A bipartisan group of Senators introduced a bill Wednesday that seeks to prevent another massive data leak of government-owned hacking tools like the one used in the weekend’s WannaCry ransomware campaign.
The Protecting Our Ability to Counter Hacking (PATCH) Act would force the U.S. government to turn over these hacking tools to an independent review board that would determine the vulnerabilities that need to be secured.
The bill also aims to make public more of these system vulnerabilities so organizations can fix them.
The hope is that it would reduce the stockpile of zero-day exploits and prevent the data from being leaked to hackers again. The cybercriminal group Shadow Brokers currently has a cache of these U.S. National Security Agency weapons and is threatening a monthly release. The NSA uses these tools for surveillance and gathering intelligence.
“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” Sen. Brian Schatz, D-Hawaii, who introduced the bill, said in a statement. “This bill strikes that balance.”
The bill will codify a framework for government agencies while ensuring the government has the tools essential to national security, Schatz said.
“The continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America’s networks and information,” Sen. Ron Johnson, R-Wisconsin, said in a statement. “It’s essential that government agencies make zero-day vulnerabilities known to vendors whenever possible.”
PATCH was also sponsored by Sen. Cory Gardner, R-Colorado, Rep. Ted Lieu, D-California, and Rep. Blake Farenthold, R-Texas. It has support from cybersecurity experts and advocacy groups that include McAfee, Mozilla, The Information Technology and Innovation Foundation and New America’s Open Technology Institute, among others.
The legislation comes on the heels of the WannaCry attack that pummeled Europe, Russia and China over the weekend, including 20 percent of the U.K. National Health Service. WannaCry is thought to be part of the NSA cache of cyber weapons and exploits.