It wasn't long after last week's devastating international ransomware attack before details surfaced about how the hackers found the exploit to target: It was stolen from the NSA, which stockpiles the digital vulnerabilities. Now, Democratic Senator Brian Schatz (HI) has introduced a bill that would create policy regulating how and when federal agencies would disclose known attack vectors.
Schatz' legislation (PDF), the Protecting our Ability to Counter Hacking Act of 2017, would establish a Vulnerability Equities Review Board consisting of the heads of US security agencies along with Presidential Cabinet members on an ad-hoc basis. The board would create policies and regulations establishing when to tell non-government entities about known tech exploits, a process that could potentially prevent another WannaCry ransomware disaster.
The bill's acronym, PATCH Act, is something of a dig at how the mishandled NSA exploit became a malware catastrophe. When a hacking group known as The Shadow Brokers dropped a cache of Windows exploits taken from the NSA back in April, Microsoft quickly issued a security patch to fix a code execution vulnerability called EternalBlue. Unfortunately, the software giant can't force its worldwide users to upgrade, especially for systems like Windows XP and 2000 that are no longer supported. Less than a month later, attackers reconfigured the exploit into the WannaCry ransomware. Only by chance did a British security expert activate its global killswitch.
Days ago, Microsoft criticized US cybersecurity policy for stockpiling the exploit instead of informing the company in order to protect its users worldwide. While individuals who deign to upgrade their systems can quickly install single patches, rolling out updates to many companies and organizations is a time-consuming endeavor, making rapid response essential to protect infrastructure. It wasn't just companies that WannaCry locked out of their systems, either: thousands of operations and appointments were canceled as the ransomware crippled computers in state-run hospitals across the United Kingdom.
Whether this bill makes it to law or not, the clock is ticking for a better approach to sealing vulnerabilities: The Shadow Broker collective has threatened to dump more exploits next month.