Legislation , Risk Management

'PATCH Act' Aims to Help Prevent Cyberattacks

Bill Would Revamp Government's Software Vulnerability Disclosure Policies
'PATCH Act' Aims to Help Prevent Cyberattacks

New legislation calls for an overhaul of the federal government's software vulnerability disclosure policies following the ransomware outbreak that was fueled by the leak of a stolen National Security Agency cyberweapon.

See Also: Spear Phishing, Identity Deception, Ransomware: How to Predict the Future of Crime

Under the bill, called Protecting our Ability To Counter Hacking Act, or the PATCH Act, the Department of Homeland Security would chair an interagency review board that would create a more consistent policy on software vulnerability disclosures by government agencies.

"Last week's global WannaCry ransomware attack - based on NSA malware - was a stark reminder that hoarding technological vulnerabilities to develop offensive weapons comes with significant risks to our own economy and national security," says Rep. Ted Lieu, D-Calif., a backer of the legislation.

Other sponsors are Rep. Blake Farenthold, R-Texas; and Senators Brian Schatz, D-Hawaii; Ron Johnson, R-Wis.; and Cory Gardner, R-Colo.

The WannaCry ransomware, which analysts say could have links to a North Korean group, hampered trains in Germany, locked up U.K. National Health Service computers and triggered the shutdown of Renault vehicle factories in Europe (see Is WannaCry the First Nation-State Ransomware?).

Russia and China have blamed the U.S. government for events that led to WannaCry. Both countries saw thousands of computers infected with the file-encrypting malware, which demands $300 to $600 in the virtual currency bitcoin.

A Broken System?

The federal government already has a procedure, the Vulnerabilities Equities Process, or VEP, to notify the technology industry of software problems it discovers. The Obama administration promised to reinvigorate the program in April 2014 after suspicions the government held back information about the critical OpenSSL vulnerability called Heartbleed.

But VEP has been criticized as opaque. The recent leaks of software exploits have shown U.S. technology vendors are often unaware of the flaws until the information has become public. Then, they must scramble to issue patches before hackers strike. The PATCH Act calls for supplying that critical information sooner to vendors, reducing the risk to the public.

As the internet has become critical for communication and commerce, spy agencies, including the NSA and CIA, have relied on software flaws to collect intelligence from foreign adversaries. Often those techniques rely on so-called zero-day software flaws, which have not been fixed by a vendor.

EternalBlue, an Intelligence Firehose

Leaks of NSA and CIA documents and tools show the agencies have compiled libraries of attacks, known as exploits, which take advantage of software flaws.

Some computer security experts and civil liberties watchdogs have argued that maintaining such stockpiles puts people and companies at risk. The spying benefit is far outweighed by chances that cybercriminals or other nation-states may already be using the flaws, they contend.

Microsoft, whose Windows operating system was attacked with the WannaCry exploit, has strongly criticized stockpiling. Microsoft President and Chief Legal Officer Brad Smith wrote Sunday that the WannaCry incident is the equivalent of an adversary stealing a Tomahawk cruise missile (see Post-WannaCry, Microsoft Slams Spy Agency Exploit-Hoarding).

The Washington Post reported Wednesday that the NSA eventually warned Microsoft of the exploitable flaw (MS17-010), which was contained in the server message block, or SMB, protocol, which is used for file sharing.

On March 14, Microsoft patched the flaw, which could be exploited by an NSA tool called EternalBlue, in its supported Windows systems. That was a month before the mysterious group known as the Shadow Brokers released EternalBlue. But Microsoft didn't issue a patch for its older Windows systems, including XP, until May 13 (see WannaCry Outbreak: Microsoft Issues Emergency XP Patch)

The NSA warning to Microsoft about the SMB vulnerability may have come far too late, given the time needed to engineer a patch. Network operators then need enough time to test and install it, which can be challenging in larger organizations.

Microsoft knew something was brewing as early as January. Around Jan. 8, the Shadow Brokers posted screenshots showing the tools it planned to eventually release, including one that referred to a remotely exploitable Windows SMB flaw. On Jan. 16, the U.S. Computer Emergency Response Team issued a warning, including ways to ward off an attack even without a patch.

The Washington Post story reveals a clue as to why the NSA waited so long to reveal the flaw to Microsoft. It claims that the SMB flaw was one of the most valuable in the agency's stockpile, resulting in a funnel of intelligence. It was essentially a skeleton key to the world's computers.

EternalBlue resulted in an "unreal" intelligence haul that "was like fishing with dynamite," two unnamed officials told the Post.

Industry Support

The PATCH Act is gaining backing from some industry groups and technology companies. Those backers include the Information Technology and Innovation Foundation, the Coalition for Cybersecurity Policy and Law, New America's Open Technology Institute, the Center for Democracy and Technology, McAfee and Mozilla.

Mozilla, the developer of the Firefox browser, pressed the U.S. government in court last year to learn of a possible vulnerability. The FBI had indicated in court documents it had used a "network investigative technique" while conducting a large child pornography investigation (see Mozilla Presses Government to Reveal Firefox Vulnerability).


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network