US intelligence can’t break vulnerability hoarding habit
Vulnerabilities: keep them secret as a weapon against the bad guys or tell the world so we can all get patched? Continue reading US intelligence can’t break vulnerability hoarding habit
Category Archives: PATCH Act
Should governments keep vulnerabilities secret?
The ‘secret vulnerability stash’ debate rages on. Continue reading Should governments keep vulnerabilities secret?
Bill reforming NSA hacking policy has skeptics in White House
The Trump administration has concerns about a proposed reform of the policy process the U.S. government uses when deciding how to handle newly discovered software vulnerabilities known as zero days, White House Cybersecurity Coordinator Rob Joyce told a meeting of tech leaders in Boston this week. The vulnerability equities process, or VEP, is how government officials decide whether to disclose such flaws to the software manufacturer, so they can be patched and all users made safe; or to secretly keep it and use it to spy on U.S. adversaries. Former officials said the process needs overhauling and lawmakers dropped a bill to codify it — the Protecting our Ability To Counter Hacking, or PATCH, Act. The bill would codify the VEP into law, establishing a review board that would publish guidelines explaining the basis for its decisions. Joyce, addressing the launch of CyberMA, a Massachusetts affiliate of the national CyberUSA initiative on Monday, said Trump administration officials were engaging with […]
The post Bill reforming NSA hacking policy has skeptics in White House appeared first on Cyberscoop.
Continue reading Bill reforming NSA hacking policy has skeptics in White House
Should the government stockpile zero day software vulnerabilities?
Storm clouds are rising over the U.S. government’s policy on software flaw disclosure after the massive WannaCry infection spread using a cyberweapon developed by the NSA, and even former agency leaders say it might be time to take a fresh look at the Vulnerability Equities Process. Under the VEP, U.S. officials weigh the benefits of disclosing a newly discovered flaw to the manufacturer — which can issue a patch to protect customers — or having the government retain it for spying on foreign adversaries who use the vulnerable software. The process has always had a bias toward disclosure, former federal officials said. “We disclose something like 90 percent of the vulnerabilities we find,” said Richard Ledgett, who retired April 28 as the NSA’s deputy director. “There’s a narrative out there that we’re sitting on hundreds of zero days and that’s just not the case,” he told Georgetown University Law Center’s annual cybersecurity law institute. […]
The post Should the government stockpile zero day software vulnerabilities? appeared first on Cyberscoop.
Continue reading Should the government stockpile zero day software vulnerabilities?
PATCH Act Calls for VEP Review Board
The PATCH Act proposes the formation of a review board that would formalize and make transparent the processes by which the government determines whether it will use or disclose a zero-day vulnerability. Continue reading PATCH Act Calls for VEP Review Board
Lawmakers introduce bill to shine spotlight on government hacking stockpile
A bipartisan bill introduced in Congress Wednesday aims to add transparency to a controversial oversight framework currently used by federal agencies known as the Vulnerabilities Equities Process. The legislation, as it’s currently written, would help better define exactly when and if the U.S. government should notify a company about flawed computer code they discover in one of their products. Named the Protecting Our Ability to Counter Hacking Act, or PATCH Act, the bill seeks to codify the VEP into law; answering some of the tough questions that surround the current framework, including who sits on the multi-agency review board responsible for decisions and when public disclosure is appropriate. In addition, the PATCH Act offers a brief decision-making criteria and broadly describes certain considerations that must be weighed by board members, including the Secretary of Commerce and the Directors of National Intelligence. Sens. Brian Schatz, D-Hawaii, Ron Johnson, R-Wis., and Cory […]
The post Lawmakers introduce bill to shine spotlight on government hacking stockpile appeared first on Cyberscoop.
Continue reading Lawmakers introduce bill to shine spotlight on government hacking stockpile