House passes vulnerability disclosure oversight bill

 

The House of Representatives passed a bill requiring the Department of Homeland Security to inform Congress about how it makes vulnerability disclosure decisions.

The bill, introduced by Rep. Sheila Jackson Lee (D-Texas), seeks to give Congress more clarity about the policies and processes used in the vulnerabilities equities process, the executive decision-making process that determines whether to disclose a bug to software companies so it can be remediated or to retain it for use in secret espionage.

The bill passed the House by voice vote Jan. 9.

Specifically, the bill would mandate DHS submit a report on cyber vulnerability disclosures to the House Homeland Security Committee and the Senate Homeland Security and Government Affairs Committee.

The report would include -- "to the extent possible" -- which policies and procedures were used to disclose cyber vulnerabilities, as well as the ways in which industry and other beneficiaries acted upon the information provided. The report could also detail how DHS is working across government to protect critical infrastructure and to prevent, detect and mitigate cyber vulnerabilities.

Since the bill's introduction in July 2017, the White House publicly released its bug disclosure policy, revealing some of the considerations taken into account and which agencies are involved in the decision to inform industry about cyber bugs.

White House Cybersecurity Coordinator Rob Joyce has said that government, the world's largest purchaser of malware and software vulnerabilities, ends up disclosing about 90 percent of known vulnerabilities.

Representatives from the Departments of Justice, State, Homeland Security, Energy, Defense, Commerce and Treasury, along with the Office of Management and Budget, CIA, NSA and FBI, are involved in this decision-making. The process is overseen by the White House.

The process of deciding whether to share known vulnerabilities has been of bipartisan interest to Congress for some time. In May, members of the House and Senate from both sides of the aisle introduced a bill that would codify the vulnerabilities equities process board and criteria for releasing vulnerability information.

About the Author

Chase Gunter is a former FCW staff writer.
