New US IT security bill would force NSA to report WannaCry-style zero-day flaws

But not publicly, or to the software vendor itself

A new bill has been presented to the US Congress that would force the National Security Agency (NSA) to alert other US government agencies of security flaws it finds in software - such as the Microsoft SMB networking protocol flaw the NSA exploited, which was used by hackers in the recent WannaCry ransomware outbreak.

The Protecting our Ability To Counter Hacking (PATCH) Act was introduced by Republican senator Ron Johnson of Wisconsin and Democratic senator Brian Schatz of Hawaii.

However, the bill would not necessarily lead to disclosure of such flaws to software vendors. Instead, it would kick off a review process whenever any government agency discovers a security flaw in any technology. The review process would be chaired by the Department of Homeland Security, not the NSA.

The bill would establish a legal framework by which any security flaws could be examined and, possibly, reported to the software vendors or publicly disclosed; alternatively, the board might choose to keep them secret for national security purposes.

In addition to a representative from the Department of Homeland Security chairing the board, it would also include the director of the Federal Bureau of Investigation (FBI), the director of the Central Intelligence Agency (CIA), and representatives from a handful of other US government agencies.

"Striking the balance between US national security and general cyber security is critical, but it's not easy," said Senator Schatz in a statement. "This bill strikes that balance," he claimed.

The NSA has been criticised not only for discovering and using a series of security flaws, but also for failing to disclose those flaws even when it knows they have fallen into the hands of hackers, or the intelligence agencies of other countries.

The 'EternalBlue' Microsoft SMB exploit was one of a number of NSA-linked hacking tools publicly disclosed by the Shadow Brokers hacking group, an outfit many believe might be a front for Russian intelligence, or another country's intelligence agency.

The US National Security Agency was also criticised for sitting on a security flaw in the OpenSSL cryptography library, dubbed Heartbleed, which was introduced to the open-source software in 2012, but only found in April 2014.
