WASHINGTON – Following one of the largest global cyberattacks in history, Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Brian Schatz (D-Hawai‘i) introduced the Protecting our Ability To Counter Hacking (PATCH) Act, bipartisan legislation that adds transparency and accountability to the U.S. government process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems.
“As we’ve seen in recent days with the worldwide ransomware attack, the continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America’s networks and information. It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process,” said Senator Johnson.
“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” said Senator Schatz. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”
The U.S. government is one of the many stakeholders researching and finding “zero-day vulnerabilities,” which are flaws in technology that are unknown to the vendor. Before they are patched, these vulnerabilities are susceptible to hacking and make the technologies that we rely on every day less secure. Usually the U.S. government discloses these vulnerabilities to the vendor so that they can be fixed but sometimes it retains them and exploits them for national security purposes.
The PATCH Act codifies current government practices to review vulnerabilities and designates the Department of Homeland Security as the chair of the interagency review board. The Board will ensure a consistent policy for how the government evaluates vulnerability for disclosure and retention. The bill will also create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.
The PATCH Act has broad support from cybersecurity experts and advocacy organizations, including the Coalition for Cybersecurity Policy and Law, McAfee, Mozilla, the Information Technology and Innovation Foundation, New America's Open Technology Institute, and the Center for Democracy and Technology.
To read the full text of the Senate bill, click here.
More information on the PATCH Act can be found here.