Disclosing Exploits Will Protect Online Trade

In the wake of the WannaCry global cyberattack, US legislators have proposed a vital new law that will reduce the risk of similar disruption in future. The Protecting our Ability To Counter Hacking Act – or PATCH for short – will increase transparency and accountability by stipulating how the US government will disclose the cyber vulnerabilities that it develops and discovers. PATCH is supported by legislators from both the Democratic and Republican parties, including Senators Brian Schatz (D-Hawai‘i), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas).

In their press release, Senators Schatz and Johnson present an impressive argument for the US government to be methodical in how it shares information about cyber exploits.

“Striking the balance between U.S. national security and general cybersecurity is critical, but it’s not easy,” said Senator Schatz, lead Democrat on the Senate Subcommittee on Communications, Technology, Innovation, and the Internet. “This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security.”

“As we’ve seen in recent days with the worldwide ransomware attack, the continued threat of cyberattacks means that we need to combine public and private efforts to maintain the security of America’s networks and information. It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process,” said Senator Johnson, Chairman of the Senate Homeland Security and Governmental Affairs Committee and a senior member of the Senate Subcommittee on Communications, Technology, Innovation, and the Internet.

When governments invent ways to exploit vulnerabilities in technology there is always a serious risk that these same vulnerabilities will also be used against the people that governments are supposed to serve. Malware is of no use unless you distribute it to your victim – which means you effectively give the malware code to your enemies, allowing them to copy and use it also. A flaw in encryption may be useful to your government’s spies, but is a threat to privacy and security too. Whatever loopholes may be exploited by the surveillance agents of your country may also be abused by foreign governments, businesses, and criminals, unless you close them first. WannaCry relied on a technique developed by the NSA, so whatever benefits it delivered to US spies should be balanced against the cost incurred by allowing it to fall into the possession of criminals.

There are many supporters of PATCH who are more technologically savvy than me. I especially enjoyed reading this article by Ryan Hagemann, Director of Technology Policy at the Niskanen Center, for RealClearPolicy. However, I do not think you need to know a lot about cybersecurity to understand why governments should place more emphasis on increasing the safety of cyberspace. A simple argument by analogy will suffice. It begins by observing that the internet represents the greatest leap forward in the exchange of ideas and digital goods and services, and what happens when governments make it safer to trade.

The US government spends a lot of money on policing the seas. Nobody has argued against this policy for a long time. US warships could behave like pirates, by raiding, sinking and stealing from the ships of other nations. They do not. The US Navy seeks to discourage lawlessness on the world’s oceans because trade is good for peaceful relations between countries, and good for the prosperity of all. In fact, some of the tensions between the USA and China relate to the latter country wanting to play a more significant role in policing the waters that are so important to its foreign trade. So if we can all agree that protecting the safety of seagoing vessels is a good thing because it preserves and protects trade, why would we feel differently about protecting those goods and services that travel through cyberspace? Container ships transport physical goods, whilst the internet transports intellectual goods. We should want all trade routes to be safe and secure, whether they cross the oceans or run through wires.

Confidence in trade leads to greater long-term benefits than any short-term gains which might be realized through piracy. Instead of focusing on the narrow gains which the NSA could achieve through enhanced spying, it would be better if cyberspace was made safer for all by charting and neutralizing the cyber rocks that can sink the digital ships of any business and any nation.

The full text of PATCH can be found here.

Eric Priezkalns
Eric Priezkalns

Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a founding member of Qatar’s National Committee for Internet Safety and the first leader of the TM Forum’s Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group, and is an editorial advisor to Black Swan. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric’s history as editor.