In-Depth: Rep. Ted Lieu (D-CA) reintroduced this bill from the 115th Congress to strengthen the State Dept’s cyber defenses by tapping ethical hackers to identify vulnerabilities in State’s networks and data systems:
“You are only as strong as your weakest link. Vulnerability to cyber-attacks has been and continues to be a serious threat to our national security. It is vital that we do all we can to find the weak links in our government systems and fix them as fast as possible. Hack the State Department enables us to effectively identify our vulnerabilities and use the brightest cybersecurity minds to strengthen our defenses. Cyber threats are constantly evolving, and our cyber defenses must evolve with them.”
After this bill passed the House in the previous Congress, Rep. Lieu added:
“Cyber warfare is the next frontier of global conflict and our government needs to be prepared. As a recovering Computer Science major, I’ve long been concerned that we’re not doing enough to ensure our government’s data is secure. That’s why I’m grateful that the House has passed the Hack Your State Department Act… [I]t shows there’s a bipartisan willingness to come up with innovative ways to keep our country’s most sensitive information secure. Last week’s announcement of an email data breach at the State Department demonstrates that we can’t wait any longer to implement a program that will be responsive to ever-changing cyber threats and vulnerabilities.”
When this bill was introduced in the 115th Congress, Katherine Charlet, director of Carnegie’s Technology and International Affairs Program and former Acting Deputy Assistant Secretary of Defense for Cyber Policy, said this bill was a cost-effective, valuable way to improve the State Dept.’s cybersecurity:
“Executive agency networks are major targets for malicious actors in cyberspace. By using crowdsourcing policies, these agencies can identify and fix critical vulnerabilities. With this bill, Representatives Lieu and Yoho are promoting a cost effective and valuable way to raise the bar for cybersecurity.”
Katie Moussouris, a bug bounty expert and founder of Luta Security who helped the Pentagon set up its bug bounty program, argues that, rather than setting up a bug bounty program, Congress “should be funding an overhaul of internal capabilities” at federal agencies to make them more secure, and that bug bounties should not be relied on as a replacement for those internal capabilities:
“Bug bounties should only be used in circumstances where you’ve done your best to find and fix issues yourself, not as a replacement for due diligence and process, and not as a replacement for professional penetration testing.”
The current version of this bill has the support of one cosponsor, Rep. Ted Yoho (R-FL). In the last Congress, this bill passed the House by a voice vote with the support of three bipartisan cosponsors, including two Democrats and one Republican. It also had the support of Carnegie’s Technology and International Affairs Program and the Coalition for Cybersecurity Policy and Law.
Of Note: Bug bounties give ethical hackers cash rewards for finding bugs. In 2017, private companies and governments together paid out $11.7 million in bounties to hackers.
Some government agencies, including the Dept. of Defense (DOD), Air Force, and Army, have seen success with bug bounty programs. The DOD’s bug bounty program, “Hack the Pentagon,” which it started in 2016, helped the Pentagon identify and fix over 138 system vulnerabilities over a 24-day period. In the two years since Hack the Pentagon’s inception, over 3,000 vulnerabilities have been identified in public-facing Pentagon websites.
Bug bounties’ proponents say crowdsourcing bug hunting helps organizations uncover more digital vulnerabilities than they could by relying on just their own IT and security staffs. However, skeptics argue that bug bounties require a lot of time and money to manage, and can be counterproductive if an organization isn’t already patching known vulnerabilities or doesn’t have the resources to vet and patch the bug reports that come in.
The traditional model of cyber defense isn’t working to protect federal agencies. As federal cyber investments increased 162 percent from 2006-2018, the number of federal cyber incidents increased 1512 percent over the same period.
When this bill was originally introduced in 2018, House Foreign Affairs Chairman Ed Royce (R-CA) cited a 2014 breach of the State Dept’s email system as evidence that the department needed to improve its cybersecurity. That breach by Russian hackers caused the State Dept. to temporarily shut down its email system.
Summary by Lorelei Yang (Photo Credit: iStockphoto.com / ipopba)