Johnson Sponsors Bill To Enhance Cybersecurity

Bill Would Create A Review Board To Set Policy For Sharing Vulnerabilities

U.S. Sen. Ron Johnson, R-Wisconsin, co-introduced a bill with Sen. Brian Schatz, D-Hawaii, to enhance cybersecurity in the wake of a global cyberattack that hit 150 countries last weekend.

The bill would create an intelligence review board that decides how the government goes about sharing information about software vulnerabilities.

Johnson said the review board would include representatives from the Department of Homeland Security, Federal Bureau of Investigation, Central Intelligence Agency and National Security Agency. The board would also include a designee from the Department of Commerce.

Johnson said a Vulnerability Equities Review Board would set policy about when, to whom and to what degree any software vulnerabilities are shared with those outside government agencies.

“The question becomes when they find a vulnerability, do we keep it secret so we can use it against our enemies, gather intelligence in a legal process, or do we tell the vendors so they can provide a patch so customers aren’t hacked?” Johnson said.

Johnson said the bill would formalize the process now used by federal agencies.

“The vast majority of those vulnerabilities currently are — the vendor is notified so it can make the patch,” Johnson said. “This just codifies and formalizes that process so it’s as transparent as possible.”

Brad Smith, president and chief legal officer of Microsoft, said this week in a company blog post that last weekend’s attacks were an example of the federal government’s problem with stockpiling software vulnerabilities.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” Smith wrote. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” Smith wrote.

Smith said governments should treat online attacks the same as using weapons and consider the damage to civilians. He also renewed a call for the federal government to share information about vulnerabilities with vendors like Microsoft to better protect customers.

Johnson said the federal government did share information with Microsoft about vulnerabilities. However, he noted some people most affected by the attacks included those who had pirated operating systems online. As a result, those who had not purchased the software did not receive a patch or fix provided by the company.

In his online post, Smith said tech companies and customers have a shared responsibility to prevent data loss.

“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” Smith wrote.

The bill has been referred to the Committee on Homeland Security and Governmental Affairs.