Does the Department of Homeland Security (DHS) need to be hacked? Legislators seem to think so.
Recently, the SECURE Technology Act was passed in Congress. The bill, introduced by Rep. Will Hurd, R-Texas, who serves on the House Homeland Security and Intelligence committees, would require DHS to establish a bug bounty program and security vulnerability reporting process. This is the third round of legislation proposed in 2018 that would invite hackers to report security weaknesses directly to DHS to detect where they are most vulnerable.
Earlier this month, Sens. Rob Portman, R-Ohio, and Maggie Hassan, D-N.H., introduced the bipartisan Public-Private Cybersecurity Cooperation Act. This is a companion bill to the House version (H.R. 6735) that passed earlier this year. The bill directs DHS to establish a vulnerability disclosure policy (VDP) for DHS websites. A VDP authorizes individuals to look for vulnerabilities in specified assets.
“At a time when cyber threats are on the rise, the United States government must protect itself. Doing so involves drawing upon the vast expertise of hackers and security experts in our country to identify vulnerabilities and report them to the people in a position to fix those flaws in our systems,” said Senator Portman in a statement.
This statement gets it right: With no clear solution to the increasing threats to cybersecurity, the United States must enlist the help of hackers. Hackers have unique insights. They have diverse skill sets and expertise. And there are a lot of them ready to help. They are good at building things, but importantly, they also enjoy breaking them. Unlike the bad guys, they want to break things in order to have them fixed. To fully leverage the power of hackers, it’s important that they aren’t penalized for the work they do, and that the vulnerabilities they find are acknowledged, analyzed and eventually fixed.
How DHS should work with hackers
The Public-Private Cybersecurity Cooperation Act wisely gives guidance about what should be in a vulnerability disclosure policy — dubbed the “see something say something” of the internet for reporting security weaknesses. A VDP should state not only what a hacker can do, but what a hacker cannot. What testing techniques can be used, and importantly, which ones shouldn’t? What assets are covered and which ones are not? What types of vulnerabilities does DHS want the hackers to look for, and which ones are off limits?
This type of information is included for clarity, but also to provide a safe harbor from liability. The DHS VDP should eventually be modeled on the Department of Defense’s VDP, which clearly states that DOD will not initiate or recommend any law enforcement or civil lawsuits related to activities permitted under the policy, and that in the event of any law enforcement or civil action brought by anyone other than DOD, it will take steps to make known that the hacker’s activities were conducted pursuant to and in compliance with its policy.
The more mature version of the VDP is a bug bounty program, where an organization pays hackers monetary rewards for the security flaws they report. The Senate passed a bill to establish a bug bounty pilot program within DHS (S.1281) earlier this year called the “Hack DHS Act.” Incentives add an additional layer of complexity. What to pay, how much, and for which findings all need to be thought through. It involves taxes and forms if cash compensation is used. Most importantly, once hackers start hacking, bugs come in very quickly. Given the speed and volume of the findings, DHS has to be ready; and given its knowledge base and security expertise, I’m sure it will be. However, other agencies may not have as many resources or as developed a security posture as DHS. In those cases, a VDP is the better first step. Make sure that you’re ready to manage and remediate the vulnerabilities before moving on to a bug bounty.
The Department of Defense’s work with hackers has been extremely successful, paving the way for other agencies. Since 2016 the DOD has resolved more than 5,000 security vulnerabilities as a result. As we saw with Hack the Pentagon’s bug bounty program, the first submission was reported within 13 minutes of the launch. By the end of the month, over 130 valid bugs were resolved in the Pentagon’s systems and tens of thousands of dollars paid to hackers for their efforts. This is why the bills require the DHS to consult with the DOD. Information sharing amongst the agencies is important. Less time reinventing the wheel means more time improving security.
We know that not everything can be public, but requiring reporting of the number of unique vulnerabilities found, who found them, and how long it took to remediate them is a good first step. The entire point of finding vulnerabilities is to remediate them. I’m hopeful that one or all of these bills pass by the end of the year because, by leveraging the hacking community worldwide, they bring security to the forefront in a positive way. The message is: we’re all in it together.
Deborah Chang joined HackerOne in 2018 as Vice President of Business Development and Policy. She started her career as an attorney at Wilson Sonsini Goodrich and Rosati in Palo Alto, working on IPOs, venture financings, M & A, and advising directors and officers. She has worked at many Silicon Valley companies, including Applied Materials, and most recently in senior business development roles at Massdrop and Shutterfly.