On January 9, the House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act by voice vote. The Act directs the Secretary of the U.S. Department of Homeland Security (“DHS”) to prepare a report describing the policies and procedures that DHS developed to coordinate cyber vulnerability disclosures. Under the Homeland Security Act of 2002 and the Cybersecurity Information Sharing Act of 2015 (“CISA”), DHS is responsible for working with industry to develop DHS policies and procedures for coordinating the disclosure of cyber vulnerabilities.
Although the new legislation does not define “cyber vulnerability,” CISA, which is often used in the U.S. as an indicator of common practice with regard to information sharing, defines a “cyber threat indicator” as information that is necessary to describe or identify:
- malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
- a method of defeating a security control or exploitation of a security vulnerability;
- a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
- a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
- malicious cyber command and control;
- the actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
- any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
- any combination thereof.
The requirements of the proposed legislation appear, in part, to supplement CISA’s goal of encouraging cyber information sharing by requiring DHS to report on its progress. These reporting obligations require DHS to submit “an annex with information on instances in which such DHS policies and procedures were used to disclose cyber vulnerabilities” during the preceding year “and, where available, information on the degree to which such information was acted upon by industry and other stakeholders.” The report may also include “a description of how the DHS Secretary is working with other Federal entities and critical infrastructure owners and operators to prevent, detect, and mitigate cyber vulnerabilities.” The report will be “submitted in unclassified form but may contain a classified annex.” Should this Act be enacted into law, the resulting DHS report would offer more transparency on the policies and procedures DHS, and potentially other federal agencies, use in disclosing vulnerabilities.
The Act moves to the Senate for a possible vote. If passed by the Senate and signed by the President, the Secretary of DHS will have 240 days within which to submit the report to the House Committee on Homeland Security and the Senate Committee on Homeland Security and Governmental Affairs. Both the Executive Branch and Congress have been increasingly focused on the issue of cyber vulnerability disclosure in recent years.