Sign Up
..... Connect Australia with the world.
Categories

Posted: 2017-05-18 14:17:06

A bill proposed in US Congress would require the National Security Agency to inform representatives of other US government agencies about security holes it finds in software like the one that allowed the recent WannaCrypt ransomware attacks.

Under former President Barack Obama, the government created a similar inter-agency review, but it was not required by law and was administered by the NSA itself.

Microsoft slams US government over ransomware

Microsoft blames the US government for not disclosing software vulnerabilities after officials across the globe scrambled to catch the culprits behind a massive ransomware worm.

The new bill would mandate a review when a government agency discovers a security hole in a computer product and does not want to alert the manufacturer because it hopes to use the flaw to spy on rivals. It also calls for the review process to be chaired by the defense-oriented Department of Homeland Security rather than the NSA, which spends 90 per cent of its budget on offensive capabilities and spying.

Republican Senator Ron Johnson and Democratic Senator Brian Schatz introduced the legislation in the US Senate Homeland Security and Governmental Affairs Committee.

"Striking the balance between US national security and general cyber security is critical, but it's not easy," said Senator Schatz in a statement. "This bill strikes that balance."

Tech companies have long criticised the practice of withholding information about software flaws so they can be used by government intelligence agencies for attacks.

Hackers attacked 200,000 computers in more than 150 countries last week using a Microsoft Windows software vulnerability that had been developed by the NSA, was later stolen and eventually leaked online.

Microsoft President Brad Smith harshly criticised government practices on security flaws in the wake of the ransomware attacks. "Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage," Smith wrote in a blog post.

Agencies like the NSA often have greater incentives to exploit any security holes they find for spying, instead of helping companies protect customers, cyber security experts say.

"Do you get to listen to the Chinese politburo chatting and get credit from the president?" said Richard Clayton, a cyber-security researcher at the University of Cambridge. "Or do you notify the public to help defend everyone else and get less kudos?"

Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute, said that in putting DHS in charge of the process, the new bill was an effort to put the process "into civilian control."

The new committee's meetings would still be secret. But once a year it would issue a public version of a secret annual report.

The NSA did not immediately respond to a request for comment.

Reuters

View More
  • 0 Comment(s)
Captcha Challenge
Reload Image
Type in the verification code above