Should the State Dept. Have a Bug Bounty Program to Root Out Cyber Vulnerabilities? (H.R. 328)
Do you support or oppose this bill?
What is H.R. 328?
(Updated June 7, 2019)
This bill, the Hack Your State Department Act, would require the State Dept. to design, establish, and make publicly known a vulnerability disclosure process (VDP) to improve its cybersecurity. The process requirements would include: 1) identifying which information technology is in scope, 2) providing a readily available means for reporting discovered security vulnerabilities, and 3) identifying the offices and positions responsible for receiving and addressing security vulnerability disclosures.
The bill would also require the State Dept. to establish a bug bounty pilot program to provide compensation for reports of previously unidentified security vulnerabilities of its internet-facing information technology. This bug bounty program would be modeled on similar cash rewards programs at the Pentagon, Army, and Air Force. Hackers participating would have to be vetted by the State Dept. or a private company hired to run the program and pass background checks.
The State Dept. would be required to establish the vulnerability disclosure process within six months of enactment, and the bug bounty pilot program within a year. It’d also be required to report to Congress on how many vulnerabilities participants found, and how long it took to patch them.
Argument in favor
The State Dept. has been subject to repeated cyber attacks in recent years, and it doesn’t have the internal capacity and expertise to identify and fix its cyber vulnerabilities. Establishing a bug bounty program will help the State Dept. find its vulnerabilities, so it can address them.
Argument opposed
Bug bounty programs are expensive and cumbersome to maintain. They also aren’t a substitute for internal cybersecurity capacity. Rather than establishing a bug bounty program, the State Dept. should spend its time and money on improving its internal cyber defense capabilities.
Impact
Hackers; web bugs; State Dept; and Congress.
Cost of H.R. 328
When this bill was introduced in the 115th Congress, the CBO estimated that it’d cost less than $500,000 over the 2018-2023 period.
Additional Info
In-Depth: Rep. Ted Lieu (D-CA) reintroduced this bill from the 115th Congress to strengthen the State Dept.’s cyber defenses by tapping ethical hackers to identify vulnerabilities in State’s networks and data systems:
“You are only as strong as your weakest link. Vulnerability to cyber-attacks has been and continues to be a serious threat to our national security. It is vital that we do all we can to find the weak links in our government systems and fix them as fast as possible. Hack the State Department enables us to effectively identify our vulnerabilities and use the brightest cybersecurity minds to strengthen our defenses. Cyber threats are constantly evolving, and our cyber defenses must evolve with them.”
After this bill passed the House in the previous Congress, Rep. Lieu added:
“Cyber warfare is the next frontier of global conflict and our government needs to be prepared. As a recovering Computer Science major, I’ve long been concerned that we’re not doing enough to ensure our government’s data is secure. That’s why I’m grateful that the House has passed the Hack Your State Department Act… [I]t shows there’s a bipartisan willingness to come up with innovative ways to keep our country’s most sensitive information secure. Last week’s announcement of an email data breach at the State Department demonstrates that we can’t wait any longer to implement a program that will be responsive to ever-changing cyber threats and vulnerabilities.”
When this bill was introduced in the 115th Congress, Katherine Charlet, director of Carnegie’s Technology and International Affairs Program and former Acting Deputy Assistant Secretary of Defense for Cyber Policy, said this bill was a cost-effective, valuable way to improve the State Dept.’s cybersecurity:
“Executive agency networks are major targets for malicious actors in cyberspace. By using crowdsourcing policies, these agencies can identify and fix critical vulnerabilities. With this bill, Representatives Lieu and Yoho are promoting a cost effective and valuable way to raise the bar for cybersecurity.”
Katie Moussouris, a bug bounty expert and founder of Luta Security who helped the Pentagon set up its bug bounty program, argues that Congress “should be funding an overhaul of internal capabilities” at federal agencies rather than relying on bug bounties to substitute for those capabilities:
“Bug bounties should only be used in circumstances where you’ve done your best to find and fix issues yourself, not as a replacement for due diligence and process, and not as a replacement for professional penetration testing.”
The current version of this bill has the support of one cosponsor, Rep. Ted Yoho (R-FL). In the last Congress, this bill passed the House by a voice vote with the support of three bipartisan cosponsors, including two Democrats and one Republican. It also had the support of Carnegie’s Technology and International Affairs Program and the Coalition for Cybersecurity Policy and Law.
Of Note: Bug bounties give ethical hackers cash rewards for finding bugs. In 2017, private companies and governments together paid out $11.7 million in bounties to hackers.
Some government agencies, including the Dept. of Defense (DOD), Air Force, and Army, have seen success with bug bounty programs. The DOD’s first bug bounty program, “Hack the Pentagon,” which it ran in 2016, helped the Pentagon identify and fix 138 valid vulnerabilities over a 24-day period. In the two years since Hack the Pentagon’s inception, over 3,000 vulnerabilities have been identified in public-facing Pentagon websites.
Bug bounties’ proponents say crowdsourcing bug hunting helps organizations uncover more vulnerabilities than they could by relying on their own IT and security staffs alone. However, skeptics argue that bug bounties require a lot of time and money to manage, and can be counterproductive if an organization isn’t already patching known vulnerabilities or doesn’t have the resources to triage, validate, and fix the reports that come in.
Proponents also argue that the traditional model of cyber defense isn’t working to protect federal agencies: while federal cyber investments increased 162 percent from 2006 to 2018, the number of reported federal cyber incidents increased 1,512 percent over the same period (a figure that also reflects improved detection and mandatory incident reporting, not only more attacks).
When this bill was originally introduced in 2018, House Foreign Affairs Chairman Ed Royce (R-CA) cited a 2014 breach of the State Dept.’s unclassified email system as evidence that the department needed to improve its cybersecurity. That breach, attributed to Russian hackers, caused the State Dept. to temporarily shut down its email system.
Media:
Roll Call (Context)
Summary by Lorelei Yang
(Photo Credit: iStockphoto.com / ipopba)