WASHINGTON – In case you missed it, the Washington Post highlighted efforts by Senator Maggie Hassan (D-NH) and colleagues from both parties in the U.S. Senate and House to push the Department of Homeland Security to strengthen its cyber defenses.
The bipartisan Hack DHS Act, authored by Senators Hassan and Rob Portman (R-OH), passed out of the House Committee on Homeland Security last week.
The bipartisan bill would establish a bug bounty pilot program – modeled on similar programs at the Department of Defense and major tech companies – to strengthen cyber defenses at DHS by using “white-hat” or ethical hackers to help identify unique and undiscovered vulnerabilities in DHS networks and data systems. A companion bill was introduced in the House by Representatives Ted Lieu (D-CA) and Scott Taylor (R-VA). The Senate version of the bill passed the Senate unanimously earlier this year.
See below for highlights of the coverage:
Lawmakers are going to bat in a big way for ethical hackers.
The House Homeland Security Committee advanced a pair of bipartisan bills late last week that would force the Department of Homeland Security to open the door to security researchers to probe the agency for cybersecurity vulnerabilities. DHS has resisted such a move, but lawmakers are ready to force the agency’s hand, saying independent testing is an important step toward improving its cyber hygiene.
One bill, called the Hack DHS Act, would create a bug bounty pilot program that would pay security researchers to root out bugs in the agency’s networks. The other would require DHS to set up a vulnerability disclosure policy that protects ethical hackers from legal action if they find a security flaw and report it responsibly. Both cruised through the committee with bipartisan support.
The votes highlight how Congress is shaking its old fears about hackers and embracing bug bounties as an effective way to address the federal government’s cybersecurity woes.
“There is a greater groundswell around this concept of turning these hackers into friends,” said Casey Ellis, founder of Bugcrowd, which helps organizations manage bug bounty and vulnerability disclosure programs. Bug bounty programs in particular are “graduating from a weird Silicon Valley, tech company thing to something that’s being adopted as a normal part of cybersecurity strategy,” he told me.
Bug bounty programs, which offer financial rewards or special recognition to security researchers who identify security flaws in an organization's systems, have seen a surge in support from the private sector in recent years. Companies as wide ranging as Google, Reddit, Uber and Western Union have adopted them.
Government agencies have also been warming up to the idea of inviting well-intentioned hackers to poke around in federal IT systems. Hack the Pentagon, the federal government's first bug bounty challenge held over four weeks in spring 2016, was a watershed moment for the relationship between feds and security researchers, proving to be such a success that the Defense Department went on to create the government’s first vulnerability disclosure program later that year. The General Services Administration has since adopted a similar program, and lawmakers are considering a bill that would establish bug bounty pilot and vulnerability disclosure programs at the State Department.
Lawmakers are frustrated that DHS, the government’s main cybersecurity agency, isn’t leading the charge on these efforts -- or even showing it's serious about creating one. During last week's votes, Rep. Jim Langevin (D-R.I.), a co-sponsor of the vulnerability disclosure bill, accused Homeland Security Secretary Kirstjen Nielsen of dragging her feet on a pledge to work with the committee on creating such a policy at DHS. “Unfortunately, it appears they will not do so unless Congress requires it of them,” Langevin said.
[…] A Senate version of the legislation was introduced by Sen. Maggie Hassan (D-N.H.) and passed by the chamber in April.