Lawmakers approve ‘cyber vulnerability’ bill

A House panel advanced legislation on Wednesday requiring the Department of Homeland Security (DHS) to give lawmakers more information on how it discloses cyber vulnerabilities to the private sector. 

The legislation was sponsored by Rep. Sheila Jackson Lee (D-Texas) and received broad support from members of the House Homeland Security Committee, including Chairman Michael McCaul (R-Texas). 

{mosads}The bill would require Homeland Security Secretary John Kelly to send a report to relevant congressional committees describing policies and procedures used by the DHS to coordinate the disclosure of what are called “zero days” — cyber vulnerabilities that are unknown to a product’s manufacturer and for which no patch exists.

The federal government decides whether to disclose zero days to the private sector through the vulnerabilities equities process (VEP), which was first acknowledged by the Obama administration in 2014 but is still shrouded in secrecy. While the government is said to err on the side of disclosure, the VEP has proven controversial because so little is known about it. 

The process has attracted increased scrutiny in the wake of the outbreak of the “Wanna Cry” ransomware, which is believed to be based on a hacking tool developed by the National Security Agency. 

Lawmakers in both chambers have sought to boost transparency of the VEP.

On Wednesday, Jackson Lee touted the legislation as providing an opportunity for Congress to better understand the process by which the DHS shares threat information with private companies and how that information benefits the private sector.

“Because vulnerabilities can be used by adversaries, it is important that the sensitive information is managed securely and the details are guarded against premature disclosure,” Jackson Lee said during a committee markup.

“There’s no security in keeping zero day events secure and not working on solutions,” she said. “The protection is in finding the zero day events, creating solutions, sharing the solutions broadly, then disclosing the vulnerabilities to the public.” 

The report mandated by the legislation would include an annex of information on specific instances when the DHS disclosed vulnerabilities to private sector companies in the previous year and information on how industry acted on the information. It could also contain information about how the DHS is working with other federal agencies and departments, as well as owners of critical infrastructure, to mitigate the threat of these vulnerabilities. 

Kelly would be required to submit the report, which would be unclassified but could have a classified annex, within 240 days of the enactment of the legislation. 

The committee approved the legislation in a voice vote with no amendments, sending it to the full House for a vote.