Congress to Grapple with NSA’s Cyber-Vulnerabilities Program

After global cyberattack, a bipartisan Senate bill would codify the intelligence community’s process for disclosing cybersecurity flaws. But the intelligence community—and perhaps some lawmakers—are expected to push back.

Brendan Bordelon
May 16, 2017, 3:53 p.m.

Congress is grinding into action in the wake of last week’s worldwide ransomware attack believed to be driven by a cyberweapon developed at the National Security Agency.

Democratic Sen. Brian Schatz of Hawaii and GOP Sen. Ron Johnson of Wisconsin, the chairman of the Homeland Security and Governmental Affairs Committee, will introduce a bill as soon as Wednesday that would codify how the federal government decides whether to use or disclose secret vulnerabilities in widely used software, according to a Schatz spokesman. The executive branch currently retains authority over determining when and how to inform tech companies of the vulnerabilities that U.S. spies discover in their products, and some experts believe the intelligence community is likely to jealously safeguard that prerogative.

Though neither lawmaker has said as much, the timing of the bill’s release likely indicates increasing concern on Capitol Hill over the National Security Agency’s hoarding of “exploits” in software used by businesses and institutions around the world. One such exploit—known as “Wanna Cry” and believed to have been discovered by the NSA and subsequently stolen and released by the mysterious “Shadow Brokers” hacking group this year—is behind the ransomware attack that swept the globe starting Friday. The attack shut down some institutions in the United States—and in around 150 other countries—that were running obsolete Microsoft operating systems.

The NSA won’t acknowledge that the Wanna Cry exploit is its own, but Microsoft recently patched the vulnerability in a software upgrade after the spy agency likely tipped the company off to the theft of the potent cyberweapon. That didn’t save the many institutions that continued to operate older versions of the software—including much of the United Kingdom’s hospital system. Microsoft blasted the federal government over the weekend for “stockpiling” such vulnerabilities, likening it to a conventional-weapons scenario in which the U.S. military had Tomahawk cruise missiles stolen.

It’s unclear whether Schatz and Johnson’s new bill would seek to reform what’s known in intelligence circles as the “vulnerabilities-equities process,” in which the executive branch decides whether NSA exploits should be turned over so companies can patch security flaws or retained for use against national security targets. But some experts still see value in the legislation even if it simply seeks to develop a public-facing framework while leaving the intelligence community’s disclosure process intact.

“To the extent that there’s more oversight and there’s more reporting requirements … that could be useful, I think, for trust,” said David O’Brien, a senior researcher at Harvard University’s Berkman Klein Center for Internet and Society.

But the White House and other executive agencies may not be willing to give ground on the issue. “It would be unusual to imagine a scenario where the executive wouldn’t be fighting this tooth and nail,” said O’Brien. “Intelligence these days is usually viewed as an executive power, and it’s tough to imagine that it would be willing to cede that power to Congress in any way.”

Even if Congress merely sought to make the process more transparent, O’Brien said he’s still skeptical that the intelligence community wouldn’t push back. “The key issue is always sources and methods,” he said, noting that even basic information about how frequently the process is used or which vulnerabilities are disclosed could reveal clues about ongoing offensive operations and areas of intelligence interest.

It’s difficult to gauge broader congressional support for the bill. Because the NSA has not publicly acknowledged the Wanna Cry exploit as its own, lawmakers are constrained in their ability to talk about the situation without potentially revealing classified information. Sens. Ron Wyden and Dianne Feinstein, two Democrats typically on opposite sides of the debate, both declined to comment on whether Congress needs to address the NSA equities process in the wake of this weekend’s cyberattack. GOP Sen. Lindsey Graham told National Journal that while the attack was “troubling,” he believed that the intelligence community could better answer questions on the equities process than he could.

A spokesman for Senate Intelligence Committee Chairman Richard Burr declined to comment, and a spokesman for House Intelligence Committee Chairman Devin Nunes did not respond to a similar request.

Sen. John McCain, the chairman of the Armed Services Committee, told National Journal that there should be a review of the intelligence community’s vulnerabilities-equities program. But, he added, it should be part of a larger review of the “entire operation of the federal government in regards to cyber.”

“For eight years, we were begging Barack Obama to do something about it, and he did nothing,” McCain said. He added that Congress has so far gotten more traction on cybersecurity under President Trump, and that lawmakers would be developing their own cyber policy after years of being “stymied” under the Obama administration.

While the goal of increased transparency into the cyber-vulnerabilities program would be to encourage the rapid patching of security flaws, Sen. Mike Rounds, the chairman of the Armed Services Cybersecurity Subcommittee, said that mandating disclosure could raise its own security concerns.

“If you share [a flaw] with anybody, it is now open to the public,” Rounds said. “In South Dakota, we say that a secret is something you tell one person at a time. In cyber, if you say it out loud it’s basically gonna go viral.”
