The Senate Intelligence Committee’s annual intelligence bill is taking aim at the process by which the federal government discloses cyber vulnerabilities.
The bill, which passed in the committee at the end of July by a vote of 14-1, calls for the head of each element of the intelligence community to submit a report to Congress detailing the process and criteria used to determine whether to submit a vulnerability for review under the vulnerabilities equities process.
The vulnerabilities equities process was established by the Obama administration and is a process by which the government discloses certain vulnerabilities discovered by both the public and private sectors in the name of cybersecurity for all. The government retains sets of discovered exploits or vulnerabilities, in some cases zero-day vulnerabilities, as a means of collecting intelligence against certain targets. Legislation has been introduced to codify the vulnerabilities equities process, as it is merely policy.
The Protecting our Ability To Counter Hacking, or PATCH, Act is a bipartisan bill to address issues of cybersecurity transparency and accountability that arise from researchers hoarding zero-day software vulnerabilities that can impact government agencies, vendors and customers.
The reports submitted to Congress as outlined in the Senate Intelligence Committee’s bill would be unclassified but may include classified annexes.
Additionally, no less than once each year, the bill directs the director of national intelligence to submit a report detailing how many vulnerabilities the intelligence community submitted for review during the previous calendar year; how many vulnerabilities were disclosed to vendors responsible for correcting it; and vulnerabilities disclosed since the previous report that have either been patched or mitigated by the vendor or have not been patched or mitigated after a period of 180 days since the vulnerability was disclosed.
Similarly, the House Intelligence Committee’s annual intelligence bill calls for reports on cyber vulnerabilities.
Several high-profile global cyber incidents allegedly leveraging stolen vulnerability stockpiles of the National Security Agency have created an uproar of sorts. The government retains sets of discovered exploits or vulnerabilities, in some cases zero days, as a means of collecting intelligence against certain targets. Experts as well as current and former officials maintain such hording of vulnerabilities is critical to keeping the nation safe for spying purposes, while civil libertarians and private sector IT companies believe the hording of exploits creates a dangerous environment.
The Senate Intelligence Committee’s bill also addresses bug bounties within the government, a relatively new undertaking familiar to Silicon Valley and private sector companies that incentivize the discovery and disclosure of cyber vulnerabilities within company systems.
The Department of Defense instituted a bug bounty program called Hack the Pentagon, with the Army and Air Force following suit.
The Senate Intelligence Committee’s bill requires the undersecretary for intelligence and analysis of the Department of Homeland Security to submit a report on a strategic plan to implement bug bounty programs at appropriate agencies within the government.
The report must also include assessments of the effectiveness of Hack the Pentagon, private sector bug bounty programs, and recommendations on the feasibility of initiating bug bounty programs at appropriate agencies and departments within the government.