It was files of such vulnerabilities that were released by the hacking group ShadowBrokers last year that resulted in a series of ransomware attacks over the past few months.
The bill would require agencies that are holding such vulnerabilities to report to Congress on how they’re handling the existing requirements to report them to the responsible companies so they can be fixed.
There’s a common thread to these bills. Each of them places limits on what the agencies of the Executive Branch of the U.S. government can do in their efforts to gather information on American citizens and U.S. companies. In addition, they bring the agencies of the Executive Branch into some sort of harmony with current technology and security practices.
Part of this is necessary, and is supported by the agencies involved. The structure of DHS needs to be changed by Congress, because it was created by Congress in the first place. The revisions put into place by HR 3359 are supported by DHS, which needs a more coordinated structure to allow it to operate efficiently.
But the bills also provide a legal framework that requires agencies that keep cyber-vulnerability data to prove that they’re sharing the information with the companies that own the affected computer code, as required by law. There have been claims by Microsoft and others that this wasn’t happening, and recent cyber-attacks have demonstrated that to be the case.
In addition, the House and Senate are putting into place a means to stop Executive Branch agencies from finding ways to get around the Fourth Amendment, which is that part of the Bill of Rights that limits government's power to search for information and seize property. This is a favorite target of government prosecutors who sometimes look upon the Constitution as a huge inconvenience.
If all three of these bills become law, then the agencies involved will have to follow the laws and the Constitution more specifically—in part because evidence gathered in a manner not allowed by the law can be suppressed in court.
The bills provide the means to control a whole range of secret government information gathering beyond the knowledge of the targets of the information searches.
This assumes that the legislation succeeds in eliminating the gag orders that have forced communications and data storage companies to remain silent while the government freely conducted warrantless searches and seizures. It also assumes that government prosecutors and intelligence agencies won’t think of some other way to ignore the Fourth Amendment.
Approval of these bills represents just one in a series of steps to reassert Fourth Amendment protections against unreasonable searches and seizures.
Assuming that the legislation is signed into law by the president in an increasingly dysfunctional White House, the hope is that it will rein in the worst abuses. But that’s not the same thing as stopping all of the abuses.