Following one of the largest global cyber-attacks in history, Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee, and Sen. Brian Schatz (D-Hawai‘i), have introduced the Protecting our Ability To Counter Hacking (PATCH) Act.
Earlier this month, the WannaCry ransomware, which holds systems hostage for payment in Bitcoin, infiltrated organizations in over 100 countries around the world. The bipartisan legislation promises to add transparency and accountability to the government’s process for retaining or disclosing vulnerabilities in technology products, services, applications, and systems.
“As we’ve seen in recent days with the worldwide ransomware attack, the continued threat of cyber-attacks means that we need to combine public and private efforts to maintain the security of America’s networks and information,” Johnson said. “It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process.”
“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” Schatz added. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cyber-security and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”
The U.S. government is one of the many stakeholders researching and finding “zero-day vulnerabilities,” which are flaws in technology that are unknown to the vendor.
“Before they are patched, these vulnerabilities are susceptible to hacking and make the technologies that we rely on every day less secure,” the bill’s sponsors said in a statement. “Usually the U.S. government discloses these vulnerabilities to the vendor so that they can be fixed, but sometimes it retains them and exploits them for national security purposes.”
The PATCH Act codifies current government practice for reviewing vulnerabilities and designates the Department of Homeland Security as chair of an interagency review board. That board is meant to ensure a consistent policy for how the government evaluates each vulnerability for disclosure or retention. The bill would also create new oversight mechanisms intended to improve transparency and accountability and to strengthen public trust in the process.
The PATCH Act has garnered support from a variety of cyber-security experts and advocacy organizations, including the Coalition for Cyber-security Policy and Law, McAfee, Mozilla, the Information Technology and Innovation Foundation, New America's Open Technology Institute, and the Center for Democracy and Technology.
A related debate in Washington involves the Federal Communications Commission. The FCC’s Chief Information Officer, Dr. David Bray, issued the following statement on May 8 regarding the cause of delays experienced by consumers trying to file comments on the FCC’s Electronic Comment Filing System.
“The FCC was subject to multiple distributed denial-of-service attacks (DDoS),” he wrote. “These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.”
In a distributed denial-of-service attack, bad actors flood a website from many sources with more traffic than it is provisioned to handle. The goal is to exhaust the site’s capacity so that legitimate users cannot get through; the site need not crash for the attack to succeed.
While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments. “We have worked with our commercial partners to address this situation and will continue to monitor developments going forward,” Bray said.
Following the DDoS attack on the FCC’s website, Sens. Ron Wyden (D-Ore.) and Brian Schatz wrote to Chairman Ajit Pai, asking him to answer questions on the agency’s ability to mitigate cyber-attacks.
Specifically, they want Pai to explain in more detail the nature of the reported cyber-attack and how it impacted the public’s ability to comment on a proposal to roll back net neutrality protections.
In their letter to Pai, the senators ask whether the FCC is prepared to defend against DDoS attacks, should they happen again.
“DDoS attacks against federal agencies are serious - and doubly so if the attack may have prevented Americans from being able to weigh in on your proposal to roll back net neutrality protections,” Wyden and Schatz wrote. “Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue.”
Among the specific questions and requests:
Providing details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC.
Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks?
Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not?
To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not?
How many concurrent visitors is the FCC’s website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended?
Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not?
Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, is there an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected?
The letter also asks whether commenters who successfully submitted a comment, but did not receive a response, will receive one once the FCC’s staff has addressed the DDoS and related technical issues.
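Several of the senators’ questions (when the attacks began and ended, how much malicious traffic arrived, how many devices sent it, and how many people were unable to submit comments) are answered from the web server’s access logs. The script below, added here as an illustration and not code from the article, the FCC, or the senators, shows the shape of that analysis. It assumes Apache/nginx Common Log Format, an assumed submission endpoint path `/ecfs/filings`, and an assumed per-minute request threshold that a real operator would derive from their own baseline traffic; the log it runs over is constructed inline, not real FCC data.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Common Log Format, e.g.
# 203.0.113.7 - - [08/May/2017:10:01:00 +0000] "GET /ecfs/search HTTP/1.1" 503 0
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
FILING_PATH = "/ecfs/filings"  # assumed comment-submission endpoint (not the real ECFS path)


def parse_log(text):
    """Parse CLF lines into dicts sorted by time; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return sorted(entries, key=lambda e: e["ts"])


def bucket(entries, window_seconds=60):
    """Requests per fixed window, keyed by the window's start as a Unix epoch."""
    counts = Counter()
    for e in entries:
        epoch = int(e["ts"].timestamp())
        counts[epoch - epoch % window_seconds] += 1
    return counts


def flood_summary(entries, window_seconds=60, threshold=50, per_source_min=5):
    """Locate windows above `threshold` requests and report start, end, volume,
    peak rate, distinct sources, and sources busy enough to be suspected bots.
    Returns None when no window crosses the threshold."""
    hot = sorted(w for w, n in bucket(entries, window_seconds).items() if n >= threshold)
    if not hot:
        return None
    start = datetime.fromtimestamp(hot[0], tz=timezone.utc)
    end = datetime.fromtimestamp(hot[-1] + window_seconds, tz=timezone.utc)
    during = [e for e in entries if start <= e["ts"] < end]
    per_source = Counter(e["ip"] for e in during)
    return {
        "start": start,
        "end": end,
        "requests": len(during),
        "peak_per_window": max(bucket(during, window_seconds).values()),
        "distinct_sources": len(per_source),
        # a single visitor rarely issues many requests a minute; heavy talkers are the bot estimate
        "suspected_sources": sum(1 for n in per_source.values() if n >= per_source_min),
    }


def submission_outcomes(entries, start, end):
    """How many comment submissions were attempted and succeeded inside vs. outside [start, end)."""
    out = {"during": {"attempted": 0, "succeeded": 0},
           "outside": {"attempted": 0, "succeeded": 0}}
    for e in entries:
        if e["method"] != "POST" or e["path"] != FILING_PATH:
            continue
        key = "during" if start <= e["ts"] < end else "outside"
        out[key]["attempted"] += 1
        if 200 <= e["status"] < 300:
            out[key]["succeeded"] += 1
    return out


def build_constructed_log():
    """Constructed sample (not real data): three genuine commenters per minute for
    five minutes, plus a two-minute burst from 40 sources hammering the search page.
    Submissions made while the burst runs are answered with 503."""
    base = datetime(2017, 5, 8, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(t, ip, method, path, status):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 0')

    for minute in range(5):
        for i in range(3):
            locked_out = 1 <= minute <= 2
            add(base + timedelta(minutes=minute, seconds=5 + 15 * i),
                f"198.51.100.{minute * 3 + i + 1}", "POST", FILING_PATH, 503 if locked_out else 201)
    for src in range(40):
        for sec in range(60, 180, 10):
            add(base + timedelta(seconds=sec + src % 10), f"203.0.113.{src + 1}", "GET", "/ecfs/search", 503)
    return "\n".join(lines)


CONSTRUCTED_LOG = build_constructed_log()

if __name__ == "__main__":
    log = parse_log(CONSTRUCTED_LOG)
    summary = flood_summary(log)
    print(summary)
    print(submission_outcomes(log, summary["start"], summary["end"]))
```

The per-source count matters more than the raw volume: a surge of genuine commenters can produce a similar request rate, but it arrives as one or two requests from each of many addresses aimed at the filing endpoint, whereas the constructed burst shows a handful of addresses each issuing many requests to a page that never files anything. That distinction, together with the success rate of real submissions inside the window, is what the letter’s questions about “malicious traffic” and about commenters who were shut out actually require.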