Lawmakers Eye Cyber Bounties to Fix Bugs in Federal Networks
Lawmakers last week moved closer to mandating that the Department of Homeland Security start a bug bounty program that will pay computer security researchers to spot weaknesses in DHS’s computer networks. That requirement would bring the department in line with other U.S. agencies with similar cybersecurity programs.
The House Homeland Security Committee on Thursday by unanimous consent approved a Senate bill that would set up a pilot program at the department. The Senate passed the bill on April 17. The Pentagon, the IRS and the General Services Administration already operate such programs, and lawmakers have proposed legislation that would launch similar efforts at the departments of State and Treasury.
The committee also approved another measure that would require DHS to establish a vulnerability disclosure policy. Such a policy would help security researchers notify department officials if they come across weaknesses on DHS digital networks and websites. Both measures now go to the full House for consideration.
Noting that the Pentagon and the GSA already have disclosure policies and bounty programs, Rep. Jim Langevin said at the markup he was disappointed when he learned that DHS had no equivalent programs.
“After all, DHS is the lead civilian agency for cybersecurity and why should they fall behind the Pentagon or the General Service Administration?” the Rhode Island Democrat said. The department would have to boost its efforts to administer a bounty program because once bugs are identified, they need to be quickly patched, he added.
Langevin, one of the senior Democrats on the panel focused on cybersecurity issues, said he had written to DHS Secretary Kirstjen Nielsen for more information on how the agency planned to start a vulnerability disclosure policy but was disappointed she had not responded. A spokesman for DHS did not immediately respond to a request for comment.
Bug bounties, or crowd-sourced security programs as some experts call them, have been an established practice in private industry since the early days of the internet. The explosion of new software across multiple platforms and devices and the attendant increase in vulnerabilities meant that in-house security experts could not identify all the bugs. Paying good hackers to find weaknesses before bad actors find and exploit the gaps became standard practice.
Private companies and governments together paid out about $11.7 million in bounties to hackers in 2017, according to a July 2018 report by HackerOne, a group that brings together hackers to work collectively on security problems.
Starting in 2016, the Defense Department began trying out bug bounty programs called Hack the Pentagon and it now runs Hack the Army and Hack the Air Force, along with the Defense Information Systems Agency. The IRS also launched its effort in 2016.
Federal agencies look to such programs to find vulnerabilities and patch them because the gap between the in-house talent available to find and fix such problems and the number of weaknesses is significant, said Anne-Marie Chun Witt, director of government services at Synack, a California-based technology company that manages the bug bounty programs at the Pentagon, the IRS and other agencies.
While the federal government’s cybersecurity budget has grown about 1.5 times between 2006 and 2018, the number of cyber incidents on federal computer networks has increased about 15 times in that period, according to Synack.
“Federal cyber budgets are growing, but it’s not working, and that’s why we are seeing an aggressive adoption of the crowd-sourced approach,” Witt said. “There’s an imbalance between the supply and demand for cyber talent, so even with all the money in the world you wouldn’t be able to find the expertise.”
While typical bug bounty programs are open to any hacker to find bugs on open computer networks, the approach doesn’t work for highly sensitive systems, said Jay Kaplan, CEO and founder of Synack.
Instead, “we have a completely closed model,” where the company vets security researchers through background checks and signs nondisclosure agreements with them before allowing them to work on classified computer systems, Kaplan said. “They are doing work through auditable ways, so we can see what they’re doing.”