
After WannaCry, a new bill would force the NSA to justify its hacking tools


CrAKeN


 

After last week’s massive ransomware attack shut down machines around the world, the NSA, which knew of the exploit before it was public, became a target for criticism. Microsoft patched the problem before the attack, but it’s still raised questions about how, and when, the NSA decides to hold on to software vulnerabilities.

 

A new bill would help bring accountability to how the NSA deals with those vulnerabilities. Introduced by Sen. Brian Schatz, the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would establish a legal framework for the process, requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.

 

The law would also legally establish a review board with high-ranking members of the federal government. The board would be chaired by the secretary of homeland security and include agency directors from the intelligence community as well as the secretary of commerce. The law would also require annual reports to Congress on the board’s activities.

 

A version of the government’s process, known as the "vulnerabilities equities process," has been in place for some time, although its exact details are unclear. A version of the board already exists, but some have criticized the process as opaque, and a law would go some way toward binding the federal government to the system.

 

The NSA most famously faced criticism for its exploit process in 2014, when Bloomberg reported that the agency had exploited the “Heartbleed” bug, which exposed vulnerabilities in devices around the world. (The agency denied the report.) Microsoft obliquely criticized the US after the WannaCry ransomware attack last week, calling the incident a “wake-up call” about vulnerability “hoarding.”

 

Source

straycat19

Ha-Ha-Ha  As if the NSA is going to tell anyone what exploits they have.

 

17 hours ago, CrAKeN said:

requiring federal agencies to establish policies on when to share vulnerabilities and, if unclassified, to make those policies widely available.

 

Read the law, they establish their own policy on when to share (NEVER) and then disseminate those policies only if they are unclassified (sorry all policies in NSA are classified.)   Another law that regulates nothing, gains nothing, and is just words on paper that do nothing.  Typical political junk.



Archived

This topic is now archived and is closed to further replies.
