The NSA has two roles in life – OFFENSIVE cyber and DEFENSIVE cyber. The NSA spends, according to some estimates, 90% of its cyber budget on offensive cyber.
NSA, in its alter ego Cyber Command, is charged with defensive cyber.
What this means is that when the NSA finds a bug like the one exploited in WannaCry, it has to decide whether to disclose it to the vendor (furthering its defensive mission, but giving up the ability to use it offensively) or keep it secret and continue to use it.
The only problem is what happens if someone else discovers the bug and uses it against American companies. That is the conundrum.
Under President Obama the intelligence community was supposed to use something called the vulnerabilities equities process to decide whether to disclose or keep secret any vulnerabilities that it finds. That process was voluntary. After WannaCry, Congress is questioning whether the process is working.
The bill, called the PATCH (Protecting our Ability To Counter Hacking) Act, is designed to take exclusive control of the decision-making process away from the NSA and create a review board including the FBI, Homeland Security, CIA, Director of National Intelligence, Commerce and NSA. State, Treasury, Energy and the FTC would be involved when needed. Homeland Security would chair the board.
That does not mean that the spies are going to reveal every bug they find, but it may mean that the review process will be more balanced.
Since this bill was just introduced, it has a long way to go before it may become a law.
Information for this post came from The Register.