Introduced just days after the attack, which hit organizations in about 150 countries, the bipartisan Protecting our Ability To Counter Hacking (PATCH) Act seeks to make "zero-day vulnerabilities" exploited by the U.S. government more transparent to the private sector.
Companies need to know their exposure to malware to defend their systems against attacks by hackers who have breached the National Security Agency and other government bodies and obtained cyber weapons to use against corporate systems, the bill’s sponsors suggest.
“It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests,” said Wisconsin Sen. Ron Johnson, a Republican sponsor of the legislation.
The bill would formalize an informal policy, called the Vulnerabilities Equities Process, according to which the government decides “whether to disclose a software vulnerability to the software manufacturer, or instead to keep it secret,” Rep. Ted Lieu, a California Democrat and one of the bills sponsors, said in a press release. “Currently the Vulnerabilities Equities Process is not transparent and few people understand how the government makes these critical decisions.”
