Reply to post: Re: Yeah, Right

Feds may have to explain knowledge of security holes – if draft law comes into play

tom dial Silver badge

Re: Yeah, Right

The general drift of what is in the material Snowden took and Greenwald, Poitras, and numerous others published is that the NSA, in general, has adhered to the provisions of the laws under which it operates. To be sure, they have operated at and occasionally exceeded those legal limits. And they have requested and sometimes received Attorney General and FISC permission for expansive interpretations of the powers the law grants them. When denied or overruled, however, they appear to have pulled back appropriately. They seem to have had fairly extensive internal controls and audit trails, and reported errors, as required, to the AG and FISC. All of this apparently was known to congressional oversight committee members, or could have been had they bestirred themselves and looked at the classified material the NSA made available to them. The presumption should be that if this bill is enacted, they will follow the law as modified.

In any case, the NSA presumably is one of the non-enumerated "stakeholders" mentioned in 6 USC 148(m) that is the subject of this bill; that section reads:

"(m) Coordinated vulnerability disclosure

The Secretary, in coordination with industry and other stakeholders, may develop and adhere to Department policies and procedures for coordinating vulnerability disclosures."

The bill in process appears to require only a report of certain DHS policies and procedures that may include NSA activities related to software vulnerabilities NSA knows and others do not. At that, it seems to require only one such report where one reasonably would expect it to direct periodic reporting. It also does not require that they release any information about those vulnerabilities, or regulate their use of them beyond limits in place or to be legislated otherwise. So not only can the NSA, based on history, be expected to follow the proposed law, there seems to be no important reason for them, or DHS, not to comply.

As referred to the Senate, the bill seems pretty inconsequential.

Biting the hand that feeds IT © 1998–2021