back to article Feds may have to explain knowledge of security holes – if draft law comes into play

The US House of Representatives this week approved a bill that, given further legislative and executive branch support, will require the American government to account for its handling of software and hardware vulnerabilities. The "Cyber Vulnerability Disclosure Reporting Act," sponsored by Rep Sheila Jackson Lee (D-TX), …

  1. tom dial Silver badge

    It would not have been hard to put the entire essential content in the article:

    "a) Report

    Not later than 240 days after the date of the enactment of this Act, the Secretary of Homeland Security shall submit to the Committee on Homeland Security of the House of Representatives and the Committee on Homeland Security and Governmental Affairs of the Senate a report that contains a description of the policies and procedures developed for coordinating cyber vulnerability disclosures, in accordance with section 227(m) of the Homeland Security Act of 2002 (6 U.S.C. 148(m)). To the extent possible, such report shall include an annex with information on instances in which such policies and procedures were used to disclose cyber vulnerabilities in the year prior to the date such report is required and, where available, information on the degree to which such information was acted upon by industry and other stakeholders. Such report may also contain a description of how the Secretary is working with other Federal entities and critical infrastructure owners and operators to prevent, detect, and mitigate cyber vulnerabilities.

    (b) Form

    The report required under subsection (b) shall be submitted in unclassified form but may contain a classified annex."

    If I were at DHS this would not bother me a lot, larded as it is with weasel phrases like "to the extent possible," "where available," and "may contain;" especially as I could put anything touchy in a classified annex.

    A feel-good act on a par with the best of them, this will take a fraction of an analyst's year to compile and arrange. As written and, on January 9 passed by the US House of Representatives, it seems to be required only once. Representative Lee ought, at the least, to have required it to be updated annually.

    1. Anonymous Coward
      Anonymous Coward

      On the other hand, the content is irrelevant. It's a bill sponsored by the Democrats, and the Republicans have a majority in both houses, and are deeply sympathetic to the anti-democracy tendencies of the TLAs.

      I feel the Reg could have made that point a little clearer, since in the article those points are evident only from a single capital D. That might be clear for those who take a passing interest in US politics, but not everybody does.

  2. John Smith 19 Gold badge

    OMG. A law in less than 200 pages in more or less plain English


    Yes it does seem like something that should be re-visited on a regular (but of course how regular?) basis.

  3. BebopWeBop Silver badge

    The remainder, the NSA said, are either fixed by vendors before disclosure or are retained for national security reasons.

    The4 NSA have been generous and shared or made available vulnerabilities to other countries security service as well as countless entrepreneurs as well

  4. Pascal Monett Silver badge

    The NSA is just like Trump

    It will say whatever it thinks gets it off the hook.

    Unlike Trump, however, there is no extensive public record that would demonstrate just how much what the NSA says is just a pack of lies.

    So we'll just take it as a given.

  5. Will Godfrey Silver badge
    Thumb Down

    Yeah, Right

    Does anyone actually believe the NSA would obey such a law? The very best possibility would be a slow/partial release of old exploits once they've found better ones.

    1. Anonymous Coward
      Anonymous Coward

      Re: Yeah, Right

      Of course they will, there's no oversight, there's no one to force them to do it, there's no one to check they have done it and there's no one who knows what they have that's connected to this law.

      Then again maybe they won't...

    2. tom dial Silver badge

      Re: Yeah, Right

      The general drift of what is in the material Snowden took and Greenwald, Poitras, and numerous others published is that the NSA, in general, has adhered to the provisions of the laws under which it operates. To be sure, they have operated at and occasionally exceeded those legal limits. And they have requested and sometimes received Attorney General and FISC permission for expansive interpretations of the powers the law grants them. When denied or overruled, however, they appear to have pulled back appropriately. They seem to have had fairly extensive internal controls and audit trails, and reported errors, as required, to the AG and FISC. All of this apparently was known to congressional oversight committee members, or could have been had they bestirred themselves and looked at the classified material the NSA made available to them. The presumption should be that if this bill is enacted, they will follow the law as modified.

      In any case, the NSA presumably is one of the non-enumerated "stakeholders" mentioned in 6 USC 148(m) that is the subject of this bill; That section reads:

      "(m) Coordinated vulnerability disclosure

      The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures."

      The bill in process appears to require only a report of certain DHS policies and procedures that may include NSA activities related to software vulnerabilities NSA know and others do not. At that, it seems to require only one such report where one reasonably would expect it to direct periodic reporting. It also does not require that they release any information about those vulnerabilities, or regulate their use of them beyond limits in place or to be legislated otherwise. So not only can the NSA, based on history, be expected to follow the proposed law, there seems to be no important reason for them, or DHS, not to comply.

      As referred to the Senate, the bill seems pretty inconsequential.

      1. Anonymous Coward
        Big Brother

        Freedom is slavery ..

        @tom dial: "The general drift of what is in the material Snowden took and Greenwald, Poitras, and numerous others published is that the NSA, in general, has adhered to the provisions of the laws under which it operates."

        You must be operating from some kind of a mirror universe, the NSA has been hoovering up the worlds communications for decades. The legal provisions of which were kept secret until Snowden leaked them. Not that the NSA limit themselves to the law. Mass surveillance enacted in secret is fascism.

        1. Anonymous Coward
          Anonymous Coward

          Re: Freedom is slavery ..

          "Mass surveillance enacted in secret is fascism."

          Or far more commonly it's a feature of communism / Trotskyism / socialism.

          1. Bernard M. Orwell

            Re: Freedom is slavery ..

            ""Mass surveillance enacted in secret is fascism."

            Or far more commonly it's a feature of communism / Trotskyism / socialism."

            Fascism is a greatly misunderstood word, and I see posts like this all the time. Fascism is not a function of party politic; it is neither right nor left wing in nature, so this "debate" over whether Fascism is a property of right wingers (Trump, Nazis, the Conservatives), or that of left wingers (Sanders, Marx, Communists) is a nonsense.

            Fascism describes an overly authoritarian governmental model that emphasizes control of the population, and the sublimation of the individual, in favour of empowerment of the state. This form of authoritarianism can be found in many instances of both contemporary and historical government.

            It is widely held that the following features mark a fascist (authoritarian) government as such:

            Nationalism or extreme patriotism, lack of human/civil/individual rights, identification of a unifying enemy, supremacy of the military, control of media, mass surveillance and social control, extreme national security, corporate power is protected, labour power is controlled, disdain for art and intellectualism, extreme police powers and uncompromising political rhetoric.

            We identify fascism with the right wing more usually due to its origins in fascist Spain and Italy and its strong association with the rise of the Nazi philosophy, but it is far from absent in left wing national politics, being apparent in such places as north Korea and Cambodia (historically speaking).




        2. tom dial Silver badge

          Re: Freedom is slavery ..

          "The NSA has been hoovering up the worlds communications for decades." Of course they have - the NSA since 1952 (65 years) and its various predecessors from 1917, for a total of a full century and counting. It is their mission. The implicit suggestion that the US or NSA are unique in this is absurd, as quite a few countries (including the other four of the Five Eyes) are active in the same sort of activity, for the same reasons.

          A significant part of this "hoovering" is, for technical reasons, conducted within the US, and wherever done will collect information pertinent to both senders and receivers, even when only one of them can plausibly be thought "foreign." That probably is how Ambassador Kislyak's conversations with Michael Flynn were collected. It may be unfortunate, but plainly is unavoidable, that some "US Person" communications will be collected. Much has been made of this type of collection, but it is permitted by the operative laws, which the Congress may, if it wishes, adjust as it sees proper.

          Most of the collected communications, especially in later years after exponential growth of Internet communication volume, has almost surely been discarded, a large part of it because of legal retention limits, but mostly because automated filters reject it or administrative retention limits based on practical considerations are reached.

          It is incorrect in part to say the legal provisions were secret until Snowden leaked them, however. They are, and were, generally available in the US Code (Title 50) and were the subject of extensive and well publicized hearings around 1976, and legislation in 1978. The Foreign Intelligence Surveillance Act was amended in 2008 after additional hearings. Executive order 12333, with various amendments, has been in effect, and available in the Federal Register since December, 1981. The Foreign Intelligence Surveillance Court and the FISC Court of Review also were established in the law; they were no secret, either, despite the fact that they deal with classified material and issue classified decisions. Those classified decisions, along with the classified briefs and arguments that preceded them, comprise a major part of what was kept secret until (and mostly after) Snowden leaked them.

          James Bamford's books, as well as others, along with numerous reports in major news publications like the New York Times and Washington Post revealed a good deal about NSA activities over its lifetime, so many, maybe most, NSA surveillance activities were not secret, although most people were, and probably still are, ignorant of them.

          Did the NSA sometimes exceed its authority? Certainly, and in some instances they were taken to task by the FISC and required to step back. In other cases the activities got congressional blessing after the fact (e. t., the US Patriot Act). In quite a few cases, the excesses were technical errors or, in a few, employee misconduct. Based on reading a significant number of the documents Snowden leaked, in addition to or instead of the breathless reporting about the documents does, in fact, suggest rather strongly that NSA management has established meaningful and generally effective controls and auditing procedures over authorized activities; that the NSA staff have implemented many of them in software; and that the analysts and other staff generally adhere to them.

          1. Sir Runcible Spoon Silver badge

            Re: Freedom is slavery ..

            Most of the collected communications, especially in later years after exponential growth of Internet communication volume, has almost surely* been discarded, a large part of it because of legal retention limits, but mostly because automated filters reject it or administrative retention limits based on practical considerations are reached.

            Not because it's morally reprehensible then? No, didn't think so.

            *Nice bit of optimism there, but in these days of lies within lies it's dangerously naive to even contemplate. Don't forget, people have been referring to NSA activities for years and were ridiculed as 'tin-foil hatters'. Turns out most of those people *underestimated* the extent of the surveillance.

            No, apologists for the NSA are going to have to run the same gauntlet now I'm afraid. If you don't think they are slurping everything, forever, in every way possible, then you are crazily naive. See how that works?

        3. This post has been deleted by its author

      2. rmullen0

        Re: Yeah, Right

        Yeah right, the NSA totally obeys the law. Especially the 4th Amendment which prohibits warrantless wiretaps. I don't care what the criminals in Congress say, they are disobeying the Constitution. You must work for the government to make such a blatantly false statement. Nice propaganda.

    3. Dr. Ellen
      Big Brother

      Re: Yeah, Right

      And when they're caught not-doing-it, nothing bad will happen to them. Pity what happened to that whistleblower, though.

  6. anonymous boring coward Silver badge

    NSA's duty would be to do nothing like this. So I doubt they will.

    Anything already known (floating around the internet) or useless will be disclosed. The rest, not so much.

  7. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021