House passes vulnerability disclosure oversight bill

The House of Representatives passed a bill requiring the Department of Homeland Security to inform Congress about how it makes vulnerability disclosure decisions.

The bill, introduced by Rep. Sheila Jackson Lee (D-Texas), seeks to provide Congress with more clarity surrounding the policies and processes used in the vulnerabilities equities process, the executive decision-making that determines whether to disclose a bug to software companies so it can be remediated or to retain it for use in secret espionage.

The bill passed the House by voice vote Jan. 9.

Specifically, the bill would mandate that DHS submit a report on cyber vulnerability disclosures to the House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee.

The report would include -- "to the extent possible" -- which policies and procedures were used to disclose cyber vulnerabilities, as well as the ways in which industry and other beneficiaries acted upon the information provided. The report could also detail how DHS is working across government to protect critical infrastructure and to prevent, detect and mitigate cyber vulnerabilities.

Since the bill's introduction in July 2017, the White House has publicly released its bug disclosure policy, revealing some of the considerations taken into account and which agencies are involved in the decision to inform industry about cyber bugs.

White House Cybersecurity Coordinator Rob Joyce has said that government, the world's largest purchaser of malware and software vulnerabilities, ends up disclosing about 90 percent of known vulnerabilities.

Representatives from the Departments of Justice, State, Homeland Security, Energy, Defense, Commerce and Treasury, along with the Office of Management and Budget, CIA, NSA and FBI, are involved in this decision-making. The process is overseen by the White House.

The process of deciding whether to share known vulnerabilities has been of bipartisan interest to Congress for some time. In May, members of the House and Senate from both sides of the aisle introduced a bill that would codify the vulnerabilities equities process board and criteria for releasing vulnerability information.

About the Author

Chase Gunter is a staff writer covering civilian agencies, workforce issues, health IT, open data and innovation.

Prior to joining FCW, Gunter reported for the C-Ville Weekly in Charlottesville, Va., and served as a college sports beat writer for the South Boston (Va.) News and Record. He started at FCW as an editorial fellow before joining the team full-time as a reporter.

Gunter is a graduate of the University of Virginia, where his emphases were English, history and media studies.
