A bill to expand congressional oversight over how the Department of Homeland Security works with the private sector to disclose cyber vulnerabilities is now before the Senate after it passed the House by voice vote last week.
The bill, introduced by Democratic Rep. Sheila Jackson Lee of Texas, would require DHS to submit an annual report to Congress describing the process the federal government uses to disclose cybersecurity flaws it discovers to the private sector and other affected organizations. The bill would include information about how DHS is working with other federal agencies and managers of private cyber infrastructure to mitigate susceptibility to cyberattacks.
The report would also contain supplemental information about the effectiveness of this method over the course of the previous year, such as the extent industry and relevant stakeholders acted on the information given to them. It would allow a classified annex to the report to discuss cyber vulnerabilities that DHS does not want made public.
The issue of when and whether to reveal cyber vulnerabilities is a controversial one. When the government discovers such vulnerabilities, whether it is DHS, or the National Security Agency, or the FBI, it sometimes does not want to disclose them because U.S. intelligence agencies can use the vulnerabilities for intelligence-gathering purposes against foreign computer systems.
But not telling the private sector about the vulnerabilities leaves their computer systems vulnerable to attack. And that can lead to “zero day” situations in which U.S. cyber infrastructure is under fire and there is no patch prepared in advance to fight it off, leading to sudden and real damage.
In November 2017, the White House cybersecurity coordinator, Rob Joyce, released a charter detailing the process — known as the Vulnerabilities Equities Process, or VEP — that DHS uses to collaborate with other federal agencies to make determinations regarding cyber vulnerability disclosures.
The agencies that meet to make those decisions include the Office of Management and Budget, the office of the Director of National Intelligence and the departments of Commerce, State, Treasury, Energy, Defense and Homeland Security, plus the FBI and the CIA.
Joyce indicated that the bias in these meetings is moving toward informing the software maker of the flaws. “There’s a very strong, real palpable and growing case for disclosing” software vulnerabilities discovered by intelligence agencies, Joyce said, because a failure to do so could undermine vital computer systems used in government and military operations, as well as key economic sectors such as financial and energy.
“If there’s a flaw in those systems, there’s an imperative to close that hole and make sure it’s not exploited to the damage of either our financial or economic well-being,” Joyce said at the time.
As much as 90 percent of the software flaws discovered by U.S. agencies are eventually revealed to software makers, Joyce said, while the rest are retained to be used as levers for intelligence gathering.
Jackson Lee emphasized the importance of mitigating the threat of “zero day” events in her floor speech on Jan. 9, saying it was the reason she brought the bill before the House.
“A zero-day event describes a situation that network security professionals may find themselves in when a previously unknown error or flaw in computing code is exploited by a cybercriminal or terrorist,” the Texas Democrat said. “The term ‘zero-day event’ simply means that there is zero time to prepare a defense against a cyber attack. That is not the place that we would like to find ourselves.
“When a defect in software is discovered, their network engineers and software companies can work to develop a patch to fix the problem before it can be exploited by those who may seek to do us harm,” she added.
Jackson Lee has been one of the most outspoken members of Congress about the importance of securing the cybersecurity of the nation’s infrastructure in recent years. She introduced bills in each of the last two congressional sessions that would direct DHS to improve information sharing among federal agencies and the private sector in the interest of protecting infrastructure from cyber threats.
Supporters of the legislation hope it can secure passage in the Senate later this year, hopefully by October, which is National Cyber Security Awareness Month.
Watch: Trump’s 2018 Legislative Agenda Is Already Slipping
Gopal Ratnam contributed to this story.