U.S. cyber bill would shift power away from spy agency
[May 18, 2017]
By Joel Schectman
WASHINGTON (Reuters) - A bill proposed in Congress on Wednesday would require the
U.S. National Security Agency to inform representatives of other
government agencies about security holes it finds in software like the
one that allowed last week's "ransomware" attacks.
Under former President Barack Obama, the government created a similar
inter-agency review, but it was not required by law and was administered
by the NSA itself.
The new bill would mandate a review when a government agency discovers a
security hole in a computer product and does not want to alert the
manufacturer because it hopes to use the flaw to spy on rivals. It also
calls for the review process to be chaired by the defense-oriented
Department of Homeland Security rather than the NSA, which spends 90
percent of its budget on offensive capabilities and spying.
Republican Senator Ron Johnson of Wisconsin and Democratic Senator Brian
Schatz of Hawaii introduced the legislation in the U.S. Senate Homeland
Security and Governmental Affairs Committee.

“Striking the balance between U.S. national security and general cyber
security is critical, but it’s not easy,” said Senator Schatz in a
statement. “This bill strikes that balance.”
Tech companies have long criticized the practice of withholding
information about software flaws so they can be used by government
intelligence agencies for attacks.
Hackers attacked 200,000 in more than 150 countries last week using a
Microsoft Windows software vulnerability that had been developed by the
NSA and later leaked online.
Microsoft President Brad Smith harshly criticized government practices
on security flaws in the wake of the ransomware attacks. "Repeatedly,
exploits in the hands of governments have leaked into the public domain
and caused widespread damage," Smith wrote in a blog post.

An undated aerial handout photo shows the National Security Agency (NSA)
headquarters building in Fort Meade, Maryland. NSA/Handout via
REUTERS

Agencies like the NSA often have greater incentives to exploit any security
holes they find for spying, instead of helping companies protect customers,
cyber security experts say.
"Do you get to listen to the Chinese politburo chatting and get credit from the
president?" said Richard Clayton, a cyber-security researcher at the University
of Cambridge. "Or do you notify the public to help defend everyone else and get
less kudos?"
Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute,
said that in putting DHS in charge of the process, the new bill was an effort to
put the process "into civilian control."
The new committee's meetings would still be secret. But once a year it would
issue a public version of a secret annual report.
The NSA did not immediately respond to a request for comment.
(Reporting by Joel Schectman; Editing by Jonathan Weber and David Gregorio)
[© 2017 Thomson Reuters. All rights
reserved.] Copyright 2017 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.