US bill forces NSA to inform government bodies about zero-days
A bill introduced in the US Congress would require the National Security Agency to inform other US government agencies about the zero-day vulnerabilities it discovers.
An arrangement already exists under which the NSA shares vulnerabilities with other government bodies, but it is a policy the NSA set for itself, with no legal obligation behind it. The new law would introduce a mandatory review whenever a government agency such as the NSA discovers a security vulnerability in software and decides to withhold it from the software's maker in order to use it for espionage. According to the bill, this review process would be chaired by the Department of Homeland Security, Reuters reports.
A Republican and a Democratic senator introduced the bill, hoping to strike a better balance between national-security interests and the security of computers and software in general.
Several tech companies have long criticized how the US government handles the vulnerabilities it discovers in software. Microsoft president Brad Smith has said it is a serious problem when governments stockpile vulnerabilities rather than report them. According to him, exploits held by governments leak too often, after which a great deal of damage can follow. He believes the government should give more weight to the harm done to citizens when such a vulnerability is abused.
This criticism intensified after recent attacks in which ransomware infected computer systems in some 150 countries. Last week, unknown actors distributed a ransomware variant called WannaCry, which spread using the EternalBlue exploit. The NSA developed this tool and is reported to have used it for about five years. The Shadow Brokers published EternalBlue in April, and that exploit was at the root of WannaCry's spread.
It recently emerged that the NSA itself was the party that alerted Microsoft to the vulnerabilities for which the Shadow Brokers published several exploits. Based on that information, Microsoft was able to release a patch in March, two months before WannaCry appeared; the systems it infected were those that had not yet applied it.