Following what is now widespread practice among private-sector tech giants, a new bill proposes to require the DHS to introduce its own public-sector bug bounty program.
Senators Maggie Hassan (D-NH) and Rob Portman (R-OH) introduced the Hack Department of Homeland Security (DHS) Act on 25 May. Designated S.1281, it is described as “A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes.”
At the time of writing, there is no publicly available text for the bill. Nevertheless, congress.gov lists it as having been read twice and referred to the Committee on Homeland Security and Governmental Affairs.
Hassan publicly announced the new bill on Friday. She described it as designed to “strengthen cyber defenses at DHS by utilizing ‘white-hat’ or ethical hackers to help identify unique and undiscovered vulnerabilities in the DHS networks and data systems.” It is modeled on the bug bounty programs of the tech industry, and last year’s ‘hack the Pentagon’ and ‘hack the Army’ programs.
Spanning April and May 2016, the Department of Defense (DoD) ran ‘Hack the Pentagon’ via HackerOne. It attracted more than 1400 hackers, 250 of whom submitted at least one vulnerability report; 138 of those reports were judged valid and eligible for a bounty from the program’s $150,000 funding. Ash Carter, Secretary of Defense at the time, estimated that the program saved the department more than $800,000 against the cost of a similar exercise via the security industry.
Since then, both the Army and the Air Force have run similar programs. Hack the Army ran from the end of November to 21 December 2016: 371 white-hat hackers registered and submitted a total of 471 vulnerability reports. Nearly 120 were adjudged actionable and were awarded a total of more than $100,000.
Hack the Air Force was announced in April 2017, and registrations opened on 15 May. The event will take place between 30 May and 23 June, and is open to researchers from any of the Five Eyes nations: US, UK, Canada, Australia and New Zealand.
“Federal agencies like DHS are under assault every day from cyberattacks,” explained Hassan in her statement Friday. “These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help. The Hack DHS Act provides this help by drawing upon an untapped resource — patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens.”
“The networks and systems at DHS are vital to our nation’s security,” said Portman. “It’s imperative that we take every step to protect DHS from the many cyber attacks they face every day. One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats.”
The bill is getting cautious support from the private sector. “The proposed Hack DHS Act seems, on its surface, to be a very positive step forward to helping better secure the nation’s websites and other web-facing infrastructure,” Nathan Wenzler, chief security strategist at security consulting firm AsTech, told SecurityWeek. He pointed to the continuing success of bug bounties in the private sector. “Provided that appropriate measures are taken to vet the individuals who are performing the ethical hacking work, this could end up being a very valuable tool to help improve the security posture of some of the most heavily attacked sites out there.”
Chris Roberts, chief security architect at threat detection firm Acalvio, takes a similar view. Provided that adequate checks are made against the registrants and strict rules are devised and enforced, then “yes, in the ‘spirit’ of hacking it’s good.”
But he warned, “Let’s not devalue the red-team work and have someone hit the systems from all angles and all sides. That way there’s a true perspective. The whole idea of hacking the DHS would be to focus on the weakest links, which are humans and third parties. I’m going to assume those are out of scope, which in reality, makes it kind of a waste of time. On paper, it’s a good idea. But allow us to hit whenever and wherever we want, like a true attacker would and then let’s talk. Until then, it’s simply a face-saving thing which cheapens the whole assessment side of the world.”