
House Bill H.R. 328

Should the State Dept. Have a Bug Bounty Program to Root Out Cyber Vulnerabilities?

Argument in favor

The State Dept. has been subject to repeated cyber attacks in recent years, and it doesn’t have the internal capacity and expertise to identify and fix its cyber vulnerabilities. Establishing a bug bounty program will help the State Dept. find its vulnerabilities, so it can address them.

01/21/2019
I approve of this bill if in addition to the bug bounty program, a comprehensive investigation and overhaul of the overall cyber security program at State is conducted at the same time. There is a tendency for stop-gap measures like a bug bounty to become entrenched and relied upon because they can be manipulated by political forces. A full investigation, followed by ongoing routine comprehensive reviews, is the best protection for the department.
Like (92)
Kj's Opinion
01/23/2019
Application security is one of the most overlooked aspects of testing in software development. Bug bounty programs allow security professionals of various specialties and backgrounds to get rewarded for their work and to do it safely—without an official program, it is very easy for these professionals to get into legal trouble. The findings of freelance security specialists help keep our technology secure, and they should get rewarded for that work.
Like (49)
burrkitty's Opinion
01/21/2019
Spending on cyber security needs to be seriously ramping up. This is a good program that mimics what tech companies do to protect their own systems. Spending wise it’s a grain of sand on the beach. Go to it!
Like (37)

Argument opposed

Bug bounty programs are expensive and cumbersome to maintain. They also aren’t a substitute for internal cybersecurity capacity. Rather than establishing a bug bounty program, the State Dept. should spend its time and money on improving its internal cyber defense capabilities.

Mark's Opinion
01/23/2019
Why not just hire the best and pay them well. Geez, it's just our national security.
Like (39)
dEllett's Opinion
01/23/2019
Not just nay, but hell nay! This is ludicrous! This is another major indictment of our failing government and particularly our current legislature. I find this incredibly incompetent and very distressing. Were this not part of a larger pattern, I would think they were insane, but no, just incredibly incompetent and corrupt. I fully agree with the remarks by “Katie Moussouris, A BUG BOUNTY EXPERT and founder of Luta Security”: “Congress “should be funding an overhaul of internal capabilities” (my exact immediate reaction when I read this bill) Bug bounties should only be used in circumstances where you’ve done your best to find and fix issues yourself, not as a replacement for due diligence and process, and not as a replacement for professional penetration testing.” Considering all the things we waste time and money on, ESPECIALLY NON-GOVERNMENT ISSUES, to fail to address the root problems of a major, wide-ranging and serious issue with the appropriate dedication of time and priority of government resources is a disturbing abdication of their primary responsibilities, even considering their greater precedent and abject failure to address the looming economic catastrophe of Social Security, Medicare and Medicaid. We have witnessed a disturbing trend in both government and the private sector of waiting until a major hack occurs before addressing cybersecurity. Congress pretends to great protest and anger when the private sector does this. Not only do they then fail to do anything of significance, but they then pretend ignorance and anger when our own government exceeds the private sector in the depth and breadth of its data breaches, assuming we are even aware of all the government data breaches.
Like (17)
operaman's Opinion
04/13/2019
Are our cybercrime experts paid a salary to discover cyber vulnerabilities? So why pay a bonus for them to discover bugs when it’s their job?
Like (12)

Bill Progress

  • Not enacted
    The President has not signed this bill
  • The Senate has not voted
    Senate Committees: Committee on Foreign Relations
  • The House passed January 22nd, 2019
    Roll Call Vote: 377 Yea / 3 Nay
    House Committees: Committee on Foreign Affairs
  • Introduced January 8th, 2019

What is House Bill H.R. 328?

This bill, the Hack Your State Department Act, would require the State Dept. to design, establish, and make publicly known a Vulnerability Disclosure Program (VDP) to improve cybersecurity. The process requirements would include: 1) identifying which information technology should be included, 2) providing a readily available means of reporting discovered security vulnerabilities, and 3) identifying the offices and positions that would be responsible for addressing security vulnerability disclosures.

The bill would also require the State Dept. to establish a bug bounty pilot program to provide compensation for reports of previously unidentified security vulnerabilities of its internet-facing information technology. This bug bounty program would be modeled on similar cash rewards programs at the Pentagon, Army, and Air Force. Hackers participating would have to be vetted by the State Dept. or a private company hired to run the program and pass background checks.

The State Dept. would be required to establish the vulnerability disclosure policy within six months, and the bug bounty program within a year. It’d also be required to report to Congress on how many digital bugs participants found, and how long it took to patch those bugs.

Impact

Hackers; web bugs; the State Dept.; and Congress.

Cost of House Bill H.R. 328

When this bill was introduced in the 115th Congress, the CBO estimated that it’d cost less than $500,000 over the 2018-2023 period.

More Information

In-Depth: Rep. Ted Lieu (D-CA) reintroduced this bill from the 115th Congress to strengthen the State Dept.’s cyber defenses by tapping ethical hackers to identify vulnerabilities in State’s networks and data systems:

“You are only as strong as your weakest link. Vulnerability to cyber-attacks has been and continues to be a serious threat to our national security. It is vital that we do all we can to find the weak links in our government systems and fix them as fast as possible. Hack the State Department enables us to effectively identify our vulnerabilities and use the brightest cybersecurity minds to strengthen our defenses. Cyber threats are constantly evolving, and our cyber defenses must evolve with them.”

After this bill passed the House in the previous Congress, Rep. Lieu added:

“Cyber warfare is the next frontier of global conflict and our government needs to be prepared. As a recovering Computer Science major, I’ve long been concerned that we’re not doing enough to ensure our government’s data is secure. That’s why I’m grateful that the House has passed the Hack Your State Department Act… [I]t shows there’s a bipartisan willingness to come up with innovative ways to keep our country’s most sensitive information secure. Last week’s announcement of an email data breach at the State Department demonstrates that we can’t wait any longer to implement a program that will be responsive to ever-changing cyber threats and vulnerabilities.”

When this bill was introduced in the 115th Congress, Katherine Charlet, director of Carnegie’s Technology and International Affairs Program and former Acting Deputy Assistant Secretary of Defense for Cyber Policy, said this bill was a cost-effective, valuable way to improve the State Dept.’s cybersecurity:

“Executive agency networks are major targets for malicious actors in cyberspace. By using crowdsourcing policies, these agencies can identify and fix critical vulnerabilities. With this bill, Representatives Lieu and Yoho are promoting a cost effective and valuable way to raise the bar for cybersecurity.”

Katie Moussouris, a bug bounty expert and founder of Luta Security who helped the Pentagon set up its bug bounty program, argues that Congress “should be funding an overhaul of internal capabilities” at federal agencies rather than relying on bug bounties as a substitute for those capabilities:

“Bug bounties should only be used in circumstances where you’ve done your best to find and fix issues yourself, not as a replacement for due diligence and process, and not as a replacement for professional penetration testing.”

The current version of this bill has the support of one cosponsor, Rep. Ted Yoho (R-FL). In the last Congress, this bill passed the House by a voice vote with the support of three bipartisan cosponsors, including two Democrats and one Republican. It also had the support of Carnegie’s Technology and International Affairs Program and the Coalition for Cybersecurity Policy and Law.


Of Note: Bug bounties give ethical hackers cash rewards for finding bugs. In 2017, private companies and governments together paid out $11.7 million in bounties to hackers.

Some government agencies, including the Dept. of Defense (DOD), Air Force, and Army, have seen success with bug bounty programs. The DOD’s bug bounty program, “Hack the Pentagon,” which it started in 2016, helped the Pentagon identify and fix over 138 system vulnerabilities over a 24-day period. In the two years since Hack the Pentagon’s inception, over 3,000 vulnerabilities have been identified in public-facing Pentagon websites.

Bug bounties’ proponents say crowdsourcing bug hunting helps organizations uncover more digital vulnerabilities than they could by relying on just their own IT and security staffs. However, skeptics argue that bug bounties require a lot of time and money to manage, and can be counterproductive if an organization isn’t already patching known vulnerabilities or doesn’t have the resources to vet and patch the bug reports that come in.

The traditional model of cyber defense isn’t working to protect federal agencies. As federal cyber investments increased 162 percent from 2006-2018, the number of federal cyber incidents increased 1512 percent over the same period.

When this bill was originally introduced in 2018, House Foreign Affairs Chairman Ed Royce (R-CA) cited a 2014 breach of the State Dept.’s email system as evidence that the department needed to improve its cybersecurity. That breach by Russian hackers caused the State Dept. to temporarily shut down its email system.



Summary by Lorelei Yang

(Photo Credit: iStockphoto.com / ipopba)

AKA

Hack Your State Department Act

Official Title

To require the Secretary of State to design and establish a Vulnerability Disclosure Process (VDP) to improve Department of State cybersecurity and a bug bounty program to identify and report vulnerabilities of internet-facing information technology of the Department of State, and for other purposes.

Of course we should protect ourselves! And I love the fact that it will be an internal department and not contracted out to some corporation.
Like (13)
Yes. Our State Department must be cyber secure. And humans must not share state secrets with dictator regimes (Trump and Pompeo are both national security threats).
Like (11)
Foreign and domestic entities do not need to know where vulnerabilities lie within our net infrastructures. Locate and identify the weaknesses and let the companies know, but don’t put it all out there.
Like (9)
Does a cat or dog scratch fleas when they have them? This is a no-brainer. Yes, of course we should have and put into place all measures of security and protections against cyber threats as well as concrete securities like the wall. Build that wall and save taxpayers money!
Like (9)
This is a great place to start. What is really needed is a Government-wide cyber security operation that does its own research and coordinates with all of the other governmental resources.
Like (9)
Anything this creep Ted Lieu supports I oppose. This guy is a hateful scumbag.
Like (8)
Need a NON “gun-slinger” sensational bumper-sticker, thoughtful, FULL-TIME approach to something as SERIOUS as cyber security! ...something THIS president is totally incapable of doing...
Like (6)
I have a serious problem with our own government not having the expertise or technical understanding to deal with these threats. This seems like a no-brainer. Why would we, as a country, not have the best in cybersecurity working for the government on all aspects of cyber threats? This goes back to why we should have a Department of Science and Technology and committees made up of leaders in this industry. We should not be hiring bounty hunters to hunt these people down unless it is in relation to lending assistance in extreme cases. Americans should not feel like their infrastructure is not protected proactively but rather reacts only when events happen.
Like (5)
The projected cost is a drop in the bucket! Something needs to be done, and as far as I'm concerned more $ needs to be spent on protecting our State Dept. as well as ALL depts. of government: state, local, federal.
Like (5)
Really? Hello enemies... here are our weak doors that you can lock in and get access to our information. And as a bonus we will pay you to steal from us! Win win!! No way should this be made public. If you want to do this, vet teams to do this. Don’t make it public. It could be singular to a hackathon games.
Like (4)
PROBABLY CAN'T PASS THE SENATE AFTER TRUMP SAID "I LOVE WIKILEAKS" 160 TIMES DURING ONE MONTH OF CAMPAIGNING. CROOKED TRUMP AND THE GOP WON'T STAND FOR TRANSPARENCY AND ACCOUNTABILITY.
Like (3)
“With enough eyeballs, all bugs are shallow.” This is a good idea.
Like (2)
Why not. It’s an efficient way to find the bugs in a system because hackers think outside the box!
Like (2)