By Electronic Frontier Foundation (Reporter)
Congress’ Imperfect Start to Addressing Vulnerabilities

With the global and debilitating WannaCry ransomware attack dominating the news in recent weeks, it’s increasingly necessary to have a serious policy debate about disclosure and patching of vulnerabilities in hardware and software.

Although WannaCry takes advantage of a complex and collective failure in protecting key computer systems, it’s relevant to ask what the government’s role should be when it learns about new vulnerabilities. At EFF, we’ve been pushing for more transparency around the decisions the government makes to retain vulnerabilities and exploit them for “offensive purposes.”

Now, some members of Congress are taking steps towards addressing these decisions with the proposal of the Protecting Our Ability to Counter Hacking—or PATCH—Act (S.1157). The bill, introduced last week by Sens. Ron Johnson, Cory Gardner, and Brian Schatz and Reps. Blake Farenthold and Ted Lieu, is aimed at strengthening the government’s existing process for deciding whether to disclose previously unknown technological vulnerabilities it finds and uses, called the “Vulnerabilities Equities Process” (VEP).

The PATCH Act seeks to do that by establishing a board of government representatives from the intelligence community as well as more defensive-minded agencies like the Departments of Homeland Security and Commerce. The bill tasks the board with creating a new process to review and, in some cases, disclose vulnerabilities the government learns about.

The PATCH Act is a good first step in shedding some light on the VEP, but, as currently written, it has some shortcomings that would make it ineffective in stopping the kind of security failures that ultimately lead to events like the WannaCry ransomware attack. If lawmakers really want to deal with the dangers of the government holding on to vulnerabilities, the VEP must apply to classified vulnerabilities that have been leaked.

The VEP was established in 2010 by the Obama administration and was intended to require government agencies to collectively weigh the costs and benefits of disclosing these vulnerabilities to outside parties like software vendors instead of holding onto them to use for spying and law enforcement purposes.

Unfortunately, after EFF fought a long FOIA battle to obtain a copy of the written VEP policy document, we’ve learned that it went largely unused. In the meantime, agencies like the NSA and CIA suffered major thefts of their often incredibly powerful tools. In particular, the 2016 Shadow Brokers leak enabled outsiders to later develop the WannaCry ransomware using an NSA tool that the agency likened to “fishing with dynamite.”

Lawmakers should be commended for trying to codify and expand the existing process to ensure that the government is adequately considering these risks, and the PATCH Act is a welcome first step.

But there are two areas in particular where it needs to go further.

First, as described above, the current bill seems to overlook situations where the government loses control of vulnerabilities that it has decided to retain. As we’ve seen with the Shadow Brokers leaks, this is a very real possibility, one which even kept the NSA up at night, according to the Washington Post. Yet the PATCH Act specifically states that a classified vulnerability will not be considered “publicly known” if it has been “inappropriately released to the public.” That means that a stolen NSA tool can be circulating widely among third parties without triggering any sort of mandatory reconsideration of disclosure to a vendor to issue a patch. While it might be argued that other provisions of the bill implicitly account for this scenario, we’d like to see it addressed explicitly.

In addition to overlooking situations like the WannaCry ransomware attack, the bill excludes cases where the government never actually acquires information about a vulnerability and instead contracts with a third party for a “black box exploit.”

For example, in the San Bernardino case, the FBI reportedly paid a contractor a large sum of money to unlock an iPhone without ever learning details of how the exploit worked. Right now, the government apparently believes it can contract around the VEP in this way. This raises concerns about the government’s ability to adequately assess the risks of using these vulnerabilities, which is why a report written by former members of the National Security Council recommended prohibiting non-disclosure agreements with third parties entirely. At the very least, we’d like to see the bill bring more transparency to the use of vulnerabilities even when the government itself doesn’t acquire knowledge of the vulnerability.

We hope to see the bill’s authors address these concerns as it moves forward to ensure that all of the vulnerabilities known to the government are reviewed and, where appropriate, disclosed.


Source: https://www.eff.org/deeplinks/2017/05/congress-imperfect-start-addressing-vulnerabilities
