Feds may have to explain knowledge of security holes – if draft law comes into play

The US House of Representatives this week approved a bill that, given further legislative and executive branch support, will require the American government to account for its handling of software and hardware vulnerabilities.

The "Cyber Vulnerability Disclosure Reporting Act," sponsored by Rep Sheila Jackson Lee (D-TX), requires the Department of Homeland Security to issue "a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures."

The US government has not provided much detail about how it handles vulnerabilities that it becomes aware of, and advocacy organizations like the Electronic Frontier Foundation argue that more transparency is needed to debate the consequences of vulnerability research and disclosure.

"Perhaps the best thing about this short bill is that it is intended to provide some evidence for the government’s long-standing claims that it discloses a large number of vulnerabilities," said EFF attorneys Nate Cardozo and Andrew Crocker in a blog post on Friday.

The US National Security Agency has said it discloses most of the vulnerabilities it finds, more or less.

"Historically, the NSA has released more than 91 per cent of vulnerabilities discovered in products that have gone through our internal review process and are made or used in the United States," the agency said on its website in 2015, or so the Internet Archive's Wayback Machine would have us believe.

The remainder, the NSA said, are either fixed by vendors before disclosure or are retained for national security reasons.

But Cardozo and Crocker insist evidence of such disclosures has been scarce, noting that Apple received its first vulnerability disclosure from the government in 2016.

When vulnerabilities are not disclosed in a timely manner, one of the risks is that they will be revealed by hackers, as the Shadow Brokers did with the NSA's stockpile of flaws and related hacking tools. Another is that they will be independently discovered by those with malicious intent and used prior to public disclosure.

The Trump Administration's approach to the issue involves a revision of the Vulnerabilities Equities Process (VEP), a classified policy put in place in 2010 and revealed several years later that attempts to balance the tension between cyber offense and defense requirements.

The 2017 revision offers an updated take on how government agencies should decide what gets revealed and what stays secret.

The Cyber Vulnerability Disclosure Reporting Act doesn't really overlap with VEP, but if it survives the remaining legislative hurdles, it will ensure basic information about vulnerability handling gets circulated to lawmakers. ®