House passes Homeland Security cybersecurity oversight bill

House lawmakers on Tuesday approved legislation aimed at boosting oversight of the way that the U.S. government discloses cyber vulnerabilities to the private sector.

The legislation was introduced before the Trump administration issued a first-ever charter outlining the secretive method, known as the vulnerability equities process (VEP), by which the executive branch determines whether to disclose what are called “zero day” vulnerabilities to affected vendors.

{mosads}The legislation passed Tuesday would specifically require the Department of Homeland Security, which is now known to have a seat at the table in VEP, to report to Congress on the policies and procedures by which previously unknown vulnerabilities are disclosed to the private sector.

Lawmakers passed the bill in a voice vote Tuesday afternoon.   

The charter issued by the White House in November laid out the principles and aims of the process, and also identified the specific agencies involved in the decisionmaking, which turned out to be a much longer list than expected. The administration is also expected to issue an annual public report documenting the number of vulnerabilities discovered that were kept secret.

The move came in response to calls from lawmakers, public advocacy groups and private sector companies who have pushed for more transparency around the process, which was first acknowledged by the Obama administration in 2014. Critics have warned the government against “stockpiling” vulnerabilities for intelligence purposes, citing the risk that hackers may discover and leverage them. 

The effort has been widely viewed as a step forward for transparency. 

The legislation approved Tuesday was introduced by Rep. Sheila Jackson Lee (D-Texas) and would require Homeland Security to submit a report to Congress containing “a description of the policies and procedures developed for coordinating cyber vulnerability disclosures.”

It also says the report should “to the extent possible” include an annex with information on instances when these procedures were used to disclose vulnerabilities and the degree to which stakeholders acted on the information.

The bill cleared the House Homeland Security Committee last July, roughly three months before the White House issued the VEP charter.

Other agencies involved in VEP include the departments of Defense, Treasury, State, Justice, Energy, and Commerce, as well as the Office of Director of National Intelligence, Office of Management and Budget, National Security Agency, CIA and FBI.