PATCH Act to Increase Transparency of “Zero-Day Vulnerabilities” Introduced in Congress

(May 23, 2017 – Jennifer Ortega) On May 17, a bipartisan group in Congress introduced the Protecting our Ability to Counter Hacking (PATCH) Act, which would add transparency to the U.S. government’s process for disclosing flawed or vulnerable computer code found in a commercial product, service, application, or system. The bill was introduced by Senators Brian Schatz (D-HI), Ron Johnson (R-WI), and Cory Gardner (R-CO) as well as Representatives Ted Lieu (D-CA) and Blake Farenthold (R-TX).

The federal government researches and finds “zero-day vulnerabilities,” which are security flaws in commercial technologies that are unknown to vendors. The government usually discloses these flaws to the vendor so the flaw can be patched, but on occasion, the government retains the information to later exploit the flaw for national security purposes. The process of deciding how to move forward once a vulnerability is discovered is known as the Vulnerabilities Equities Process, or VEP. This practice recently became more widely known after 300,000 computers were affected worldwide by the WannaCry ransomware attack in April, an event in which hackers distributed ransomware that exploited leaked computer code originally held by the National Security Agency (NSA).

The PATCH Act codifies the VEP and the government’s role in researching and finding zero-day vulnerabilities. The bill also establishes an interagency review board to be chaired by the Department of Homeland Security. This board would be responsible for ensuring consistent policy on how the federal government evaluates zero-day vulnerabilities and discloses or retains the information it finds. The bill would make it mandatory for agencies to submit information about the vulnerabilities they collect to the board, which in turn must consider whether to recommend to the Secretary of Homeland Security that a vulnerability be subsequently disclosed to a non-federal entity (e.g., the relevant commercial provider). This represents a substantial change from the current voluntary disclosure process.

As Senator Schatz (Ranking Member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet) explained, “Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

Jen Ortega serves as a consultant to EDUCAUSE on federal policy and government relations. She has worked with EDUCAUSE since 2013 and assists with monitoring legislative and regulatory proposals across a range of policy areas, including cybersecurity, data privacy, e-learning, and accessibility.