Vulnerability disclosure should come next for Congress on cybersecurity

This week, the U.S. Senate passed the Cybersecurity Information Sharing Act (CISA), a bill intended to promote the sharing of cybersecurity threat information. Mozilla joined the major tech companies and civil society groups in opposing this bill with concerns that it would undermine user trust, privacy, and security. Unnecessary and harmful sharing of private user information could be a real consequence of this bill.

But CISA is not law yet; CISA must be reconciled with the two cybersecurity bills that the U.S. House passed earlier this year, and both chambers will then need to pass the reconciled version. Unfortunately, it’s hard to see how any marginal improvements during these negotiations will be enough to fix its flaws.

If CISA follows this path and becomes U.S. law, it might be tempting for Members of Congress to feel that they can “check the box” of cybersecurity and move on to the next hot topic. However, CISA and its counterparts will do little to stop exploits like the Target hack, the OPM breach, or the Heartbleed vulnerability.

If Congress wants to make meaningful progress toward improved cybersecurity, it should move now to ensure that the government discloses critical vulnerabilities in computer networks and systems. Responsible disclosure of vulnerabilities would build on any information sharing legislation in a way that could gain widespread support.

CISA is far from the only mechanism for the private sector to share cybersecurity threat information with the government, and by itself it is unlikely to result in meaningful improvements in cybersecurity. But information sharing through CISA will likely lead the government to acquire knowledge of critical vulnerabilities in computer networks and systems, and the government’s expeditious disclosure of those vulnerabilities to the relevant vendor(s) would, in contrast, be highly valuable. Information sharing was never supposed to be a one-way street. Yet there is currently no presumption in law that the U.S. government should disclose vulnerabilities. This makes CISA’s provisions requiring information shared with the Department of Homeland Security to be automatically shared with the NSA, DOD, and others in the intelligence community even more concerning.

While the Obama Administration has claimed that it discloses the vast majority of vulnerabilities, we know from recent FOIA documentation that the government currently lets the NSA lead the disclosure determination process: a discussion dominated by the intelligence community, with inadequate participation from critical federal agencies like the Departments of Homeland Security or Commerce, and one that lacks accountability and transparency.

Indeed, the President’s own Review Group on Intelligence and Communications Technologies, which had security clearances and access to classified documents, found that there needed to be a significantly more robust and accountable process around vulnerability disclosure (see Recommendation #30). Implicit in this recommendation is the idea that the presumption should be that all vulnerabilities are disclosed to the relevant vendor(s) so that they can be patched, and then in due course disclosed to the public. However, there may be times when a delay in disclosure proves so valuable, for example to an ongoing intelligence operation, that such a delay is merited.

Delays in disclosure should be few and far between, and the determination to delay disclosure must involve all of the relevant stakeholders in the government and be guided by a more detailed set of criteria than those Michael Daniel, the White House Cybersecurity Coordinator, laid out last year in a blog post about the Heartbleed vulnerability (although those are a good start).

Members of Congress should not think that their work on cybersecurity is done. With the passage of these information sharing bills, now more than ever, Congress should turn its attention to government vulnerability disclosure in order to meaningfully improve cybersecurity.