The U.S. House passed the Cyber Vulnerability Disclosure Reporting Act (H.R. 3202), sponsored by Rep. Sheila Jackson Lee (D-TX). If enacted, it would compel the U.S. government to reveal the process it uses to decide whether to disclose the security vulnerabilities it finds.
The government has been criticized for many years for preferring to “hoard” vulnerabilities and exploit them at will, leaving American companies and their customers vulnerable to malicious hackers. To alleviate some of the concerns raised after the Edward Snowden documents came out, the Obama administration publicly committed to the Vulnerabilities Equities Process (VEP), the interagency procedure for weighing whether a vulnerability should be disclosed to the vendor or retained for intelligence and law-enforcement use.
However, this policy did not materially improve the situation, because agencies such as the FBI could still find ways around having to report bugs. One way to do that was to pay private companies for exploits of vulnerabilities in software or hardware, so that the government never “discovered” the bug itself and could argue the VEP did not apply.
As most of the world’s biggest technology and services companies are in the U.S., vulnerabilities in their software ultimately cost the U.S. the most. That should create an incentive to disclose vulnerabilities to companies as soon as possible, so they can fix their platforms and protect their customers.
Turning Bug Disclosure Into Law
The government has long claimed that it discloses at least 90% of the vulnerabilities it finds to the affected companies. That figure is only meaningful if we know how it is counted, because the claim may be technically true while saying little about the vulnerabilities that actually matter.
For instance, the 90% could consist largely of low-severity or non-security bugs, or of bugs that someone else had already disclosed. Once a bug is public, the government knows it can no longer use it, so it may as well try to get some credit for disclosing it, too, while keeping the valuable undisclosed bugs in the remaining 10%.
We don’t know whether the U.S. government actually behaves this way, which is precisely why the House passed the Cyber Vulnerability Disclosure Reporting Act: so we can learn the exact bug disclosure process the government uses.
Besides detailing its bug disclosure policies in the report, the government would also have to provide real examples of bugs it disclosed to the private sector in the previous year. Some argue that this “annex” would have to be classified, but the EFF believes there is no reason why most disclosure instances shouldn’t be made public, with a few exceptions for more extraordinary situations.
Last week, White House Cybersecurity Coordinator Rob Joyce said in relation to the Meltdown and Spectre bugs that the “NSA did not know about the flaw, has not exploited it and certainly the U.S. government would never put a major company like Intel in a position of risk like this to try to hold open a vulnerability.”
However, the EFF notes that the U.S. government does not have a stellar track record of being truthful about these issues, and there is evidence that the NSA has in fact worked to undermine the security of American companies’ products.