilities in law, while adding a number of mechanisms to streamline notifications to vendors whose software is impacted by declassified disclosures. This is an important step towards ensuring the integrity of America’s digital ecosystem — for consumers, industry, and national security stakeholders.
Zero-day vulnerabilities are software bugs that have had “zero days” to be patched by developers and for consumers to install. These security weaknesses can be discovered in any number of ways, including “white-hat hackers” intent on revealing vulnerabilities for the public good, hackers intending to sell bugs to interested buyers, or intelligence agencies seeking new avenues for conducting surveillance. Exploits discovered by the intelligence community are of particular note because the government has an established protocol for divulging their release: the Vulnerabilities Equities Process (VEP).
The VEP is the mechanism by which the government determines whether and how it discloses previously unknown security vulnerabilities to companies. In 2014, Michael Daniel, the former White House Cybersecurity Coordinator, discussed how the disclosure process works in practice. The question of which vulnerabilities are revealed ultimately revolves around whether the consumer protection benefits for users and companies outweigh the transparency costs for intelligence agencies. Writing over at Lawfare at the time, Jack Goldsmith noted that “this is a very tricky tradeoff to manage.” In a Belfer Center report on this issue, Ari Schwartz and Rob Knake discussed similar difficulties in balancing these tradeoffs.
However one views the particulars, there is broad agreement on one fundamental principle: The VEP is a necessary part of a broader cybersecurity strategy. Unfortunately, the VEP is little more than an administration policy and is not required to exist by federal statute.
By turning the current VEP policy into a law, the PATCH Act ensures a continuity of policy across administrations. That certainty is necessary to ensure a stable and consistent approach to a key facet of federal cybersecurity policy. It also embraces the necessary TAO (transparency, accountability, and oversight) of surveillance reform, carefully balancing intelligence-gathering operations and the individual security needs of consumers.
Cybersecurity is not just the purview of the federal government. It also requires empowering companies to patch their systems. A secure America requires companies and government to work together as partners, not adversaries. The PATCH Act does all of this, and is an excellent step toward ensuring responsible, timely, and effective disclosure of potentially serious zero-day exploits in software code. While it won’t cure all that ails federal cybersecurity practices, the act would be far more effective than other proposals, such as requiring reports, structural organizational analysis, or “risk management” strategies.
Sens. Johnson and Schatz should be applauded for their leadership on this issue. This bill comes at an important juncture in the debate over how the government can best tailor its cybersecurity policy to meet the security needs of all Americans. The PATCH Act is a first — but significantly positive — step down the right path.
It’s time for Congress to pass legislation that formalizes the process for disclosing software vulnerabilities. Executive orders can be rescinded at any time, which means that any headway made towards a better, more transparent disclosure process could be lost at any moment. The PATCH Act, by contrast, will enshrine these disclosure processes in law. The sooner this bill passes, the sooner Americans’ digital lives can be better secured.
Ryan Hagemann is the director of technology policy at the Niskanen Center.