'Cyber Vulnerability Disclosure Reporting Act' Passes the House, Moves to Senate
Most of the news about laws regarding online security has fallen on the “more likely to make us less secure” side of things in recent months. From the repeal of net neutrality to the decline of internet freedom worldwide, it’s been rough. However, today we’re sharing some good news for people who care about online security: A bill codifying how the Department of Homeland Security deals with disclosing vulnerabilities to Congress and to the public has passed the House and moves on to the Senate.
The Electronic Frontier Foundation (EFF) reports that H.R. 3202, titled the “Cyber Vulnerability Disclosure Reporting Act,” was introduced by Rep. Sheila Jackson Lee (D-TX) back in July of 2017. The bill requires the Secretary of Homeland Security to submit to Congress a report outlining the policies and procedures the Department of Homeland Security has developed for “coordinating cyber vulnerability disclosures.”
In plain English, the bill requires the DHS to report to Congress how it has reported computer hardware and software flaws to the companies that create that hardware and software.
A second part of the bill calls for an “annex” that would include a record of specific instances where the government has reported vulnerabilities to tech companies — and the steps those tech companies took in response. Subsection (b) creates a provision that the information will be submitted in unclassified form, but may include a classified annex.
Some lawmakers argue that the classification of the exact steps companies take to respond to vulnerabilities is necessary in order to protect companies from risky situations, but the EFF argues that, for the most part, the people’s right to know is more important.
The EFF points out that this bill, if it makes it through the Senate, could potentially reveal whether or not the US government has actually been reporting vulnerabilities, a claim it has made for years. Because there hasn’t been any requirement for transparency from the government up until now, the only way the public knows a vulnerability has been disclosed is if a company reports it itself. That’s what happened in 2016, when Apple disclosed that the FBI had given it its first vulnerability report. However, even that disclosure was not very useful: an Apple exec said that the vulnerability the FBI outlined had been identified and patched by the company months before.
Ultimately, H.R. 3202 is a short bill that could potentially result in a more transparent process for the government reporting vulnerabilities to tech companies and, depending on that classified annex, to the public at large. Keep an eye on the progression of H.R. 3202 as it moves through the Senate and, possibly, into law.