Under a bill proposed by two lawmakers on Wednesday, the U.S. National Security Agency (NSA) could be required to make public any security flaws it finds in software that it exploits to spy on users.
Under the “Protecting our Ability to Counter Hacking Bill”, or “PATCH Bill”, decisions on whether a vulnerability discovered by the NSA should be disclosed to the companies concerned or to the public would be made by a board headed by the Secretary of Homeland Security.
The board would have to consider whether the NSA could achieve its objective without exploiting the security hole, how likely another actor would be to exploit it, whether the flaw affects core internet or critical infrastructure, and what risks leaving the vulnerability unpatched would pose.
The board's members would include the director of the Central Intelligence Agency (CIA), the director of the Federal Bureau of Investigation (FBI), and a handful of other important organizations.
The proposal by Republican Senator Ron Johnson of Wisconsin and Democratic Senator Brian Schatz of Hawaii comes after a major cyberattack hit 200,000 computers across the world last week.
The attackers exploited a flaw in Microsoft’s Windows operating system that the NSA had previously found; they learned of the lapse because a group called the Shadow Brokers had leaked the NSA’s exploit online.
Governments have faced growing criticism over their surveillance methods, and Microsoft’s Chief Legal Officer Brad Smith has said governments should stop stockpiling exploits.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith said in a blog post on Sunday.
Under the proposed bill, the board would also produce an annual report, with an unclassified version released to the public.
(Adapted from CNBC)