Originally posted on New York University School of Law’s Just Security
It’s well known that government is in the computer hacking business and, we would argue, that under the right circumstances, has legitimate reasons to stay in it. But government-sponsored hacking also poses real security risks. Without well-established, well-understood mechanisms for accountability and transparency, government hacking can undermine privacy, interfere with free expression, jeopardize critical infrastructure and hobble American tech companies that need to offer strong privacy and security solutions to their users to compete against other companies in the global marketplace.
Mechanisms that provide insight into why, when, and how the government hacks aren’t written into law yet. But legislation under consideration by Congress — the Protecting our Ability to Counter Hacking Act of 2017, also known as the PATCH Act — would be an important first step toward improving and clarifying the framework under which we allow our government to hack. (The act’s name derives from the fact that fixing security problems in software and networks typically requires software “patches” that modify computer code.)
Right now, the United States government uses a less formal interagency process to decide whether to withhold previously unknown software vulnerabilities that it discovers (often known as zero days), so that it may use them for its own hacking purposes, or to disclose them to companies so they can be fixed. But, given that the security of millions, if not billions, of global Internet users is often at stake, it’s shocking that the public knows so little about how this decision-making process works. Big policy questions — like whether the government should develop and collect computer “vulnerabilities” for primarily offensive or defensive purposes — deserve a bigger public debate, with Congress, not just agency bureaucrats, setting the ground rules.
But what ground rules need to be in place, precisely, to ensure the government strikes the right balance between public safety, corporate needs, and national security requirements?
[Read more of Michelle’s post over at Just Security.]