NSA would have to disclose its cyber exploit policies under new bill

Ideally, before a global ransomware attack.
David Lumb, @OutOnALumb
May 17, 2017
Image credit: EFE

It wasn't long after last week's devastating international ransomware attack that details surfaced about where the hackers got the exploit they used: it was stolen from the NSA, which stockpiles such digital vulnerabilities. Now, Democratic Senator Brian Schatz (HI) has introduced a bill that would create policy regulating how and when federal agencies disclose known attack vectors.

Schatz' legislation (PDF), the Protecting our Ability to Counter Hacking Act of 2017, would establish a Vulnerability Equities Review Board consisting of the heads of US security agencies along with Presidential Cabinet members on an ad-hoc basis. The board would create policies and regulations establishing when to tell non-government entities about known tech exploits, a process that could potentially prevent another WannaCry ransomware disaster.

The bill's acronym, PATCH Act, is something of a dig at how the mishandled NSA exploit became a malware catastrophe. When a hacking group known as The Shadow Brokers dropped a cache of Windows exploits taken from the NSA back in April, Microsoft quickly issued a security patch to fix a code execution vulnerability called EternalBlue. Unfortunately, the software giant can't force its worldwide users to upgrade, especially for systems like Windows XP and 2000 that are no longer supported. Less than a month later, attackers reconfigured the exploit into the WannaCry ransomware. Only by chance did a British security expert activate its global killswitch.

Days ago, Microsoft criticized US cybersecurity policy for stockpiling the exploit instead of informing the company in order to protect its users worldwide. While individuals who deign to upgrade their systems can quickly install single patches, rolling out updates to many companies and organizations is a time-consuming endeavor, making rapid response essential to protect infrastructure. It wasn't just companies that WannaCry locked out of their systems, either: thousands of operations and appointments were canceled as the ransomware crippled computers in state-run hospitals across the United Kingdom.

Whether this bill makes it to law or not, the clock is ticking for a better approach to sealing vulnerabilities: The Shadow Brokers collective has threatened to dump more exploits next month.
