US spies could have to disclose their hacking tools to the public under a new proposal

Key Points
  • A bill proposed by two U.S. lawmakers could require the National Security Agency to disclose security vulnerabilities it finds in software.
  • It comes after the hackers behind the WannaCry cyberattack used an NSA exploit to deploy their virus.

The U.S. National Security Agency (NSA) could be required to make public any security flaws it finds in software that it exploits to spy on users under a bill proposed by two lawmakers on Wednesday.

According to the "Protecting our Ability to Counter Hacking Bill" or the "PATCH Bill", a board headed up by the Secretary of Homeland Security shall consider if a vulnerability discovered by the NSA should be disclosed to the companies concerned or the public.

The board will need to consider whether the flaw is used in core internet or critical infrastructure; what risks are posed by leaving the vulnerability unpatched; how likely it is that another actor could exploit it; and whether the NSA could achieve its objective without exploiting the security hole.

Other board members will include the director of the Federal Bureau of Investigation (FBI), the director of the Central Intelligence Agency (CIA), and a handful of other important organizations.

The proposal by Republican Senator Ron Johnson of Wisconsin and Democratic Senator Brian Schatz of Hawaii comes after a major cyberattack hit 200,000 computers across the world last week. The virus known as WannaCry locked files up on a user's computer and demanded that they pay a bitcoin ransom in order to get them back.

But the hackers were able to exploit the flaw in Microsoft's Windows operating system because the NSA had previously found a hole. The NSA's exploit was leaked online by a group called the Shadow Brokers, which allowed the WannaCry hackers to find out about it.

Governments have received growing criticism about their surveillance methods. Microsoft's Chief Legal Officer Brad Smith said governments should stop stockpiling exploits.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Smith said in a blog post on Sunday.

Under the proposed bill, the board would create an annual report, with an unclassified version released to the public.