House passes vulnerability disclosure oversight bill

The House of Representatives passed a bill requiring the Department of Homeland Security to inform Congress about how it makes vulnerability disclosure decisions.

The bill, introduced by Rep. Sheila Jackson Lee (D-Texas), seeks to provide Congress with more clarity surrounding the policies and processes used in the vulnerabilities equities process, the executive decision-making that determines whether to disclose a bug to software companies so it can be remediated or to retain it for use in secret espionage.

The bill passed the House by voice vote Jan. 9.

Specifically, the bill would require DHS to submit a report on cyber vulnerability disclosures to the House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee.

The report would include -- "to the extent possible" -- which policies and procedures were used to disclose cyber vulnerabilities, as well as the ways in which industry and other beneficiaries acted upon the information provided. The report could also detail how DHS is working across government to protect critical infrastructure and to prevent, detect and mitigate cyber vulnerabilities.

Since the bill's introduction in July 2017, the White House publicly released its bug disclosure policy, revealing some of the considerations taken into account and which agencies are involved in the decision to inform industry about cyber bugs.

White House Cybersecurity Coordinator Rob Joyce has said that government, the world's largest purchaser of malware and software vulnerabilities, ends up disclosing about 90 percent of known vulnerabilities.

Representatives from the Departments of Justice, State, Homeland Security, Energy, Defense, Commerce and Treasury, along with the Office of Management and Budget, CIA, NSA and FBI, are involved in this decision-making. The process is overseen by the White House.

The process of deciding whether to share known vulnerabilities has been of bipartisan interest to Congress for some time. In May, members of the House and Senate from both sides of the aisle introduced a bill that would codify the vulnerabilities equities process board and criteria for releasing vulnerability information.

About the Author

Chase Gunter is a former FCW staff writer.
