[Senate Hearing 115-656]
[From the U.S. Government Publishing Office]


                                                S. Hrg. 115-656

                 DATA SECURITY AND BUG BOUNTY PROGRAMS:
                  LESSONS LEARNED FROM THE UBER BREACH
                        AND SECURITY RESEARCHERS

=======================================================================

                                HEARING

                               BEFORE THE

                  SUBCOMMITTEE ON CONSUMER PROTECTION,
                       PRODUCT SAFETY, INSURANCE,
                           AND DATA SECURITY

                                 OF THE

                         COMMITTEE ON COMMERCE,
                      SCIENCE, AND TRANSPORTATION
                          UNITED STATES SENATE

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                            FEBRUARY 6, 2018

                               __________

    Printed for the use of the Committee on Commerce, Science, and 
                             Transportation

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]


                Available online: http://www.govinfo.gov
       
                              __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
37-302 PDF             WASHINGTON : 2019                     
          
--------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].        
       
       
       
       
       
       
       SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                   JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi         BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                  MARIA CANTWELL, Washington
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas                  BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska                 EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma               GARY PETERS, Michigan
MIKE LEE, Utah                       TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin               TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia  MAGGIE HASSAN, New Hampshire
CORY GARDNER, Colorado               CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana                  JON TESTER, Montana
                       Nick Rossi, Staff Director
                 Adrian Arnakis, Deputy Staff Director
                    Jason Van Beek, General Counsel
                 Kim Lipsky, Democratic Staff Director
              Chris Day, Democratic Deputy Staff Director
                      Renae Black, Senior Counsel
                                 ------                                

  SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND 
                             DATA SECURITY

JERRY MORAN, Kansas, Chairman        RICHARD BLUMENTHAL, Connecticut, 
ROY BLUNT, Missouri                      Ranking
TED CRUZ, Texas                      AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                  TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma               TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah                       MAGGIE HASSAN, New Hampshire
SHELLEY MOORE CAPITO, West Virginia  CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on February 6, 2018.................................     1
Statement of Senator Moran.......................................     1
    Letter dated November 17, 2017 to Dara Khosrowshahi, Chief 
      Executive Officer, Uber Technologies, Inc. from Hon. John 
      Thune, Hon. Jerry Moran, hon. Orrin Hatch and Hon. Bill 
      Cassidy, M.D...............................................     2
    Response letter dated December 11, 2017 to Hon. John Thune, 
      Hon. Jerry Moran, hon. Orrin Hatch and Hon. Bill Cassidy, 
      M.D. from Dara Khosrowshahi, Chief Executive Officer, Uber 
      Technologies, Inc..........................................     5
Statement of Senator Blumenthal..................................     7
    Prepared statement of Kathleen McGee, Chief of the Bureau of 
      Internet & Technology, New York State Office of the 
      Attorney General...........................................    37
    Letter dated February 5, 2018 to Hon. Jerry Moran and Hon. 
      Richard Blumenthal from Representatives Jan Schakowsky and 
      Ben Ray Lujan..............................................    41
    Letter dated February 5, 2018 to Senator John Thune and 
      Senator Bill Nelson from Marc Rotenberg, President, EPIC; 
      and Christine Bannan, Administrative Law and Policy Fellow, 
      EPIC.......................................................    46
Statement of Senator Nelson......................................     8
    Prepared statement...........................................     9
Statement of Senator Cortez-Masto................................    48
Statement of Senator Blunt.......................................    51

                               Witnesses

John Flynn, Chief Information Security Officer, Uber 
  Technologies, Inc..............................................    10
    Prepared statement...........................................    11
Marten G. Mickos, CEO, HackerOne.................................    15
    Prepared statement...........................................    17
Katie Moussouris, Founder and CEO, Luta Security.................    22
    Prepared statement...........................................    24
Justin Brookman, Director, Privacy and Technology Policy, 
  Consumers Union................................................    27
    Prepared statement...........................................    28

                                Appendix

Response to written questions submitted to John Flynn by:
    Hon. Jerry Moran.............................................    57
    Hon. Brian Schatz............................................    58
Response to written questions submitted to Marten G. Mickos by:
    Hon. Jerry Moran.............................................    63
    Hon. Brian Schatz............................................    68
Response to written questions submitted to Katie Moussouris by:
    Hon. Amy Klobuchar...........................................    69
    Hon. Brian Schatz............................................    69
Response to written questions submitted to Justin Brookman by:
    Hon. Amy Klobuchar...........................................    69
    Hon. Brian Schatz............................................    71

 
                      DATA SECURITY AND BUG BOUNTY
                   PROGRAMS: LESSONS LEARNED FROM THE
                  UBER BREACH AND SECURITY RESEARCHERS

                              ----------                              


                       TUESDAY, FEBRUARY 6, 2018

                               U.S. Senate,
      Subcommittee on Consumer Protection, Product 
              Safety, Insurance, and Data Security,
        Committee on Commerce, Science, and Transportation,
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 3 p.m. in room 
SR-253, Russell Senate Office Building, Hon. Jerry Moran, 
Chairman of the Subcommittee, presiding.
    Present: Senators Moran [presiding], Blumenthal, Blunt, 
Nelson, and Cortez-Masto.

            OPENING STATEMENT OF HON. JERRY MORAN, 
                    U.S. SENATOR FROM KANSAS

    Senator Moran. Good afternoon. Welcome to the Consumer 
Protection Product Safety, Insurance, and Data Security 
Subcommittee's Hearing on ``Data Security and Bug Bounty 
Programs.''
    The Subcommittee will come to order. Thank you all for 
being here today to discuss the October 2016 Uber data breach 
and the allegations against the company regarding impermissible 
payments to concealed security incident through its Bug Bounty 
Program.
    A bug bounty is a reward offered to someone outside of the 
company who identifies an error or vulnerability in a computer 
program or system in connection with the Coordinated 
Vulnerability Disclosure Program.
    The Committee plans to examine the value of these 
innovative programs and other coordinated approaches to 
identify cyber vulnerabilities and prevent the types of 
instances that have occurred and, unfortunately, will probably 
occur in the future.
    In late 2016, Uber was notified by anonymous sources that 
certain archived copies of its database had been compromised. 
According to a letter in response to an inquiry made by this 
Committee, in partnership with the Senate Finance Committee, 
Uber's Security Team ``took immediate steps to respond to and 
limit the impact of the incident,'' including identifying the 
parties responsible and paying a $100,000 to them in exchange 
for assurances that the compromised data would be deleted.
    I have a letter and Uber's response that I would ask 
unanimous consent to be submitted for the record. Without 
objection.
    [The information referred to follows:]

    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
                                 ______
                                 
                                                       Uber
                                                  December 11, 2017

Hon. John Thune,
Chairman,
Committee on Commerce, Science, and Transportation,
Washington, DC.

Hon. Jerry Moran,
Chairman,
Subcommittee on Consumer Protection, Product Safety, Insurance, and 
Data Protection,
Washington, DC.

Hon. Orrin Hatch,
Chairman,
Committee on Finance,
Washington, DC.
  

Hon. Bill Cassidy, M.D.,
Chairman,
Subcommittee on Social Security, Pensions, and Family Policy,
Washington, DC.

Dear Chairmen Thune, Hatch, Moran, and Cassidy:

    Thank you for your letter dated November 27, 2017, requesting more 
information regarding the data security incident we announced on 
November 21, 2017. Thank you also for the interest shown and the time 
taken by your committee staff during our briefing on December 4, 2017. 
As Uber's new CEO, I am committed to setting our course for the future, 
which begins with building a company that everyone can trust and be 
proud of. For that to happen, we have to be honest and transparent as 
we work to repair our past mistakes.
    I appreciate the depth and range of interest reflected in the 
questions posed in your letter and at our briefings. As we described 
when we met with your staff, we think it is important for you to get 
the facts from us directly. Our work on this matter remains ongoing, 
but we are now able to share the information below, and we appreciate 
the opportunity to share more as it develops.
    On November 14, 2016, Uber's security team received e-mails from an 
anonymous individual who claimed to have accessed Uber data and 
demanded payment. Uber investigated and determined that the individual 
and another person working with him had obtained access to certain 
archived copies of Uber databases and files located on Uber's private 
cloud data storage environment on Amazon Web Services. Uber determined 
the means of access, shut down a compromised credential, and engaged in 
communications with the outside actors. To the best of Uber's 
knowledge, the outside actors' access began on October 13, 2016, and 
there was no further access by the actors to Uber's cloud storage after 
November 15, 2016.
    Uber's security team took immediate steps to respond to and limit 
the impact of the incident, including engaging in immediate and then 
ongoing communications with the original outside actor and a second 
individual subsequently identified to have been working with him. Uber 
agreed to pay the money demanded in exchange for an agreement to delete 
the data. Uber eventually paid $100,000 to the two individuals 
combined. The payment was made in December 2016 through HackerOne 
(www.hackerone.com), which Uber uses for its Bug Bounty program. Uber 
also worked to identify the real names and identities of the outside 
actors. It was successful in this effort, and it thereafter engaged in 
further communications with the two individuals using their real 
identities, including having them sign assurances that the data was 
destroyed. Although Uber mitigated damage precipitated by the breach, 
two of the Uber employees who led the response failed to disclose the 
incident to the appropriate parties. Uber does not know why these 
individuals failed to discharge properly their responsibility, but they 
were terminated as a result.
    Mandiant, an independent cybersecurity firm, conducted a forensic 
analysis of the data at issue. Mandiant found no indication that trip 
location history, credit card numbers, bank account numbers, Social 
Security numbers or dates of birth were downloaded. They found that the 
data includes:

   Information pertaining to approximately 57 million users 
        (both riders and drivers) worldwide, including approximately 
        7.7 million drivers. Approximately 32 million of these 
        individuals are outside the United States. Approximately 25 
        million users are inside the United States.

   For nearly all users, the downloaded files included names, 
        e-mail addresses, and mobile phone numbers.

   In some cases, the files also included other information 
        collected from or created about users by Uber, such as Uber 
        internal user IDs (UUIDs); the UUIDs of a user who invited 
        another user to sign-up with Uber or whom users shared rides 
        with if they had opted into certain programs; a small number of 
        short driver-related notes; certain one-time locational 
        information, such as the latitude and longitude corresponding 
        to the location where the user first signed up for the Uber 
        service; and other account information, including user tokens 
        and hashed and salted versions of user passwords.

   For approximately 600,000 of the 7.7 million drivers, the 
        files also included a driver's license number. Virtually all of 
        these individuals are in the United States.

    Uber provided individual notice to drivers with driver's license 
numbers in the data set starting on November 22, 2017, in most cases by 
mail but via e-mail if Uber has no mailing address for the individual 
on file. That notification offered one-year complimentary credit and 
identity theft protection services from Experian and provided 
information on how to sign up. Uber also provided information pages for 
riders and drivers on its website. Uber notified the United States 
Attorney's Offices for the Southern District of New York and for the 
Northern District of California, the Federal Trade Commission, the 
attorneys general of states with a regulator notice requirement in 
their data breach law, and the Dutch Autoriteit Persoonsgegevens (data 
protection authority, our lead regulator for user data outside the 
United States) on November 21, 2017. Uber is continuing to provide 
information as requested on an ongoing basis to regulators, law 
enforcement, and government entities worldwide. We note that some of 
your questions relate to other ongoing legal proceedings and 
investigations to which the company is a party, including the Federal 
Trade Commission's ongoing investigation, which remains open. We do not 
here comment on other ongoing legal proceedings and investigations.
    In addition to the steps taken to confirm the data taken had been 
destroyed, Uber has not seen evidence of fraud or misuse tied to the 
incident; it is monitoring the affected accounts and has flagged them 
for additional fraud protection. As to Uber's privacy and data security 
practices generally, Uber's privacy policies detail what information it 
collects relating to riders and drivers and how it uses and discloses 
that information. Uber's current privacy policy is available at https:/
/privacy.uber.com/policy, and that page also contains a link to Uber's 
previous policy, dated from 2015. (Uber's 2013 privacy policy is 
available on archive.org as well.) Uber provided notice of both the 
2015 and 2017 revisions by e-mail to users. Uber's data security 
practices include access controls, multi-factor authentication, 
credential management systems, and use of encryption in transit and, 
where technically feasible, at rest. This particular incident (as we 
discussed in our recent briefings with your staff) nonetheless occurred 
because, unfortunately, the outside actors determined valid Uber login 
credentials for a particular workspace. After this incident (and well 
before providing notice of it in November 2017), Uber put in place 
several additional protections designed to mitigate the chance that the 
same form of intrusion could succeed today, such as adding two-factor 
authentication to one of the services that was involved in this 
incident.
    Thank you for the opportunity to share this information with you. 
Please know that we take this matter very seriously, and Uber is 
available to help answer any additional questions you may have.
            Sincerely,
                                         Dara Khosrowshahi,
                                                               CEO,
                                                Uber Technologies, Inc.

    Senator Moran. An independent forensics analysis found that 
the exposed data included information pertaining to 
approximately 57 million users in total, both drivers and 
riders, 25 million of those affected users were from the United 
States, and driver's license numbers of about 600,000 drivers 
were compromised in the breach.
    The fact that the company took approximately a year to 
notify impacted users raises red flags within this committee as 
to what systematic issues prevented such time-sensitive 
information from being made available to those left vulnerable.
    Additionally, my colleagues and I seek specific 
clarification as to what policy safeguards are currently in 
place to prevent bug bounty programs from being used as 
extortion pay-out mechanisms in the future.
    These substantive concerns, however, should not completely 
outweigh the overall utility of this innovative crowd-sourced 
approach that many industry actors have taken to proactively 
identify chinks in their technological armor through 
effectively administered bug bounty programs and other cyber 
vulnerability disclosure efforts.
    As the American public becomes more and more dependent and 
dependent on innovative technologies to complete everyday 
tasks, cyber security vulnerabilities pose a direct threat. 
Whether it's through a critical telehealth monitoring system, 
autonomous vehicle transporting your family, or access to 
personally identifiable information, cyber threats are 
continuously evolving with the technology we rely on.
    My goal for this hearing is to find out exactly what 
prevented Uber from immediately notifying its users who are 
impacted by the 2016 breach, the specifics of the related 
payments and what steps Uber is taking internally to improve 
its notification protocols.
    I also want to have a larger discussion of how 
vulnerability disclosure programs, like bug bounties, can be 
used effectively to deter cyber threats from harming consumers.
    It's my pleasure to introduce our panel today and I again 
appreciate, as I expressed to you personally, my gratitude for 
your presence here today.
    Mr. John ``Four'' Flynn is the Chief Information Security 
Officer for Uber Technologies. He's an expert in information 
security with over 10 years' experience in the field, including 
leading Infrastructure Security at Facebook and managing 
Security Operations at Google.
    Mr. Marten Mickos is the Chief Executive Officer of 
HackerOne, which is a leading bug bounty firm in the country, 
serving a variety of government and private sector clients, 
including Uber, and administering their Crowd Source 
Vulnerability Disclosure Programs.
    Ms. Kate Moussouris is the Founder and CEO of Luta 
Security, Inc., which advises its clients on vulnerability 
coordination programs and applicable internal company policies.
    And, finally, Mr. Justin Brookman is the Director of 
Consumer and Technology Policy for the Consumers Union, which 
is an independent nonprofit consumer organization. In his role, 
he focuses on policies related to consumer data privacy 
security.
    I look forward to the testimony of these experts on our 
witness panel.
    I either now turn to the Ranking Member of the Full 
Committee or the Ranking Member of the Subcommittee for their 
opening remarks.
    Gentlemen. The Senator from Connecticut.

             STATEMENT OF HON. RICHARD BLUMENTHAL, 
                 U.S. SENATOR FROM CONNECTICUT

    Senator Blumenthal. Thank you. Thank you very much, Mr. 
Chairman, and I'd like to thank you and the Chairman as well as 
our Ranking Member for holding this hearing, which is truly of 
paramount importance to consumers in our country.
    There ought to be no question here that Uber's payment of 
this blackmail without notifying consumers who were gravely at 
risk was morally wrong and legally reprehensible and violated 
not only the law but also the norm of what should be expected.
    At the same time that Uber was negotiating with its 
blackmailers, it also was speaking with the Federal Trade 
Commission for a smaller 2014 breach affecting the personal 
information of more than a 100,000 Uber drivers.
    Drivers and riders were not informed of the breach that 
brings us here today. Neither were law enforcement authorities. 
It was not only kept secret but the company paid those hackers 
a $100,000 ransom to destroy evidence and keep quiet. In 
effect, it was almost a form of obstruction of justice.
    The Online Trust Alliance says that 93 percent of all 
breaches in 2017 did not stem from software vulnerabilities. 
They were the result of poor security protocols, like failing 
to update software, use e-mail authentication, and training 
people to recognize phishing attacks. These kinds of weaknesses 
are readily correctable and the industry has a responsibility 
for doing it.
    We've had repeated hearings and we ought to be demanding 
more action of law enforcement authorities as well as the 
industry over the years. In fact, we've had one hearing after 
another focused on data breaches. Very recently, we heard from 
the current and former heads of Equifax and Yahoo following 
their historic breach disasters.
    A piecemeal after-the-fact approach would be better served 
if the Commission, the Federal Trade Commission, were able to 
prescribe rules that prevent these kinds of data breaches by 
requiring reasonable security practices in the first place and 
that's why the Ranking Member and I, Ranking Member Nelson, 
who's here today, reintroduced the Data Security and Breach 
Notification Act.
    This bill directs the FTC to develop robust, flexible rules 
that require businesses to adopt reasonable security protocols 
to protect consumers' personal information from unauthorized 
access and establish strong breach notification requirements.
    Whether driving a ride-share or calling a ride-share, 
individuals expect companies collecting their sensitive 
personal information to do everything in their power to protect 
their data and their security and privacy, notify them promptly 
when there is a breach that endangers those consumers and 
riders.
    These kinds of expectations are not unreasonable or 
inflated. These expectations are realistic. They are 
commonsense measures that all Americans have a right to expect, 
and I look forward to hearing from the witnesses.
    Thank you, Mr. Chairman.
    Senator Moran. Thank you, Senator.
    The Senator from Florida, we're honored to have the Ranking 
Member of the Full Committee with us today, Senator Nelson.

                STATEMENT OF HON. BILL NELSON, 
                   U.S. SENATOR FROM FLORIDA

    Senator Nelson. Mr. Chairman, thank you very much, and what 
Senator Blumenthal has just said, the legislation is out there.
    We will continue to work with the Chairman of the Full 
Committee, Senator Thune, in order to try to get meaningful 
data security legislation, but any such bill cannot simply 
cater to corporate interests.
    A bipartisan bill must provide consumer protections that 
are better than is in the current law and why is this? Well, 
this hearing today is just the latest edition in a long history 
of hearings that this Full Committee has held on high-profile 
data breaches.
    Uber now joins Equifax, Yahoo, Target, Sony, and the 
University of Maryland, among others, as a breached entity 
telling a story to this committee and to Congress, and this 
story at this hearing only once again underscores the need for 
the comprehensive and strong Federal legislation to provide the 
protections.
    Currently, the FTC is the key Federal agency that's 
bringing enforcement actions against the breached companies 
that have collected and stored vast amounts of consumer data, 
unfortunately, with lax security standards.
    A myriad of state laws currently provide American consumers 
with a limited degree of protection. So we should not adopt 
Federal legislation that undercuts the FTC's existing 
longstanding well-established authority nor should we consider 
a bill that eviscerates all state legal protections and 
replaces them with weak Federal standards.
    From this Senator's standpoint and I think Senator 
Blumenthal's, we can support only a data security bill that 
provides consumers with protection that are stronger than the 
current ones. It would be better for Congress to pass no bill 
than to pass a bill that provides less protections to the 
consumers compared to the status quo.
    So thank you, Mr. Chairman, for having this hearing.
    [The prepared statement of Senator Nelson follows:]

   Prepared Statement of Hon. Bill Nelson, U.S. Senator from Florida
    Today's hearing is the latest edition in a long history of hearings 
that the Commerce Committee has held on high profile data breaches. 
Uber now joins Equifax, Yahoo, Target, Sony, and the University of 
Maryland, among others, as a breached entity telling its story to this 
committee and to Congress. And this story at this hearing only once 
again underscores the need for comprehensive and strong Federal 
legislation that will provide adequate protections to consumers.
    In this regard, Senator Blumenthal and I have once again introduced 
such legislation, the Data Security and Breach Notification Act, which 
would require companies to secure their data and to promptly notify 
consumers when there is a breach.
    The bill would also impose criminal penalties on corporate 
officials that willfully disguise breaches from the public, and it 
would provide for robust enforcement by the Federal Trade Commission 
and state attorneys general working together to hold companies 
accountable.
    As in previous Congresses, I will continue to work with Chairman 
Thune and other interested members of the committee to craft bipartisan 
and meaningful data security legislation.
    However, any such bill cannot simply cater to corporate interests. 
A bipartisan bill must provide consumer protections that are better 
than what is in current law.
    Currently, the FTC is the key Federal agency that is bringing 
enforcement actions against breached companies that collected and 
stored vast amounts of consumer data with lax security standards in 
place. And a myriad of state laws currently provide American consumers 
with a limited degree of protection from data breaches.
    We should not adopt Federal legislation that undercuts the FTC's 
existing, long-standing and well-established authority; nor should we 
consider a bill that eviscerates all state legal protections and 
replaces them with weak Federal standards.
    From my standpoint, I can only support a data security bill that 
provides consumers with protections that are stronger than current 
ones. It would be better for Congress to pass no bill at all than pass 
a bill that provides consumers with less protections under the status 
quo.
    Thank you again, Mr. Chairman. I look forward to hearing from our 
witnesses.

    Senator Moran. You're welcome, Senator Nelson. Thank you 
for joining us.
    We're now ready for the testimony of our witnesses, and I 
would call on Mr. Flynn for his opening statement.
    Thank you.

 STATEMENT OF JOHN FLYNN, CHIEF INFORMATION SECURITY OFFICER, 
                    UBER TECHNOLOGIES, INC.

    Mr. Flynn. Thank you, Mr. Chairman.
    Mr. Chairman, Ranking Member Blumenthal, and members of the 
Subcommittee, my name is John Flynn, and I serve as the Chief 
Information Security Officer of Uber.
    I'm grateful for the opportunity to testify today regarding 
bug bounty programs, the 2016 data security incident at Uber, 
and lessons that we have all learned from this incident.
    I'm honored to be here with an esteemed panel of people who 
have brought such an important security practice to companies 
worldwide.
    Today, I'd like to focus on three topics. First, bug bounty 
programs and the important role they play in the never-ending 
battle against cyber threats. Second, the 2016 data security 
incident at Uber where I worked to determined how the intrusion 
occurred and close the gaps that the intruders exploited. 
Third, the lessons learned and additional layers of protections 
that we've implemented.
    Bug bounty programs are a critically important tool. In 
addition to internal security efforts that are widely used as 
part--they are widely used as part of a comprehensive data 
security program. Bug bounty programs are an invitation to 
outside experts to search for vulnerabilities and report them. 
In exchange, companies offer rewards in recognition of that 
work.
    Monetary bounties can range from hundreds of dollars to 
hundreds of thousands of dollars. Some companies offer non-
monetary rewards, including branded apparel or public 
recognition.
    Because of the security benefits of bug bounty programs, 
many major technology companies use them, including Uber, 
Google, Facebook, Microsoft, and others. The U.S. Government 
also has bug bounty programs, including at the Department of 
Defense.
    Since we publicly launched our program in 2016, Uber's Bug 
Bounty Program has assisted in resolving more than 800 
vulnerabilities and paid about $1.3 million in bounties. It has 
achieved very significant improvements for a relatively modest 
expenditure, including addressing a bug in the SSH 
Authentication System and a remote code execution bug in one of 
our websites.
    The 2016 data security incident unfolded in a way that's 
entirely different than a typical bug bounty. On November 14, 
2016, our Security Team received e-mails from an anonymous 
individual who claimed to have access to Uber data and demanded 
a six-figure payment.
    We investigated the incident and assembled an Incident 
Response Team. The team of technical experts, which I directed, 
quickly determined the means of access and shut down the 
compromised credentials. Specifically, our first step was to 
validate the intruder's claims. We determined that the data 
came from backup files stored in an AWS S3 bucket.
    We next determined the intruder gained access to AWS S3 
through credentials contained within code on a private 
repository on GitHub. Despite the limited information, we 
locked down the point of entry within 24 hours.
    Separately, our Chief Security Officer Joe Sullivan led an 
effort to identify the intruders, a process we call 
attribution. Although I was not directly involved, I understand 
that the Attribution Team used various methods, including 
forensics, to gather further information on the intruders.
    It ultimately ascertained the identities of both intruders, 
made contact, and received assurances that the data had been 
destroyed.
    As you know, Uber paid the intruders a $100,000 through 
HackerOne and our Bug Bounty Program. Our primary goal in 
paying the intruders was to protect our customers' data. 
However, this was not done consistent with the way our Bug 
Bounty Program normally operates.
    In my view, the key distinction regarding this incident is 
that the intruders not only found a weakness, they also 
exploited that vulnerability in a malicious fashion to access 
and download data and made extortion demands.
    We recognize that the Bug Bounty Program is not an 
appropriate vehicle for dealing with intruders who seek to 
extort funds from the company. My written testimony contains 
additional details regarding the contents of the data.
    While the incident remains under the investigation by the 
company and others, I echo statements by Uber's new leadership 
that it was wrong to not disclose the breach earlier. We are 
working to make transparency and honesty core values of our 
company, which I am gratified to see.
    Thank you again for the opportunity to appear and testify 
today. I would be happy to answer your questions.
    [The prepared statement of Mr. Flynn follows:]

 Prepared Statement of John Flynn, Chief Information Security Officer, 
                        Uber Technologies, Inc.
    Mr. Chairman, Ranking Member Blumenthal, and members of the 
Subcommittee, my name is John Flynn. Since July 2015, I have served as 
the Chief Information Security Officer for Uber Technologies, Inc. I am 
grateful for the opportunity to testify today regarding bug bounty 
programs, the 2016 data security incident at Uber, and lessons that 
we--and the broader technology community--have learned from that 
incident. I am honored to be on such an esteemed panel with people who 
have brought such an important security practice to companies 
worldwide.
    Before addressing today's topics, I would like to tell you a little 
about myself. My parents were USAID diplomats and Peace Corps 
volunteers. After studying computer engineering at the University of 
Minnesota, I too joined the Peace Corps. As a Peace Corps volunteer, I 
served for more than two years in Belize, where I helped lead a program 
that ensured teachers had access to computers and I taught classes on 
information security. After the Peace Corps, I attended night classes 
to obtain a master's degree in computer science while working full time 
as a Security Engineer at the George Washington University here in 
Washington.
    Before joining Uber, I held positions as an Information Security 
Manager at Google, and as an Information Security Director at Facebook. 
I have spent over a decade working on highly technical data security 
issues, during a period in which data security has expanded 
dramatically as a field and as a paramount priority for the technology 
industry and the country.
    I would like to focus on three topics in my testimony today. First, 
I have significant experience with bug bounty programs from working for 
multiple companies, and will explain the important role that such 
programs play in the never-ending battle against cyber threats. Second, 
I will provide my perspective on the 2016 data security incident at 
Uber. My primary involvement in that matter was on the technical side, 
working under our chief security officer, and leading the effort to 
determine how the intrusion occurred and then to close the gaps that 
intruders exploited. While I am in a strong position to address the 
technical aspects of that incident, I was not actively involved in the 
process of identifying the intruders or interacting with the intruders 
once they were identified by others. Third, we learned valuable lessons 
from the 2016 incident, and I will describe the additional layers of 
protection and other enhancements that we have implemented to secure 
our users' data and minimize the risk of future intrusions.
Importance of Bug Bounty Programs
    Bug bounty programs are a critically important tool and widely used 
as part of comprehensive data security programs. Of course, bug bounty 
programs do not take the place of dedicated internal security teams who 
work throughout the entire software development lifecycle to detect and 
repair vulnerabilities. At Uber, there are multiple teams of 
specialized experts constantly working to ensure that our systems are 
secure. My team consists of more than 100 people with experience in 
technical areas of security. Our security efforts generally involve the 
following: (1) controlling access to our systems and services; (2) 
using security by design principles during the planning process; (3) 
auditing and testing code during development and throughout its 
lifecycle; (4) monitoring for threats; and (5) managing ongoing 
reinforcement and patching processes to protect our systems and 
software from reported vulnerabilities.
    Bug bounty programs are a useful addition to these steps. Let me 
briefly explain bug bounty programs. All complex systems have 
``bugs''--imperfections unintentionally written within the software's 
code. Sometimes these bugs create vulnerabilities, which could be 
exploited by an intruder to gain access to confidential data. Security 
teams across the industry, including those at Uber, invest heavily in 
preventing and identifying as many of these bugs as we can before code 
is updated in our products. However, due to the evolving nature of 
software, programmers continuously update code by augmenting, 
rewriting, and overwriting their prior work. That process inevitably 
results in unexpected errors and vulnerabilities. To help mitigate this 
reality, bug bounty programs allow companies to access additional 
skilled individuals to augment our in-house engineers. This outside 
perspective is also valuable in providing a fresh set of eyes and new 
ways of thinking to help our security teams address various challenges 
with innovative solutions.
    Typically, a bug bounty program is an invitation for outside 
experts (commonly referred to as ``researchers'') to search voluntarily 
for vulnerabilities and report them to the company or government agency 
that is the sponsor of the particular bug bounty program. This is 
supposed to be done pursuant to specific guidelines, as well as defined 
parameters regarding the types of systems that should be searched. For 
example, Uber posts a ``treasure map'' online to tell our researchers 
where to look for bugs in our systems. It points our researchers to the 
systems we care the most about.
    Companies typically offer rewards, or ``bounties,'' in recognition 
of the work performed by the researchers. Monetary bounties vary in 
size, from hundreds of dollars to hundreds of thousands of dollars, 
depending on the severity of the bug. Companies may also offer physical 
items, such as branded apparel, commemorating bugs that are found, as a 
non-monetary reward for the researcher. ``Street cred'' and public 
recognition also go a long way to motivate researchers, so many 
companies publish information about the most impressive bugs found.
    Not surprisingly, the security benefits of bug bounty programs have 
motivated many major technology companies, including Uber, Google, 
Facebook, Microsoft, and others, to implement bug bounty programs. 
Moreover, the U.S. Government also has recognized the value of bug 
bounty programs to protect its sensitive information technology 
systems. For example, the U.S. Department of Defense has bug bounty 
programs such as ``Hack the Pentagon'' and ``Hack the Air Force,'' 
which the Department has operated with great success. In addition, last 
July, the Computer Crime and Intellectual Property Section of the U.S. 
Department of Justice issued A Framework for a Vulnerability Disclosure 
Program for Online Systems, which provides helpful guidance on how to 
design and operate a bug bounty program.
    In 2015, when I joined the company, one of the first things we did 
to improve security was launch a bug bounty program. This was a private 
``beta'' program and included about two hundred researchers who helped 
us identify and remediate nearly 100 bugs. Following the success of our 
beta program, we launched a public bug bounty program in March 2016. 
Our current program, hosted by HackerOne, offers a combination of 
public recognition and monetary bounties as incentives for researchers 
to search our products and websites for potential bugs.
    Since its initial launch, this bug bounty program has assisted Uber 
in resolving more than 800 system vulnerabilities. The program's 
monetary payout stands at approximately $1.3 million in total. For us, 
this bug bounty program has been incredibly valuable, achieving very 
significant improvements in our data security posture for a relatively 
modest expenditure. I believe many other companies and agencies have 
had a similar experience with bug bounty programs.
    Our bounties typically range from a few hundred dollars to several 
thousand dollars--depending on the impact and severity of the bug. 
Given the large number of companies with bug bounty programs, monetary 
payments can help incentivize bug hunters to focus on Uber's bugs. That 
is, companies compete for the time and attention of these outside 
researchers, and relatively modest monetary incentives help ensure that 
researchers focus their attention on our software. Again, I think many 
companies and agencies have reached this same view.
    The vulnerabilities found by our researchers demonstrate the 
concrete value of bug bounty programs. As we have publicly shared, one 
researcher discovered a bug in the SSH authentication system used 
between different internal services. If exploited, the bug could have 
allowed escalation of internal privileges. This would have allowed 
people to access systems they did not have privileges to access. 
Another researcher who participated in our public bug bounty program 
found a ``remote code execution'' bug on one of our websites. This was 
an important issue because remote code execution gives attackers the 
ability to run commands on a target computer. In this case, the 
researcher demonstrated the ability to execute commands on a system 
within our data center. Potentially, a malicious attacker could have 
used this vulnerability to access sensitive user data.
    Uber's bug bounty program unquestionably has increased the scale 
and speed at which we are able to identify and eliminate cybersecurity 
threats. We are constantly refining our tools to prevent the bugs that 
are found from being written into our code in the first place.
    Over the nearly three years we have been running this program, more 
than 500 researchers have participated. Through our bug bounty program, 
we can benefit from a vast, diverse, worldwide pool of talent, often 
beyond our ability to hire.
    Of course, operating a bug bounty program is not without its 
challenges. Security researchers can be an eccentric group, and within 
this community there are individuals with varying degrees of technical 
experience and professionalism who engage through bug bounty programs. 
Researchers sometimes express concern with the amount of the bounty 
that is paid, believing that their discovery may be worth more than we 
determine was appropriate, based on our program guidelines. Other 
times, a researcher may identify a bug that we already know and are 
working to fix. The researcher sometimes takes issue with not receiving 
a monetary reward for those already identified bugs. Occasionally, a 
person may contact the company to report a vulnerability (without 
exploiting it), completely unaware of our bug bounty program, and make 
a demand for compensation. We try to work with such persons to submit 
their report through the bug bounty program in exchange for a fair 
reward under the program guidelines.
2016 Uber Data Security Incident
    The 2016 data security incident unfolded in a way that is entirely 
different from the typical bug bounty program scenario. On November 14, 
2016, Uber's security team received e-mails from an anonymous 
individual who claimed to have accessed Uber data and demanded a six-
figure payment. Uber investigated and determined that the individual 
and another person working with him had obtained access to certain 
archived copies of Uber databases and files located on Uber's private 
cloud data storage environment on Amazon Web Services (``AWS''). In 
line with standard protocol, Uber assembled an incident response team. 
This team included technical experts whom I directed, and we worked 
quickly to determine the means of access, shut down the compromised 
credential, and take various steps to secure our systems against a 
further attack. To the best of Uber's knowledge, the intruders' access 
began on October 13, 2016, and there was no further access by the 
intruders after November 15, 2016.
    For the Subcommittee's information, I would like to explain in 
greater detail how Uber responded to this security incident. As with 
any security incident, the first step was to validate the claims that 
the intruder had made. Very often these situations are hoaxes. The Uber 
security team requested data from the intruder, which he provided, and 
then confirmed that the data were Uber's. With that validation, we 
initiated an incident response procedure. Incident response to any data 
incident is an orchestrated affair. The first steps involve fast, 
intense work with limited information and a very short time to 
eliminate the threat. We set up a command center where members of the 
team could work in parallel and discuss issues in real time.
    The overall effort was led by our former Chief Security Officer, 
Joe Sullivan, to whom I reported. I led the technical work to identify 
how the intrusion occurred and remove the vulnerability. Joe Sullivan 
and others led what we call ``attribution''--the process of identifying 
the intruders.
    During the technical effort, we immediately began the process of 
determining where the data at issue resided and how the intruder gained 
access. Within 24 hours, we determined that the data came from back-up 
files stored in an AWS S3 bucket. S3 stands for ``simple storage 
service.''
    The next step of the investigation for my team was to determine how 
the intruder gained access to the AWS S3 bucket, which requires access 
credentials. We learned that the intruder found the credential 
contained within code on a private repository for Uber engineers on 
GitHub, which is a third party site that allows people to collaborate 
on code. We immediately took steps to implement multifactor 
authentication for GitHub and rotated the AWS credential used by the 
intruder. Despite the complexity of the issue and the limited 
information with which we started, we were able to lock down the point 
of entry within 24 hours.
    Subsequently, we did a thorough review of our GitHub repositories. 
My technical team initiated the process of removing additional code 
from GitHub that could be considered sensitive, and confirming rotation 
of keys. We ceased using GitHub except for items like open source code. 
The incident response team also worked to identify the type of data 
downloaded to assess the risk.
    In addition to the technical response, another team worked on 
attribution. Although I was not directly involved, I understand that 
the attribution team used various methods, including forensics, to 
gather further information on the intruders. This was a challenging 
endeavor because the intruders were extremely adept at covering their 
tracks.
    Ultimately, the attribution team ascertained the real identity of 
both the original individual who contacted the company, and the second 
person working with him. I understand that the original individual was 
located in Canada, and that his partner, who actually obtained the 
data, was in Florida. I further understand that the attribution team 
made contact with both individuals and received assurances that the 
data had been destroyed.
    As you know, Uber paid the intruders $100,000 through HackerOne and 
our bug bounty program. Our primary goal in paying the intruders was to 
protect our consumers' data. This was not done in a way that is 
consistent with the way our bounty program normally operates, however. 
In my view, the key distinction regarding this incident is that the 
intruders not only found a weakness, they also exploited the 
vulnerability in a malicious fashion to access and download data.
    In 2017, after learning about the incident, new company leadership 
at Uber asked an independent cybersecurity firm, Mandiant, to conduct a 
thorough analysis of the data at issue. Mandiant's analysis showed that 
the data included information pertaining to approximately 57 million 
users worldwide, including approximately 25 million users in the United 
States. Of these, approximately 4.1 million users in the United States 
were drivers. For nearly all users, the downloaded files included 
names, e-mail addresses and phone numbers. In some cases, the 
information also included information collected from or created about 
users by Uber, such as Uber user IDs, certain one-time locational 
information (e.g., the latitude and longitude corresponding to the 
location where the user first signed up for the Uber service), user 
tokens, and passwords encrypted using hashing and salting techniques. 
Of the driver accounts, approximately 600,000 thousand included 
driver's license numbers.
    In their independent analysis, Mandiant found no indication that 
trip location history, credit card numbers, bank account numbers, 
Social Security numbers, or dates of birth were compromised.
Lessons Learned and Data Security Enhancements at Uber
    While the circumstances surrounding the 2016 security incident 
remain under investigation by the company and multiple regulators, and 
I am not privy to the details of those ongoing investigations, there 
are a number of lessons learned that I would like to highlight today.
    First, I would like to echo statements made by new leadership, and 
state publicly that it was wrong not to disclose the breach earlier. 
The breach should have been disclosed in a timely manner. The company 
is taking steps to ensure that an incident like this does not happen 
again, with personnel changes and additional remedial actions. We are 
working to make transparency and honesty core values of our company. I 
would add that this is a change that I personally am gratified to see 
and wholeheartedly support.
    Although we regret that we did not publicly report the incident in 
2016, we did at that time take numerous steps internally to improve our 
security posture in response to the incident. As I noted previously, we 
immediately instituted multifactor authentication on Github. We then 
subsequently ceased using GitHub except for items like open source 
code. As to AWS, we were already using multifactor authentication for 
individual access accounts--which these intruders did not compromise. 
After the incident we expanded the use of multifactor authentication 
protocols for AWS service accounts using techniques such as IP 
restrictions, commonly referred to as ``white listing.'' We have also 
taken other steps to enhance security for AWS data storage, such as 
refining Identity & Assessment Management permissions, improving our 
ability to authenticate someone before granting access to these systems 
and to confirm whether they are authorized to access them. We also 
added auto-expiring credentials to protect further against attacks 
using exposed, lost, or shared credentials. We continue to look to 
Amazon's evolving best practices and guidance to protect our AWS 
system.
    We recognize that the bug bounty program is not an appropriate 
vehicle for dealing with intruders who seek to extort funds from the 
company. The approach that these intruders took was separate and 
distinct from those of the researchers in the security community for 
whom bug bounty programs are designed. While the use of the bug bounty 
program assisted in the effort to gain attribution and, ultimately, 
assurances that our users' data were secure, at the end of the day, 
these intruders were fundamentally different from legitimate bug bounty 
recipients.
    Going forward, Uber is revisiting its incident response approach in 
circumstances such as these. We have hired Matt Olsen, a former general 
counsel of the National Security Agency and director of the National 
Counterterrorism Center, to help structure the security team and guide 
new processes going forward. I have already seen some of these changes 
take place, such as more stakeholders involved in the decision-making 
process for how to handle security incidents, and informing law 
enforcement of potential security incidents right away.
    I would like to conclude by stating that we strongly support a 
unified, national approach to data security and breach standards. We 
are proactively engaged in the many conversations in both the technical 
and policy communities to help identify what the critical components of 
federal data breach legislation should be, and are pleased to see this 
robust conversation taking place with various Members of Congress and 
your staff. We welcome the opportunity to be at the table to help all 
stakeholders understand the best practices.
                                 *  *  *
    Thank you again for the opportunity to appear and testify today. I 
would be happy to answer your questions.

    Senator Moran. Thank you.
    Mr. Mickos.

         STATEMENT OF MARTEN G. MICKOS, CEO, HACKERONE

    Mr. Mickos. Chairman Moran, Senator Blumenthal, Ranking 
Member Nelson, and members of the Subcommittee, thank you for 
inviting me to testify today.
    I look forward to providing you with my perspective on data 
security and bug bounty programs.
    Mr. Chairman, a brief note. As I have informed your staff, 
there are legal proceedings with respect to the Uber incident. 
We are cooperating fully and eagerly in those proceedings. As a 
result of these proceedings, however, I will unfortunately not 
be able to discuss many aspects of that incident.
    I am the Chief Executive Officer of HackerOne, the world's 
leading provider of hacker-powered security. HackerOne operates 
bug bounty programs that connect companies and governments with 
the world's best white hat hackers to find and fix 
vulnerabilities before malicious actors exploit them.
    It all starts with the vulnerability disclosure program, 
which is essentially a neighborhood watch for software. When an 
entity decides to offer financial rewards to finders of 
vulnerabilities, the vulnerability disclosure program becomes a 
bug bounty program.
    Such programs are useful for organizations large and small, 
in the private and in the public sector. Examples include: 
Adobe Systems, GSA, General Motors, Qualcomm, Starbucks, United 
Airlines, and many more. Some of them run their own homegrown 
programs, others will run their program on a platform, such as 
HackerOne.
    The nature of HackerOne's business is preventative. We are 
not in the incident response business. We are in the data 
breach prevention business. Through HackerOne's service alone, 
over 63,000 vulnerabilities have been found and fixed. The 
average bounty is approximately $500 and the current maximum 
bounty listed on HackerOne is $250,000. No other method has 
been shown to produce similar results with such favorable 
economics.
    Organizations signing up with HackerOne typically start 
with an invitation-only program. Later, the program can be made 
public, in which case any hacker is allowed to submit reports.
    It is the customer who decides on the bounties. To receive 
any form of payment by a HackerOne, the hacker must submit 
identifying information and the appropriate tax forms.
    HackerOne is committed to compliance with all relevant 
rules and regulations. Additionally, we have internal 
guidelines and specific terms and conditions that apply to 
hackers and to customers, respectively.
    The Federal Government is an innovator in this area. The 
U.S. Department of Defense and HackerOne pioneered the first 
Federal Government Bug Bounty Program called ``Hack the 
Pentagon.'' Since the program's inception, more than 3,600 
security vulnerabilities have been safely resolved in critical 
DoD assets.
    FTC, NTIA, FDA, NHTSA, and the Department of Justice have 
declared vulnerability disclosure programs as cyber security 
best practice. These agencies recognized the critical role that 
hackers play in securing technology and protecting consumers.
    For instance, in July 2017, the Department of Justice 
published a framework for vulnerability disclosure program for 
online systems to provide guidance to entities on setting up a 
program.
    Our goal must be an internet that enables privacy and 
protects consumers. This is not achievable without ethical 
hackers taking an active role in safeguarding our collective 
security, and that in turn requires a safe legal environment 
encouraging all individuals to come forward with vulnerability 
information, no matter the circumstances.
    I would like to offer three recommendations. First, I 
encourage you to support CFAA reform that removes criminal 
penalties on actions that do no harm, protecting individuals 
that act in good faith to identify and report potential 
vulnerabilities.
    Second, I encourage you to support a harmonized and 
unambiguous breach notification law governing all consumer-
facing entities. Those who in good faith operate or participate 
in a vulnerability disclosure policy should not be legally 
exposed.
    Third, Congress should encourage data security best 
practices that require all companies responsible for 
safeguarding consumer data to implement a vulnerability 
disclosure policy.
    In summary, Mr. Chairman, we need hackers. Ethical hacking 
may be the only force that can stop criminal hacking. Hundreds 
of thousands of security vulnerabilities have already been 
found and remediated. Hacker-powered security does not only 
protect consumers, it also creates opportunity for aspiring 
hackers across the country.
    With this, thank you for the opportunity to testify on this 
important issue, and I look forward to any questions you may 
have.
    [The prepared statement of Mr. Mickos follows:]

   Prepared Statement of Marten G. Mickos, Chief Executive Officer, 
                               HackerOne
Introduction
    Chairman Moran, Ranking Member Blumenthal, and Members of the 
Subcommittee, thank you for inviting me to testify today. I look 
forward to providing you with my perspective on Data Security and Bug 
Bounty Programs.
    I am Chief Executive Officer of San Francisco-based HackerOne, the 
world's leading provider of hacker-powered security. I have spent my 
entire 30-year career in software, including as Senior Vice President 
at both Hewlett-Packard and Sun Microsystems, and prior to that as CEO 
of MySQL. In addition, I served on the Board of Directors of Nokia 
Corporation.
    HackerOne operates bug bounty programs that connect companies and 
governments with the best white hat hackers in the world to find and 
fix vulnerabilities before malicious actors exploit them. As of January 
2018, over 160,000 white hat hackers have registered with HackerOne to 
defend customers, among them the United States Department of Defense, 
removing over 60,000 vulnerabilities and preventing an untold number of 
breaches in the process.
The Threat of Weak Cybersecurity
    Today's cybersecurity practices are severely outdated in contrast 
to the cyber threats that society faces. When exploited for criminal 
purposes, even just one single and relatively unremarkable security 
vulnerability can create havoc, as the Equifax data breach \1\ grossly 
reminded us of in 2017.
---------------------------------------------------------------------------
    \1\ https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-
what-do
---------------------------------------------------------------------------
    Unfortunately it is only a question of time before cybercrime 
causes physical damage to structures or, worse, physical harm to 
humans. Citizens in general and consumers in particular are exposed to 
risks that they cannot possibly deal with themselves. Privacy is 
threatened. Consumer protection against faulty and vulnerable software-
based products is presently inadequate.
    The economic repercussions are enormous, and we are only now 
starting to see the true costs of lax cyber hygiene. When data breaches 
occur, corporations lose millions of dollars. These costs are often 
passed along to consumers who additionally face unquantifiable burdens 
associated with the breaches, including compromise of privacy.
    It is an unfortunate fact that in the digital realm, society is 
currently failing to provide its citizens with what societies were 
established for: safety and security.
Hacker-Powered Security Offers a Solution
    Whatever protections and defenses we build into our digital 
assets--and we should build a lot of them--there is one practice that 
covers every possible cause of cyber breach. There is an ``immune 
system'' \2\ that will approach the digital assets from the same 
direction as adversaries and criminals do--from the outside. There is a 
mechanism that at scale has the opportunity to ultimately detect every 
hole, every weakness and every security vulnerability in a system or 
product built by humans.
---------------------------------------------------------------------------
    \2\ https://www.ted.com/talks/
keren_elazari_hackers_the_internet_s_immune_system
---------------------------------------------------------------------------
    This practice is often called ``Hacker-Powered Security.'' It is a 
mechanism that turns the asymmetry that favors the attacker into an 
asymmetry that favors the collaborating defenders. It is a collective 
effort that relentlessly looks for more vulnerabilities. Its 
outstanding success metrics are a result of stochastic probability: the 
more attempts there are at finding vulnerabilities, the higher the 
likelihood that these will be found. Over time the result improves 
asymptotically towards 100 percent.
    Hacker-powered security is a model that invites external and 
independent security researchers and ethical hackers--we will here 
simply call them ``hackers''--to hunt for vulnerabilities in 
computerized systems. Today there are over one hundred thousand white 
hat hackers in the world. These are individual experts who have signed 
up to help corporations and organizations to detect and fix their 
security weaknesses. These hackers are motivated by the challenge, by 
the opportunity to do good and by peer recognition. They are rewarded 
for their finds with bounties. They are bug bounty hunters.
How Hacker-Powered Security Works
    Hacker-Powered Security covers any cybersecurity-enhancing services 
and automations that are partially or wholly produced by independently 
operating security experts outside the company or organization in 
question.
    The most fundamental function of hacker-powered security is a 
Vulnerability Disclosure Program, also called Responsible Disclosure or 
Coordinated Vulnerability Disclosure.
    A vulnerability disclosure program is essentially a neighborhood 
watch for software. The motto is ``If you see something, say 
something.'' Concretely, if and when an ethical hacker finds a security 
vulnerability in and company or government organization's website or 
mobile app or other computer system, this person will be invited to 
disclose the vulnerability found to the system's owner.
    Most human beings are ready to help their neighbor, so the impetus 
for vulnerability disclosure is enormous. Issues of legality and trust, 
however, make vulnerability disclosure more complicated than a regular 
neighborhood watch. To solve this issue, leading companies have created 
their own policy frameworks for the disclosure of vulnerabilities to 
them, and others turn to companies such as HackerOne to organize and 
coordinate such programs.
    When an entity decides to offer financial rewards to finders of 
vulnerabilities, the vulnerability disclosure program is called a Bug 
Bounty Program. Bug bounty programs have existed at least since 
1983.\3\ The practice was perfected by Google, Facebook and Microsoft 
over the past half-dozen years. Around the same time, companies such as 
HackerOne emerged for the purpose of bringing this powerful method 
within reach of any organization that owns and operates a digital asset 
(meaning a computer system, a website, a mobile application, an 
Internet-of-Things device, or some other digital product).
---------------------------------------------------------------------------
    \3\ Hunter & Ready ran a campaign in 1983 called ``Get a bug if you 
find a bug'', offering a VW beetle as reward for bugs found in their 
real-time operating system. Netscape launched a bug bounty program in 
1995.
---------------------------------------------------------------------------
Proven Effectiveness
    Hacker-powered security programs have demonstrated their 
effectiveness compared to other methods for vulnerability detection. 
Hiring full-time employees or external service or product vendors to 
test for vulnerabilities is more expensive. Through HackerOne's service 
alone, over 63,000 security vulnerabilities have been found and fixed. 
The current maximum bounty listed on HackerOne is $250,000. No other 
method for validating software or manufactured products that are in use 
by consumers has been shown to produce similar results at such a 
favorable economic unit price.
    Hacker-powered security is a model that scales. Today there are 
over 160,000 registered ethical hackers, and over the coming years this 
number is likely to grow to over a million. This army of hackers will 
be able to take on the work of the entire digital realm of our society.
    Thanks to the diversity and scale of the hacker community, hacker-
powered security finds vulnerabilities that automated scanners or 
permanent penetration testing teams do not find. Existing models are 
good at finding predictable security vulnerabilities, but even more 
important is to find the unpredictable ones--the unknown unknowns. 
Given a large enough hacker community and enough time, such 
vulnerabilities will be identified.
Vast and Diverse Clientele
    Hacker-powered security emanated over the past decade as a best 
practice among Silicon Valley tech companies. Today, the model has 
matured and became applicable to all types of businesses. Any company, 
corporation, association or public sector agency that develops and 
deploys software (in whatever form, such as embedded in hardware) can 
benefit from hacker-powered security.
    The vendors providing hacker-powered services have established 
communities of ethical hackers for whom they keep track of skill 
profiles and performance metrics. Bug bounty programs may be self-
managed by the customer, or fully managed by the vendor. In the latter 
scenario, customers save both time and money while being presented with 
valid security vulnerabilities on a continuous basis. In either 
scenario, it is up to the customer to remediate the vulnerability once 
found.
    Entities that operate such vulnerability disclosure and/or bug 
bounty programs include: Adobe, AT&T, CERT Coordination Center, U.S. 
Department of Defense, Dropbox, Facebook, Fiat Chrysler, U.S. General 
Service Administration, General Motors, GitHub, Google, LendingClub, 
Microsoft, Nintendo, Panasonic Avionics, Qualcomm, Snapchat, Starbucks, 
Spotify, Twitter, and United Airlines. Hacker-powered security is 
useful and accessible for organizations both large and small, 
technology-focused or not, in the private or public sector. The model 
is suitable for all entities that develop and deploy software.
Who are the Hackers?
    The original experts at the Massachusetts Institute of Technology 
(MIT) defined themselves as ``one who enjoys the intellectual challenge 
of creatively overcoming limitations.''
    Security experts may be described using a variety of titles 
including ``ethical hacker'', ``white hat'', ``security researcher'', 
``bug hunter'', and ``finder.'' One title is conspicuously absent: 
Criminal. Hackers are not criminals. Specifically, bug bounty platforms 
offer no benefit to someone with criminal intent. On the contrary, 
HackerOne will record data about every hacker on the platform and only 
reward actions that follow the rules. For these reasons, criminals go 
elsewhere.
    Hackers are driven by a variety of motivations, many of which 
altruistic. The security advocacy organization I Am The Calvary 
summarizes these motivations \4\ as: Protect (make the world a safer 
place), Puzzle (tinker out of curiosity), Prestige (seek pride and 
notability), Profit (to earn money), and Protest/Patriotism 
(ideological and principled).
---------------------------------------------------------------------------
    \4\ https://www.iamthecavalry.org/motivations
---------------------------------------------------------------------------
    The HackerOne 2018 Hacker Report \5\--a survey of over 1,000 
hackers--revealed that profit was only the fourth most common 
motivation for why hackers do their work. Before that came the desire 
to learn, be challenged, and have fun. To protect and defend is also a 
central motivation for hackers. A 2016 study by the National 
Telecommunications and Information Administration (NTIA) within the 
Department of Commerce found that only 15 percent of security 
researchers expect financial compensation in response to a 
vulnerability disclosure.\6\
---------------------------------------------------------------------------
    \5\ https://www.hackerone.com/sites/default/files/2018-01/
2018_Hacker_Report.pdf
    \6\ https://www.ntia.doc.gov/files/ntia/publications/
2016_ntia_a_a_vulnerability_disclosure
_insights_report.p
---------------------------------------------------------------------------
    Hacker-powered security does not only improve security. The model 
democratizes opportunity and offers meaningful work to anyone with the 
inclination and drive to be a useful ethical hacker. Many hackers are 
young adults. They can do their work from anywhere. The money hackers 
make is used to support their families, pay for education, and catapult 
them into successful professional careers. Hacking brings meaning and 
mandate to enterprising people irrespective of their location. Hacking 
brings positive societal impact across the Nation.
Case Studies
    The U.S. Department of Defense (DoD) and HackerOne pioneered the 
first Federal government bug bounty program. Since the program's 
inception, more than 3,600 security vulnerabilities have been safely 
resolved in DoD critical assets with hacker-powered security. While the 
majority of the vulnerabilities reported through the DoD vulnerability 
disclosure policy were without financial compensation, hackers have 
been awarded hundreds of thousands of dollars in bug bounty payments by 
DoD.
    ``Hack the Pentagon'' was initially launched as a pilot program 
under the leadership of Secretary of Defense Ash Carter. This pilot ran 
from April 18 to May 12, 2016. During that short time more than 250 
vetted ethical hacker participants submitted vulnerability reports. A 
total of 138 valid vulnerabilities were found and remediated.
    ``We know that state-sponsored actors and black-hat hackers want to 
challenge and exploit our networks,'' said Secretary Carter of Hack the 
Pentagon.\7\ ``What we didn't fully appreciate before this pilot was 
how many white-hat hackers there are who want to make a difference--
hackers who want to help keep our people and nation safer.''
---------------------------------------------------------------------------
    \7\ https://www.defense.gov/News/News-Releases/News-Release-View/
Article/802929/defense-secretary-ash-carter-releases-hack-the-pentagon-
results/
---------------------------------------------------------------------------
    ``It's not a small sum, but if we had gone through the normal 
process of hiring an outside firm to do a security audit and 
vulnerability assessment, which is what we usually do, it would have 
cost us more than $1 million,'' \8\ Carter said of the $150,000 pilot 
program.
---------------------------------------------------------------------------
    \8\ https://www.defense.gov/News/Article/Article/802828/carter-
announces-hack-the-pentagon-program-results/
---------------------------------------------------------------------------
    The Pentagon announced it would continue Hack the Pentagon program 
and bring this successful model to other agencies.
Hack the Army
    The ``Hack the Army'' Bug Bounty program \9\ ran from November to 
December 2016 with 371 registered, vetted and eligible participants. Of 
those who participated 25 were government employees including 17 
military personnel. Of the 416 vulnerability reports submitted by 
hackers, 118 were unique, valid and actionable. The first one was filed 
within 5 minutes of the launch of the program.
---------------------------------------------------------------------------
    \9\ https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In
---------------------------------------------------------------------------
    While bug bounties are a way for the DoD to tap into private sector 
talent, sometimes the cybersecurity talent is already within their 
ranks. One of the researchers that successfully hacked the U.S. Army 
was an Army Captain presently in school at the Army's Cyber Center of 
Excellence at Fort Gordon, Georgia. In addition to having a full-time 
job and family, this officer registered for Hack the Army to get real, 
operational hands-on training in addition to his extensive schooling.
Hack the Air Force
    It took just under one minute for hackers to report the first 
security vulnerability to the U.S. Air Force. Within the first 24 
hours, 70 reports were submitted, 23 of which were valid. During the 
``Hack the Air Force'' bug bounty challenge, 207 valid vulnerabilities 
were discovered. Nearly 300 vetted individuals had registered to 
participate in the Hack the Air Force bug bounty challenge and more 
than 50 earned bounties.
    ``Adversaries are constantly attempting to attack our websites, so 
we welcome a second opinion--and in this case, hundreds of second 
opinions--on the health and security of our online infrastructure,'' 
\10\ said Peter Kim, the Air Force Chief Information Security Officer. 
``By engaging a global army of security researchers, we're better able 
to assess our vulnerabilities and protect the Air Force's efforts in 
the skies, on the ground and online.''
---------------------------------------------------------------------------
    \10\ http://www.af.mil/News/Article-Display/Article/1274518/hack-
the-air-force-results-released/
---------------------------------------------------------------------------
    Two of the Hack the Air Force participants were military personnel 
opting to help as an act of patriotism despite being ineligible for 
bounties, and 33 participants came from outside the U.S. Some of the 
top participating hackers were under 20 years old, including a 17 year-
old from Chicago who earned the largest bounty sum for 30 separate 
discoveries.
    The Hack the Air Force bug bounty challenge was so successful that 
the Air Force ran a second bug bounty challenge--Hack the Air Force 
2.0--in December 2017.
Consistency with Existing Laws & Best Practices
    Federal regulatory agencies responsible for consumer safety have 
acknowledged and adopted vulnerability disclosure programs as a 
cybersecurity best practice. These agencies recognize the critical role 
that hackers play in securing technology and protecting consumers.
    In June 2015, the Federal Trade Commission (FTC) published security 
guidance for businesses summarizing security best practices from the 
agency's 50+ data security settlements.\11\ One common cause for 
complaint against an organization's security practices was the lack of 
a vulnerability disclosure process. For example: ``FTC charged that the 
company didn't have a process for receiving and addressing reports 
about security vulnerabilities. HTC's alleged delay in responding to 
warnings meant that the vulnerabilities found their way onto even more 
devices across multiple operating system versions.''
---------------------------------------------------------------------------
    \11\ https://www.ftc.gov/tips-advice/business-center/guidance/
start-security-guide-business#
current
---------------------------------------------------------------------------
    In later comments made by the FTC to the NTIA Safety Working 
Group,\12\ the commission reaffirmed the importance of this practice: 
``[FTC] staff highlighted the important role that vulnerability reports 
play in ensuring product security, and recommended that businesses 
implement reasonable vulnerability disclosure processes to facilitate 
communication with the research community.''
---------------------------------------------------------------------------
    \12\ https://www.ftc.gov/system/files/documents/advocacy_documents/
ftc-staff-comment-national-telecommunications-information-
administration-regarding-safety-working/170215ntia
comment.pdf
---------------------------------------------------------------------------
    In October 2016, the National Highway Traffic Safety Administration 
(NHTSA) published Cybersecurity Best Practices for Modern Vehicles.\13\ 
It states: ``Automotive industry members should consider creating their 
own vulnerability reporting/disclosure policies, or adopting policies 
used in other sectors or in technical standards. Such policies would 
provide any external cybersecurity researcher with guidance on how to 
disclose vulnerabilities to organizations that manufacture and design 
vehicle systems.'' Major automakers, including General Motors \14\ and 
Tesla,\15\ have adopted policies for encouraging hackers to identify 
and disclose vulnerabilities in their connected automobiles.
---------------------------------------------------------------------------
    \13\ https://www.nhtsa.gov/staticfiles/nvs/pdf/
812333_CybersecurityForModernVehicles.pdf
    \14\ https://hackerone.com/gm
    \15\ https://www.tesla.com/about/security
---------------------------------------------------------------------------
    In December 2016, the Food and Drug Administration published 
Postmarket Management of Cybersecurity in Medical Devices,\16\ noting 
that ``. . .cybersecurity information may originate from an array of 
sources including independent security researchers..'' and described 
``Adopting a coordinated vulnerability disclosure policy and practice'' 
as a critical component of any medical device manufacturer 
cybersecurity program.
---------------------------------------------------------------------------
    \16\ https://www.fda.gov/downloads/medicaldevices/
deviceregulationandguidance/guidance
documents/ucm482022.pdf
---------------------------------------------------------------------------
    In July 2017, the Department of Justice (DoJ) Criminal Division's 
Cybersecurity Unit published ``A Framework for a Vulnerability 
Disclosure Program''.\17\ The DoJ observes ``[organizations are] 
adopting vulnerability disclosure programs to improve their ability to 
detect security issues on their networks that could lead to the 
compromise of sensitive data'' and goes on to provide guidance for 
operating these programs in a manner consistent with existing 
cybercrime laws.
---------------------------------------------------------------------------
    \17\ https://www.justice.gov/criminal-ccips/page/file/983996/
download
---------------------------------------------------------------------------
    In October 2017, deputy attorney general Rod Rosenstein made this 
public statement:\18\ ``All companies should consider promulgating a 
vulnerability disclosure policy, that is, a public invitation for white 
hat security researchers to report vulnerabilities. The U.S. Department 
of Defense runs such a program. It has been very successful in finding 
and solving problems before they turn into crises.''
---------------------------------------------------------------------------
    \18\ https://www.justice.gov/opa/speech/deputy-attorney-general-
rod-j-rosenstein-delivers-remarks-global-cyber-security-summit
---------------------------------------------------------------------------
    These Federal agencies have recognized the critical role that 
ethical hackers play in enabling public and private sector 
organizations to provide secure services that are resilient to 
cybersecurity vulnerabilities.
Conclusion and recommendation
    We need hackers. Our goal must be an Internet that enables privacy 
and protects consumers. This is not achievable without ethical hackers 
taking an active role in safeguarding our collective security.
    Hackers are truly the immune system of the internet. They are a 
positive power in society. We must enable and encourage them to make 
their best security contributions. This requires a safe legal 
environment encouraging all individuals to come forward with 
vulnerability information, no matter the circumstances.
    I provide you with the following recommendations:

    First, the Computer Fraud and Abuse Act (CFAA), enacted in 1984, 
contains vague wording that has not kept pace with the proliferation of 
the internet. The act is in need of modernization. I encourage the 
members of the committee to support CFAA reform \19\ to remove imposed 
criminal penalties on actions that do no harm to consumers. Individuals 
that act in good faith to identify and report potential vulnerabilities 
should not be legally exposed.
---------------------------------------------------------------------------
    \19\ https://www.eff.org/document/letter-def-con-cfaa-reform
---------------------------------------------------------------------------
    Second, the patchwork of breach notification laws enacted primarily 
at the state level may create uncertainty and perverse incentives for 
those who safeguard consumer data. I encourage this subcommittee to 
support a harmonized and unambiguous breach notification law governing 
all U.S. companies and consumers. It is important that such a law 
provide clarity on the definition of a data breach to ensure that those 
who operate or participate in a good faith vulnerability disclosure 
policy are not legally exposed.
    Third, I repeat the words of numerous experts that a ubiquitous 
``See something, Say something'' practice for vulnerabilities is a 
vital and critical step towards improving cybersecurity for consumers. 
The absence of a formal channel to receive vulnerability reports 
reduces a vendor's security posture and introduces unnecessary risk. 
Corporations should welcome input from external parties regarding 
potential security vulnerabilities and Congress should encourage that 
behavior.
    As Jeff Massimilla, Vice President for Vehicle Safety and Product 
Cybersecurity at General Motors, stated: ``To improve the security of 
their connected systems, every corporation should have a vulnerability 
disclosure policy that allows them to receive security submissions from 
the outside world.'' \20\
---------------------------------------------------------------------------
    \20\ https://www.cnet.com/roadshow/news/general-motors-
cybersecurity/
---------------------------------------------------------------------------
    Hacker-powered security has matured as a model to be ready to help 
society solve one of its most pressing problems: cyber threats.
    Pioneering entities have perfected the practice of hacker-powered 
security. Hundreds of thousands of security vulnerabilities have 
already been found and remediated. The vast community of hackers stands 
ready. The hackers are not asking what society can do for them. They 
are asking what they can do for society. Ethical hacking may be the 
only force that can stop criminal hacking. The asymmetry of digital 
threats can be turned around with pooled defense. Together we hit 
harder against cybercrime.
    Thank you for the opportunity to testify on this important issue.

    Senator Moran. Thank you for joining us.
    Ms. Moussouris.

 STATEMENT OF KATIE MOUSSOURIS, FOUNDER AND CEO, LUTA SECURITY

    Ms. Moussouris. Chairman Moran, Ranking Member Blumenthal, 
and distinguished members of the Committee, thank you for the 
opportunity to testify at this hearing on behalf of Luta 
Security and the security research community.
    We commend the Committee for holding this open hearing to 
help understand, clarify, and differentiate between defensive 
security research and vulnerability disclosure activities which 
may or may not include bug bounties versus internet-enabled 
crimes which may include extortion for unauthorized access to 
consumer data.
    I'm the Founder and CEO of Luta Security, working with 
governments and complex organizations on multi-party supply 
chain vulnerability coordination to create mature, robust, and 
sustainable vulnerability coordination and disclosure programs.
    We base these programs on the Industry International 
Standards, ISO 29147, Vulnerability Disclosure, and ISO 30111, 
Vulnerability Handling Processes, and our own Vulnerability 
Coordination Maturity Model.
    I am the co-author and co-editor of these international 
standards, was Co-chair of the NTIA's Multi-stakeholder 
Vulnerability Disclosure Working Group Subcommittee of 
Multiparty Vulnerability Coordination, and I have over 20 years 
of professional, technical, and strategic work in technology 
and information security as a former penetration tester or 
ethical hacker for hire at the company called @stake to 
creating Microsoft vulnerability research, the first Microsoft 
bug bounties, and advising the U.S. Department of Defense for 
several years resulting in the launch of the ``Hack the 
Pentagon'' Program.
    But today, I'm here as a witness to talk about the defense 
market for bugs, the role of bug bounties and other security 
research, and the role of the defensive ecosystem to shape 
these new markets.
    When I was a teenager learning to hack in the late 1980s, 
there was no broadly recognized and accessible defense market 
for hacking skills. There were no online banks or e-commerce 
sites to hire us to test their internet-facing systems for 
holes, and there certainly weren't any bug bounty programs.
    Even the U.S. Government had only a few years earlier 
become aware of threats to national security across the 
burgeoning early internet through Hollywood films, such as War 
Games.
    Only in the past five to eight years have we seen any major 
acceptance by governments and companies working cooperatively 
and openly with hackers. However, there is still a great fear 
among many organizations that opening a front door for hackers 
to report security holes will cause damage from disruption of 
operations, intellectual property theft, fraud, reputational 
damage, and, of course, data breaches.
    In 2015, 94 percent of the Forbes Global 2000 had no 
published way to report a security hold to them. If you saw 
something, it was very difficult and risky to say something.
    So while the Computer Fraud and Abuse Act hasn't materially 
changed over the past 34 years to grant security researchers 
safe harbor, in July 2017, the Department of Justice issued 
``Framework for Vulnerability Disclosure Program for Online 
Systems'' and this guide is meant as a way to help 
organizations think through important scoping issues around 
protected classes of data and systems when creating 
vulnerability disclosure programs with or without cash 
incentives.
    The main premises are: decide whether sensitive systems and 
data are in scope for discovery; encourage the use of test 
accounts whenever possible to avoid the unnecessary compromise 
of other users' privacy and data without their permission; make 
it clear that only the minimum necessary proof is required to 
prove that a vulnerability exists and no further access or 
exploitation past that point is authorized.
    Further, define how any deliberately or accidentally, 
because ``hackidents'' happen, accidentally accessed private 
data should be stored and transmitted and specify the manner in 
which the proof of the hack is conveyed, perhaps using a screen 
capture so as to not further transmit unauthorized accessed 
data.
    So this is to protect both the well-intentioned researchers 
from ambiguity and accidental overstepping as well as to 
protect consumers whose data may be subject to access.
    And, finally, as a creator and advisor to some of the major 
new bug bounty programs in the past several years, I want to 
point out that the ecosystem for reward bug hunting is skewing 
the markets toward more bug hunters but not necessarily more 
bug fixers.
    This imbalance that's being created in these markets may 
very well shift the ecosystem toward rewarding more data theft 
than bug hunting. Already we are facing a global shortage of 
talent in cyber security and an overall workforce creation is 
necessary in defense.
    We have got over 350,000 unfilled cyber security positions 
in the United States that are open and, according to a 2016 
study, none of the top 10 U.S. computer science programs 
required a cyber security course for graduation and three of 
the top 10 universities don't even offer an elective course in 
cyber security.
    The defense market for bugs that we are creating needs to 
be focused. Markets are not inevitable. They are actively 
created. If I were to recommend three practices, it would be 
funding for increased education in security to be set for all 
grades, setting forth requirements that all college majors in 
computer science understand secure coding and organizational 
cyber risk management, and a reflection on fewer ``hack the X'' 
bills being introduced without proper assessment of sustainable 
defensive capabilities in each government agency considering a 
bug bounty.
    Thank you for the opportunity of testifying. I welcome your 
questions and comments.
    [The prepared statement of Ms. Moussouris follows:]

Statement of Katie Moussouris for the hearing entitled, ``Data Security 
   and Bug Bounty Programs: Lessons Learned from the Uber Breach and 
 Security Researchers'' for the Senate Committee on Commerce, Science, 
   and Transportation's Subcommittee on Consumer Protection, Product 
 Safety, Insurance, and Data Security \1\ on Tuesday, February 6, 2018
---------------------------------------------------------------------------
    \1\ https://www.commerce.senate.gov/public/index.cfm/2018/2/data-
security-and-bug-bounty-programs-lessons-learned-from-the-uber-breach-
and-security-researchers
---------------------------------------------------------------------------
    Chairman Moran, Ranking Member Blumenthal, and distinguished 
members of the Committee, thank you for the opportunity to testify at 
this hearing on behalf of Luta Security and the security research 
community.
    We commend the Committee for holding this open hearing to help 
understand, clarify, and differentiate between defensive security 
research and vulnerability disclosure activities, which may or may not 
include bug bounties, versus Internet-enabled crimes, which may include 
extortion for unauthorized access to consumer data.
    I am the founder and CEO of Luta Security, working with governments 
and complex organizations on multi-party supply chain vulnerability 
coordination to create mature, robust, sustainable vulnerability 
coordination and disclosure programs. We base these programs on the 
industry international standards ISO/IEC 29147 Vulnerability 
disclosure,\2\ ISO/IEC 30111 Vulnerability handling processes,\3\ and 
our Vulnerability Coordination Maturity Model.
---------------------------------------------------------------------------
    \2\ http://standards.iso.org/ittf/PubliclyAvailableStandards/
c045170_ISO_IEC_29147
    \3\ https://www.iso.org/standard/53231.html
---------------------------------------------------------------------------
    I am the co-author & co-editor of these international standards, 
was co-chair of the NTIA's multi-stakeholder vulnerability disclosure 
working group subcommittee of multi-party vulnerability 
coordination,\4\ with over 20 years of professional technical and 
strategic work in technology and information security, as a former 
penetration tester at @stake,\5\ to creating Microsoft Vulnerability 
Research, the first Microsoft bug bounties, and advising the U.S. 
Department of Defense for years, resulting in the launch of the Hack-
the-Pentagon program. I am also one of two private industry official 
delegates of the U.S. technical experts working group to renegotiate 
the Wassenaar Arrangement,\6\ successfully helping clarify exemptions 
for vulnerability disclosure and incident response in export 
controls.\7\ I served as an expert witness for European Parliament's 
consideration of dual-use export control reform in the context of 
vulnerability disclosure and bug bounty programs.\8\
---------------------------------------------------------------------------
    \4\ https://www.first.org/global/sigs/vulnerability-coordination/
multiparty/FIRST-Multiparty-Vulnerability-Coordination-draft.pdf
    \5\ https://en.wikipedia.org/wiki/@stake
    \6\ https://langevin.house.gov/press-release/langevin-statement-
wassenaar-arrangement-plenary-session
    \7\ http://thehill.com/opinion/cybersecurity/365352-serious-
progress-made-on-the-wassenaar-arrangement-for-global
    \8\ https://www.youtube.com/watch?v=kDJxAm-AVNA&feature=youtu.be
---------------------------------------------------------------------------
    Today, I'm here as a witness to talk about the defense market for 
bugs, the role of bug bounties and other security research, and the 
role of the defensive ecosystem to shape these new markets.
    When I was a teen learning to hack in the late `80s, there was no 
broadly-recognized and accessible defensive market for hacking skills, 
no online banks or e-commerce sites to hire us to test their Internet-
facing systems for holes, no bug bounty programs, and even the United 
States government had only a few years earlier become aware of threats 
to national security across the burgeoning early Internet--through 
Hollywood films such as War Games.
    This awareness of the power of hackers had prompted not job offers 
or viable legal career paths, but legislation that made hacking a 
criminal offense.\9\ This law not only gave prosecutors the necessary 
legal tools to go after nation state actors and criminals, but to this 
day has caused a chilling effect on security research for defensive 
purposes. This chilling effect on researchers has also been reflected 
in the reluctance of governments and organizations to engage with 
hackers, further complicated by recent data breaches under the mis-
applied term ``bug bounty''.
---------------------------------------------------------------------------
    \9\ https://www.nytimes.com/2016/02/21/movies/wargames-and-
cybersecuritys-debt-to-a-hollywood-hack.html
---------------------------------------------------------------------------
    Only in the past 5 to 8 years have we seen any major acceptance by 
governments and companies working cooperatively and openly with 
hackers. However, there is still a great fear among many organizations 
that opening a front door for hackers to report security holes will 
cause damage from disruption of operations, intellectual property 
theft, fraud, reputational damage, and data breaches.
    In 2015, 94 percent of the Forbes Global 2000 had no published way 
to report a security hole to them. If you saw something, it was 
difficult to say something. It was even a risk to your freedom, if the 
organization chose to pursue legal action against you under the 
Computer Fraud and Abuse Act (CFAA).
    While the CFAA hasn't materially changed over the past 34 years to 
grant security researchers safe harbor for helping to point out 
security bugs, in July of 2017, the Department of Justice issued ``A 
Framework for a Vulnerability Disclosure Program for Online Systems.'' 
\10\ This guide is meant as a way to help organizations think through 
important scoping issues around protected classes of data and systems 
when creating vulnerability disclosure programs, with or without cash 
incentives or bug bounties.
---------------------------------------------------------------------------
    \10\ https://www.justice.gov/criminal-ccips/page/file/983996/
download
---------------------------------------------------------------------------
    The main premises to help create robust vulnerability disclosure or 
bug bounty programs are straightforward in the DoJ framework, with a 
summary of the key aspects as follows:

  1.  Decide whether sensitive systems and data are in scope for 
        discovery and reporting by external helpful hackers.

  2.  Encourage the use of test accounts whenever possible to avoid the 
        unnecessary compromise of other users' privacy and data without 
        their permission.

  3.  Make it clear that only the minimum necessary proof is required 
        to prove that a vulnerability exists, and that no further 
        access or exploitation past that point is authorized.

  4.  Further define how any deliberately or accidentally accessed 
        private data should be stored and transmitted.

  5.  Specify the manner in which proof of the hack is conveyed, 
        perhaps using a screen capture to avoid further transmitting 
        the protected data.

  6.  Decide whether to include the requirement to destroy any copies 
        of data once the report is delivered.

    To protect both well-intentioned researchers from ambiguity and 
accidental overstepping the intended scope, as well as to protect 
consumers whose data may be subject to access, transmission, and 
storage without their consent, it is important to define these 
parameters as clearly as possible. This applies in vulnerability 
disclosure programs as well as bug bounties.
    Finally, as a creator and advisor of some of the major new bug 
bounty programs in the past several years, I want to point out that the 
ecosystem for rewarding bug hunting is skewing the markets toward more 
bug hunters, but not necessarily more bug fixers. This imbalance that 
is being created in these markets may very well shift the ecosystem 
towards rewarding more data theft than bug hunting.
    There is a difference between paying $10,000 for a bug and paying 
$100,000 for a breach. If the legal market for bugs becomes muddied 
with extortion payments that are exponentially higher, we will be 
building the wrong kind of market, and consumers will be the victims 
instead of the beneficiaries of enhanced work with hackers.
    Already, we are facing a global shortage of talent in cyber 
security, and while more legal ways to report bugs is good, the 
creation of an overall defense workforce is necessary, in the United 
States and worldwide.
    ``In 2017, the U.S. employs nearly 780,000 people in cybersecurity 
positions, with approximately 350,000 current cybersecurity openings. . 
.''
    ``With more than 200,000 open cybersecurity jobs in 2015 in the 
U.S. alone and the number of threat surfaces exponentially increasing, 
there's a growing skills gap between the bad actors and the good guys. 
One way to close the gap is through automation, but we also need to 
train developers, at the very earliest stage of their education, to 
bake security into all new code. It's not good enough to tack 
cybersecurity on as an afterthought anymore. This is especially true as 
more smart devices become Internet accessible and therefore potential 
avenues for threats.''
    According to a 2016 study, ``none of the top 10 U.S. computer 
science programs required a cybersecurity course for graduation, and 3 
of the top 10 university programs don't even offer an elective course 
in cybersecurity.'' \11\
---------------------------------------------------------------------------
    \11\ https://www.cloudpassage.com/company/press-releases/
cloudpassage-study-finds-u-s-universities-failing-cybersecurity-
education/
---------------------------------------------------------------------------
    Much like in Star Wars, The Force for finding vulnerabilities has a 
dark side as well as a light side, but they are two sides of the same 
coin, representing indistinguishable skill sets. We are creating more 
of an imbalance in The Force, weighted against defenders.
    As a visiting scholar with MIT Sloan School helping to study the 
vulnerability economy and exploit markets, I helped clarify the 
differences in the offense and defense markets for bugs. The offense 
market is characterized by nation states and criminals buying bugs and 
exploits at high prices to keep them from being fixed as long as 
possible to prolong their use in attacks.
    The defense market is typically paying lower amounts than the 
offense market, but doesn't traditionally require the bug hunter to 
stay silent about their find, once it is fixed, providing the finder 
with recognition and further opportunities for their career in other 
ways.
    The defense market for bugs cannot compete directly with the 
offense market on price.
    Very quickly, we would run out of willing software developers and 
testers, and the markets are already taking that direction in the way 
that bug bounties are being used today. Bug bounty hunters worldwide 
are on average able to make more than being a software developer in 
many countries. Perverse incentives include overpaying for bugs on the 
defense market, as well as the rewarding of data theft with much higher 
prices than an honest bug hunter would get for adhering to the rules.
    The entire defensive bug hunting ecosystem has a responsibility to 
help uphold the law & guide the creation of programs that will not 
breach ethical or legal standards. We have a responsibility to the 
current and next generation of hackers to demonstrate best practices in 
bug bounties as well as the broader vulnerability disclosure picture.
    ``Focusing on the labor market opens new productive avenues for 
conversation and future research: It suggests linkages between research 
on vulnerability markets and a larger body of work rooted in the 
tradition of economic sociology. These efforts consider markets not 
only or, at times, not even primarily--as engines of efficient resource 
allocation, but move to address pressing descriptive questions related 
to the contingent and historical specificity of the construction of 
markets. Markets are not inevitable. They are always actively 
created.'' \12\
---------------------------------------------------------------------------
    \12\ Ryan Ellis, Keman Huang, Michael Siegel, Katie Moussouris, and 
James Houghton. ``Fixing a Hole: The Labor Market for Bugs.'' New 
Solutions for Cybersecurity. Howard Shrobe, David L. Shrier, and Alex 
Pentland, eds. Cambridge: MIT Press. In Press. ISBN: 9780262535373 
https://mitpress.mit.edu/books/new-solutions-cybersecurity
---------------------------------------------------------------------------
    If Congress were to act to help clarify the role of defensive 
security research, and encourage the growth of the defense market for 
bugs, as well as the United States labor workforce in cybersecurity 
defender roles, I would ask that:

  1.  Funding for increased education in security be set for all grades 
        (K-12), to begin finding early security talent and recruiting 
        for defense

  2.  Setting forth requirements that all college majors in computer 
        science understand secure coding and organizational cyber risk 
        management

  3.  Fewer ``Hack the x'' bills be introduced without proper 
        assessment of sustainable defensive capabilities in each 
        government agency considering launching a bug bounty.

    Again, I'd like to thank you for the opportunity of testifying 
today. I welcome your questions and comments.

    Senator Moran. Thank you for your testimony.
    Mr. Brookman.

STATEMENT OF JUSTIN BROOKMAN, DIRECTOR. PRIVACY AND TECHNOLOGY 
                    POLICY, CONSUMERS UNION

    Mr. Brookman. Chairman Moran, Members of the Subcommittee, 
thank you very much for the opportunity to testify here today.
    I am here today on behalf of Consumers Union, the advocacy 
division of Consumer Reports. We are the world's largest 
independent testing organization and we use our ratings content 
and advocacy to create a fair, safer, and healthier world.
    Let me start out by saying the Consumers Union is a strong 
proponent of bug bounty programs. We believe they play a 
crucial role in a data security ecosystem that has failed 
consumers far too often.
    The 2016 Uber incident, however, highlights the practices 
are still developing in this area and we don't always have 
clear expectations about how these programs should work.
    While bug bounty programs are one useful tool in 
maintaining reasonable security, they are not a magic bullet. 
Ultimately, in order to fix the poor state of modern security, 
incentives need to change and that is why we urge Congress to 
update consumer protection laws to establish reasonable data 
security requirements and to hold companies accountable for bad 
practices, and this premise that poor data security practices 
are widespread is, I hope, not controversial.
    We've seen a never-ending torrent of major data breaches 
punctuated by the exposure of a 145 million social security 
numbers in last year's Equifax breach. We are connecting more 
and more smart devices to the internet but they're not always 
developed with security in mind. Many never get security 
updates or even have the ability to get updated.
    Bug bounty programs represent an innovative approach to 
data security by leveraging a diverse third-party ecosystem to 
identify vulnerabilities before they can be taken advantage of 
by malicious actors.
    Last year, Consumer Reports released a document that we 
called The Digital Standard. It's an open-sourced collaboration 
designed to articulate best practices in privacy and security 
and related values, such as repairability and interoperability, 
and in this document, we specifically identify having a bug 
bounty program as an indicator of good security practices at 
the company.
    Moreover, we identified a commitment not to pursue legal 
action against security researchers as another indicator of 
good security practices, the rationale being that this provides 
a strong disincentive certainly for outsiders to try to improve 
any particular company's practices but also to security 
research more generally.
    The 2016 Uber incident raises challenging questions about 
how best to manage bug bounty programs. While I think Uber had 
a duty to notify its driver's license numbers had been 
compromised, the case highlights the potential tension between 
breach notification laws and bug bounty programs and raises 
other questions.
    When should discovery of vulnerability by a third party 
trigger breach notification to consumers? How can researchers 
test for bugs without ever touching consumer data? When, if 
ever, should bounties be negotiable?
    And we certainly have concerns about the use of non-
disclosure agreements to prohibit discussion of vulnerability, 
even after it had been remediated.
    These are just some of the important questions raised by 
the case and I applaud the Committee for holding this hearing 
to explore these and other issues.
    Bug bounty programs should and will continue to play an 
important role in improving data security but they're just one 
piece. Fundamentally, companies need to have a legal 
responsibility to use reasonable security to protect personal 
information and that is why Congress needs to act to update 
legal protections for consumers to reflect the extremely real 
threat posed by poor data security.
    There are a few things I think Congress can do. One, 
empower the Federal Trade Commission. The FTC has a long 
bipartisan history of responding to constantly changing array 
of threats on behalf of the American people, but they're 
understaffed and they typically can't get penalties from 
wrongdoers when they break the law. That should change.
    Second, Congress should pass legislation requiring 
companies to use reasonable data security. The FTC has 
interpreted its Section 5 authority to require reasonable 
security but they have been challenged in court and it's 
difficult, if not impossible, to attribute instances of harm to 
individual data breaches. We should have rules requiring 
reasonable security.
    And, last, don't block the states from protecting their own 
citizens. Some level of preemption may be appropriate in a bill 
but states have to be allowed to pass protections for what a 
Federal bill doesn't cover. The states have been leaders on 
data security, passing the first breach notification laws, 
starting in 2002, and they have kept updating those laws over 
time so they don't just cover financial information, they cover 
other sensitive categories, like health data and e-mail and 
photo storage accounts. States need to be empowered to step in 
and protect their citizens when Federal protections are 
missing.
    Thank you very much for inviting me to discuss these 
important issues. I look forward to answering any questions I 
can.
    [The prepared statement of Mr. Brookman follows:]

Prepared Statement of Justin Brookman, Director, Privacy and Technology 
                        Policy, Consumers Union
    On behalf of Consumers Union, I want to thank you for the 
opportunity to testify today. We appreciate the leadership of Chairman 
Moran and Ranking Member Blumenthal in holding today's hearing to 
explore the still-developing field of bug bounty programs, and how they 
can best be implemented to promote data security for American 
consumers.
    I appear here today on behalf of Consumers Union, the advocacy 
division of Consumer Reports, an independent, nonprofit organization 
that works side by side with consumers to create a fairer, safer, and 
healthier world.\1\
---------------------------------------------------------------------------
    \1\ As the world's largest independent product-testing 
organization, Consumer Reports uses its more than 50 labs, auto test 
center, and survey research center to rate thousands of products and 
services annually. Founded in 1936, Consumer Reports has over 7 million 
subscribers to its magazine, website, and other publications.
---------------------------------------------------------------------------
    Consumers Union is a strong proponent of bug bounty programs, and 
believes that they play a crucial role in a data security ecosystem 
that has failed consumers far too often. Used properly, bug bounty 
programs enable companies to learn of breaches and vulnerabilities, in 
service to the larger goals of protecting consumer data and alerting 
consumers to threats as warranted and/or required by law. In the case 
of the 2016 Uber security incident, we believe the company should have 
disclosed the event earlier, not only because a hacker had accessed 
sensitive data, but because it appears credentials to that data had 
been publicly accessible for some time. This incident illustrates the 
continuing need for Congress to pass legislation providing stronger 
incentives for companies to deploy reasonable safeguards for personal 
data.
I. The Poor State of Modern Data Security and the Importance of Bug 
        Bounty Programs
    As this Committee well knows, the story of data security in recent 
years is not a pretty one. Massive data breaches have become 
commonplace, as companies accumulate vast troves of valuable consumer 
data but frequently fail to put adequate systems in place to protect 
it. The Target data breach of 2013 compromised the information of an 
estimated 110 million people,
    including the payment card information of about 40 million 
consumers.\2\ Hackers obtained the data of about 80 million people in 
the Anthem data breach of 2015.\3\ And last year, criminals took 
advantage of well-known vulnerabilities in software used by Equifax to 
access the Social Security numbers of over 145 million people.\4\ 
Targeted companies often have the opportunity to head off a breach but 
neglect to take action. For example, the software vulnerabilities that 
made Equifax a ripe target for attackers had been public for months, 
but Equifax failed to address them before the breach.\5\
---------------------------------------------------------------------------
    \2\ Rachel Abrams, Target to Pay $18.5 Million to 47 States in 
Security Breach Settlement, N.Y. Times, (May 23, 2017), https://
www.nytimes.com/2017/05/23/business/target-security-breach-
settlement.html.
    \3\ Brendan Pierson, Anthem to Pay Record $115 Million to Settle 
U.S. Lawsuits over Data Breach, Reuters (Jun. 23, 2017), https://
www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-
record-115-million-to-settle-u-s-lawsuits-over-data-breach-
idUSKBN19E2ML.
    \4\ Equifax Announces Cybersecurity Firm Has Concluded Forensic 
Investigation of Cybersecurity Incident, Equifax.com (Oct. 2, 2017), 
https://www.equifaxsecurity2017.com/2017/10/02/equifax-announces-
cybersecurity-firm-concluded-forensic-investigation-cybersecurity-
incident/.
    \5\ Lily Hay Newman, Equifax Officially Has No Excuse, Wired (Sep. 
14, 2017), https://www.wired.com/story/equifax-breach-no-excuse/.
---------------------------------------------------------------------------
    Bug bounty programs represent a novel and innovative approach to 
identifying vulnerabilities before they can be taken advantage of by 
malicious actors. These programs incentivize a diverse third-party 
ecosystem to probe systems for potential failures. They also provide an 
alternative to sale of exploits on the black market where they can 
fetch several hundred thousand dollars--or more.\6\ By offering to pay 
for information directly, companies can offer white- and grey-hat 
hackers a legal way to monetize their skills, with a far better outcome 
for companies and consumers. The rapid rise of these programs is 
evidence of their success. In 2016, Google paid out over $3 million 
under its bug bounty program for vulnerabilities in products such as 
Android and Chrome.\7\ Last year it partnered with HackerOne to expand 
the program to cover popular third-party apps in its Google Play 
Store.\8\
---------------------------------------------------------------------------
    \6\ Kif Leswig, Here's what Apple thinks about the black market for 
$1 million iPhone hacks, Business Insider, (Jul. 4, 2016), http://
www.businessinsider.com/apple-addresses-black-market-for-software-
vulnerabilities-2016-6
    \7\ Taylor Hatmaker, Google's bug bounty program pays out $3 
million, mostly for Android and Chrome exploits, Techcrunch, (Jan. 31, 
2017), https://techcrunch.com/2017/01/31/googles-bug-bounty-2016/.
    \8\ Liam Tung, Android Security: Google will pay $1000 for holes in 
these top apps, ZDnet, (Oct. 20, 2017), http://www.zdnet.com/article/
android-security-google-will-pay-1000-for-holes-in-these-top-apps/.
---------------------------------------------------------------------------
    Consumers Union strongly supports the development of bug bounty 
programs, not just by large tech companies, but for any company that 
stores sensitive consumer data that could lead to identity theft, harm, 
or embarrassment if exposed. In fact, bug bounty programs are 
identified as an indicator of good data security in the Digital 
Standard--an open source effort led by Consumer Reports to articulate 
best practices for privacy, security, ownership, and governance in an 
increasingly connected world.\9\ We launched the Digital Standard with 
our partners Ranking Digital Rights, Disconnect, and the Cyber 
Independent Testing Lab in March of last year as part of a strategic 
shift to start evaluating products for these values as part of our core 
reviews and ratings service.\10\ In addition to highlighting the value 
of bug bounty programs, the Digital Standard defines as best practices 
``disclos[ing] the time-frame in which it will review reports of 
vulnerabilities'' and--notable for this hearing--``commit[ting] not to 
pursue legal action against security researchers.'' \11\
---------------------------------------------------------------------------
    \9\ The Digital Standard, https://www.thedigitalstandard.org/.
    \10\ Consumer Reports to Begin Evaluating Products, Services for 
Privacy and Data Security, Consumer Reports, (Mar. 6, 2017), https://
www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-
products-services-for-privacy-and-data-security/
    \11\ The Digital Standard, Data Security, Vulnerability disclosure 
program, https://www
.thedigitalstandard.org/the-standard.
---------------------------------------------------------------------------
II. ``John Doughs'' and the Uber Bug Bounty Program
    Although open source software development has always depended on 
external support to identify errors and weaknesses in code, formal bug 
bounty programs within major technology companies are still a 
relatively new phenomenon. As such, it is understandable that 
expectations, norms, and best practices are still developing in this 
area.
    In 2016, a hacker calling himself ``John Doughs'' e-mailed Uber's 
chief security officer Joe Sullivan that he had discovered a ``major 
vulnerability'' in Uber's systems.\12\ In subsequent conversations with 
the hacker, Uber discovered that company engineers had posted 
credentials to Uber's servers on the code management portal GitHub, and 
that Doughs had used the credentials to access information about Uber's 
57 million user and driver accounts, including sensitive data such as 
driver's license numbers. Although Uber told Doughs that its maximum 
bug bounty payout was $10,000, the hacker insisted that he expected 
``six digits'' for his information. Eventually, Uber decided to pay 
Doughs $100,000, and required him to agree to delete the compromised 
data.
---------------------------------------------------------------------------
    \12\ Nicole Perlroth and Mike Isaac, Inside Uber's $100,000 Payment 
to a Hacker, and the Fallout, N.Y. Times, (Jan. 12, 2018), https://
www.nytimes.com/2018/01/12/technology/uber-hacker-payment-100000.html.
---------------------------------------------------------------------------
    In general, we believe it is counterproductive to report 
participants in bug bounty programs to law enforcement absent a strong 
indication of malicious intent. We are not convinced there is anything 
wrong per se with a hacker asking for more money than is originally 
offered for information on a vulnerability. A hacker may reasonably 
believe that the value of the information and the time invested in 
uncovering it merit a higher payment. In the past, others have 
criticized Uber's bug bounty program for failing to provide reasonable 
payments for identifying exploitable holes in their code.\13\ At some 
point, a request for more money may convey an implicit--or explicit--
threat to sell the exploit or compromised data elsewhere if the demands 
are not met. However, from the publicly reported facts, it is not clear 
that that happened in this case. In any event, Uber had invited persons 
such as Doughs to look for precisely the type of vulnerabilities that 
he eventually found. If security researchers have to worry that looking 
for bugs in code will lead to criminal referral, the efficacy of bug 
bounty programs will dramatically decrease.
---------------------------------------------------------------------------
    \13\ Gregory Perry, How I Got Paid $0 From the Uber Security Bug 
Bounty, Medium, (Dec. 24, 2017), https://medium.com/bread-and-circuses/
how-i-got-paid-0-from-the-uber-security-bug-bounty-aa9646aa103f
---------------------------------------------------------------------------
    Nevertheless, Uber had an ethical--and legal--obligation to be more 
forthcoming with its users after it was made aware of its security 
lapse. Forty-eight states--as well as the District of Columbia, Puerto 
Rico, Guam, and the U.S. Virgin Islands have laws mandating disclosure 
to consumers when their personal information is jeopardized in a 
security breach.\14\ Drivers' license information--which was 
compromised in this incident--is typically included within such laws. 
While breach notification triggers vary significantly among the states, 
it seems quite likely that at least some state laws mandated disclosure 
to Uber drivers about the incident. For example, California law 
requires breach notification when ``unencrypted personal information 
was, or is reasonably believed to have been, acquired by an 
unauthorized person.'' While many other states only require 
notification upon a determination that no harm was likely to have 
occurred, it is not clear how Uber could have reasonably come to this 
conclusion. Even if Uber felt it could trust that John Doughs had not 
sold or copied the data, Uber knew that credentials to its servers had 
been publicly accessible in Github and could have been used by others 
to access sensitive personal information.\15\ Uber is in constant 
communication with its drivers and could easily have told them about 
the potential exposure of their information; instead they decided to 
say nothing.
---------------------------------------------------------------------------
    \14\ Security Breach Notification Laws, National Conference of 
State Legislatures, (Apr. 12, 2017), http://www.ncsl.org/research/
telecommunications-and-information-technology/security-breach-
notification-laws.aspx.
    \15\ Jeremy Kahn, Uber Hack Shows Vulnerability of Software Code-
Sharing Services, Bloomberg, (Nov. 22, 2017), https://
www.bloomberg.com/news/articles/2017-11-22/uber-hack-shows-
vulnerability-of-software-code-sharing-services. This was not the first 
time Uber credentials posted to GitHub led to a data security incident; 
in 2014, credentials posted in a publicly available GitHub repository 
compromised the data of 50,000 users. Id.
---------------------------------------------------------------------------
    State data breach notification laws were first passed starting in 
2002, and were clearly not written with bug bounty programs in mind. 
Notification laws and bug bounty programs both play an important role 
in protecting consumers, but there is a potential conflict between the 
two that needs to be reconciled. Indeed, notifying consumers of 
breaches created by ethical hacking pursuant to bug bounty programs 
could unnecessarily alarm consumers without providing any clear 
benefit.\16\ Lawmakers seeking to update these protections must be 
extremely careful to balance the security benefits provided by external 
hacking with the right of consumers to know when their information is 
truly at risk, perhaps by developing general standards to govern the 
legitimate use of these programs. In any event, Uber was not entitled 
to simply decide not to follow consumer protection (and other) laws it 
believed to be onerous or unnecessary. Uber previously took over six 
months to announce a different data breach in 2015, making the delay in 
announcing the 2016 breach all the more difficult to justify.\17\ 
Further, if in fact a condition of the payment to Doughs was that he 
could not disclose the incident--even after the vulnerability had been 
remedied so no one could exploit it--then the lack of transparency from 
Uber is still more concerning.\18\
---------------------------------------------------------------------------
    \16\ Similarly, security researchers have called for modifications 
to the Wassenaar anti-proliferation agreement to allow for cross-border 
communications about security vulnerabilities and the effective 
management of bug bounty programs. See James Sanders, How the Wassenaar 
Arrangement threatens responsible vulnerability disclosures, 
TechRepublic, (Jul. 7, 2015), https://www.techrepublic.com/article/how-
the-wassenaar-arrangement-threatens-responsible-security-vulnerability-
disclosures/.
    \17\ Dave Lewis, Uber Suffers Data Breach Affecting 50,000, Forbes, 
(Feb. 28, 2015), https://www.forbes.com/sites/davelewis/2015/02/28/
uber-suffers-data-breach-affecting-50000/#5e59102c2db1.
    \18\ Mike Isaac, Katie Brenner, and Sheera Frankel, Uber Hid 2016 
Data Breach, Paying Hackers to Delete Stolen Data, N.Y. Times, (Nov. 
21, 2017), https://www.nytimes.com/2017/11/21/technology/uber-
hack.html. Even today, Uber and HackerOne, despite publishing 
statistics about the bug bounty program, appear to be omitting 
inclusion of this incident. The bounty program's webpage states that 
its top bounties range between $4,400 and $20,000, despite reports that 
John Doughs was paid over $100,000 for information about this security 
vulnerability. See Uber: Bug Bounty Program, Uber, https://
hackerone.com/uber. This is despite the site denoting ``AWS credential 
exposure resulting in access to driver documents'' as an example of in-
scope vulnerability class examples--precisely the vulnerability exposed 
by Doughs.
---------------------------------------------------------------------------
III. New Laws are Needed to Provide for Better Security Incentives
    Bug bounty programs should continue to play an important role in 
safeguarding consumers personal information. And Consumer Reports is 
committed to providing more information to the marketplace about which 
companies perform best under the Digital Standard, including which 
companies have the best security practices.
    However, due to a misalignment of incentives, most companies today 
do not adequately invest in cybersecurity. Many breaches are not 
detected or publicly disclosed. The likelihood of law enforcement under 
the current regulatory scheme is low. The potential profits from using 
consumer data far outweigh any penalties that can be assessed for 
violations, incentivizing carelessness and misuse. And companies that 
experience a data breach bear only a portion of the cost--much of that 
instead is laid on consumers. As such, we need a much stronger data 
security law in the United States.
    Americans lost an estimated $16 billion to identity theft in 2016, 
up almost $1 billion from the year prior.\19\ Department of Justice 
data reveals that about 7 percent of Americans over the age of 16 
experienced identity theft in 2014.\20\ About 9 percent spent a month 
or more repairing their accounts or credit histories.\21\ Tax identity 
theft--when identity thieves use compromised social security numbers to 
file taxes and collect the refund--is a significant concern as well. In 
Fiscal Year 2016, the Internal Revenue Service discovered fraudulent 
returns filed for nearly 1 million people, totaling $6.5 billion.\22\ 
And because consumers often cannot reliably attribute these losses to 
particular companies, those companies typically can't be held 
responsible in court for consumers' losses.
---------------------------------------------------------------------------
    \19\ Identity Fraud Hits Record High with 15.4 Million U.S. Victims 
in 2016, Up 16 Percent According to New Javelin Strategy & Research 
Study, Javelin (Feb. 1, 2017), https://www.javelinstrategy.com/press-
release/identity-fraudhits-record-high-154-million-us-victims-2016-16-
percent-according-new.
    \20\ U.S. Dep't of Justice, Victims of Identity Theft, 2014 1 (Sep. 
2015), https://www.bjs.gov/content/pub/pdf/vit14.pdf.
    \21\ Id. at 10.
    \22\ Written Testimony of John A. Koskinen Before the Senate 
Finance Committee on the 2017 Filing Season and IRS Operations, 
Internal Revenue Serv. (Apr. 6, 2017), https://www
.irs.gov/newsroom/writtentestimony-of-john-a-koskinen-before-the-
senate-finance-committee-on-the-2017-filing-season-and-irs-
operationsapril-6-2017.
---------------------------------------------------------------------------
    Congress needs to act to update consumer protections to reflect the 
extremely real threats poses to consumers by poor security practices.
    First, lawmakers should give the Federal Trade Commission (FTC) 
\23\ stronger resources and tools to protect consumers. The FTC has a 
long, bipartisan history of responding to an ever-changing array of 
threats on behalf of the American people. However, the agency does not 
have sufficient resources to police the marketplace as it should, and 
there are gaps in its authority to address privacy and data security 
lapses in various sectors. For example, it currently lacks the 
authority to take action against nonprofit entities and ``common 
carriers.'' \24\ Moreover, when it does bring a case against a bad 
actor, it typically lacks the authority to obtain civil penalties to 
deter potential wrongdoers from similar behavior. As such, deceptive or 
unfair business practices can be rationalized by companies as a (fairly 
low) cost of doing business.
---------------------------------------------------------------------------
    \23\ From August 2015 to August 2017, I served as Policy Director 
of the FTC's Office of Technology, Research, and Investigation.
    \24\ Oral Statement of Commissioner Terrell McSweeny before the 
House Judiciary Committee, (Nov. 21, 2017), https://www.ftc.gov/system/
files/documents/public_statements/1268963/
mcsweeny_oral_testimony_to_us_house_of_representatives_committee_on_the_
judiciary_11-1-17_.pdf.
---------------------------------------------------------------------------
    Second, Congress should pass legislation requiring companies that 
have access to sensitive personal information to use reasonable 
security to safeguard it. Despite the FTC's long-standing use of the 
FTC Act to address data security lapses, some companies continue to 
challenge it.\25\ The FTC to date has brought over 60 cases challenging 
shoddy data security practices, but given the uncertainties in 
application, challenges in attributing harm to specific incidents, and 
the lack of penalties, the market has yet to internalize the risks 
posed to consumers by potential data breaches.
---------------------------------------------------------------------------
    \25\ E.g., Mallory Locklear, FTC lawsuit over D-Link's lax router 
security just took a big hit, Engadget, (Sep. 21, 2017), https://
www.engadget.com/2017/09/21/ftc-lawsuit-d-link-lax-router-security-
took-hit/.
---------------------------------------------------------------------------
    Finally, while the vast majority of American citizens are protected 
by state data breach notification laws today, a Federal standard has 
the potential to strengthen these requirements and impose stronger 
penalties. However, the goal of any Federal breach notification law 
must be to strengthen consumer protections, not weaken the already 
inadequate incentives in place today. As a result, any such bill should 
include the resources and stronger authority for the FTC discussed 
above. Further, it must not broadly preempt state breach and security 
laws that cover information outside the scope of a Federal law.
    Indeed, states must be allowed and encouraged to continue to 
innovate to protect their citizens. States have been the leaders in 
passing and revising data breach notification legislation over the 
years. At first, these laws primarily covered financial information 
such as Social Security numbers and credit card account numbers. 
However, over time, several states have extended these laws to cover 
new categories of information that, if compromised, pose risks to 
consumers. For instance, some states have extended breach notification 
protections to e-mail and photo storage accounts, recognizing that 
those databases contain incredibly personal information, and could be 
leveraged for new types of damaging identity theft.\26\ States must be 
allowed to iterate over time to protect their citizens from new and 
emerging security threats.
---------------------------------------------------------------------------
    \26\ E.g., Delaware Amends Its Data Breach Notification Law, Mayer 
Brown, (Aug. 29, 2017), https://www.mayerbrown.com/delaware-amends-its-
data-breach-notification-law-08-29-2017/.
---------------------------------------------------------------------------
Conclusion
    Thank you again for the opportunity to testify here today about the 
challenges of implementing bug bounty programs to best safeguard 
personal information. We believe that these programs play a vital role 
in uncovering vulnerabilities in code before they can be exploited by 
malicious actors. However, in order to incentivize companies to deploy 
these and other data protection safeguards, Congress must update 
consumer protection laws for the modern age to account for the 
unprecedented threats to our personal data. I look forward to answering 
the Committee's questions.

    Senator Moran. Thank you very much. Thank you all.
    Let me start with some questions and I don't know whether 
we'll have time for a second round or not. So if we can have 
relatively brief answers, I'll try to have relatively brief 
questions.
    First of all, for you, Mr. Flynn, what's the justification 
that there apparently was no, in the view of Uber, legal or 
other obligation to notify the victims of the hack?
    Mr. Flynn. Senator, there's no justification for that. We 
should have notified our customers at the time when this did 
occur and it was a mistake not to do so.
    Senator Moran. So Uber does not take the position that the 
law is unclear?
    Mr. Flynn. I do believe that the patchwork laws that are 
per state are a challenge for all companies and defenders to 
contend with. I do believe that is the case, but in this case, 
I think the real issue was that we didn't have all the right 
people in the room making that evaluation and making the right 
decision and making right by our customers.
    Senator Moran. Thank you for that honest answer.
    Perhaps this is Mr. Mickos or Ms. Moussouris. Excuse me.
    Ms. Moussouris. Like a dinosaur, Moussouris.
    Senator Moran. Moussouris. Thank you. That's very helpful. 
I'll be sitting here thinking if I get it right what dinosaur 
was that.
    So what determines the price for which a hacker is paid for 
the return of the information? Is that a negotiated item and 
what are the factors that are determined, in this case a 
$100,000 being apparently appropriate?
    Mr. Mickos. Mr. Chairman, by now the world has paid tens of 
thousands of bounties. So there starts to be a typical pricing 
for any sort of vulnerability. So you can compare to other 
companies and you can set your bounties in accordance with 
common practices.
    But the bounty decision is always a decision for the 
company who's receiving the vulnerability and the main 
influencing factor is the severity of the vulnerability, i.e., 
how bad would it be if indeed a criminal abused the 
vulnerability, and that is why in my opening statement I said 
the average over all these bounties is only about $500 per 
vulnerability, but the highest bounties offered are $250,000. 
So it's mathematically a question of a power law distributed 
set where there are very few extremely valuable vulnerabilities 
that will catch a very high price all the way up today to 
$250,000 whereas the majority of the regular day-to-day bug 
bounty program operates in the range of hundreds or thousands 
of dollars.
    Senator Moran. What's the obligation to report the payment 
or the breach to law enforcement and once a bounty is paid, is 
that obligation changed? Is that part of the agreement?
    Mr. Mickos. Mr. Chairman, the business, the bug bounty 
program is a preventative service and it is not the function of 
incident response.
    Senator Moran. So in the case of your client, Uber, did you 
work for them? You were performing services for them prior to 
the incident of 2016?
    Mr. Mickos. Uber became a customer of HackerOne in 2015 and 
they operate their Bug Bounty Program on our platform, yes.
    Senator Moran. And so you did not determine a vulnerability 
prior to the realization that there was a problem in 2016?
    Mr. Mickos. The way we deal with it, the vulnerability gets 
reported through our platform. We do not see the contents of 
the report. It goes to the customer and the customer takes 
action and may come back to HackerOne and say this was a valid 
vulnerability report, please pay the following bounty to this 
hacker, and that is how we deal with any of these bounties when 
they come from any of our customers.
    Senator Moran. What are the other techniques, besides bug 
bounties? I said it in my opening statement, but I think you 
indicated, Ms.----
    Ms. Moussouris. Moussouris.
    Senator Moran.--Moussouris--thank you so much for the 
reminder. Defensive hack ecosystem. So we've been focused on 
bug bounties, but there apparently are other techniques that we 
ought to be aware of?
    Ms. Moussouris. Yes, of course. If I could answer your 
previous question about bounty price?
    Senator Moran. Please.
    Ms. Moussouris. That is actually something that is very 
important in terms of the defense market.
    There is a defense market for bugs and exploits and there 
is an offense market for bugs and exploits and they're 
characterized not just in price. There's a huge price 
differential, but they're characterized differently when it 
comes to what their objective is.
    So the offense market for bugs is buying bugs and exploits 
that are fairly reliable and much higher priced in order to 
keep them secret and usable for attack purposes. They could be 
bought for regular law enforcement or used by nation states. 
They could be bought by criminal organizations.
    Defensive bounty prices, which regular bug bounties are a 
part of the defensive market, there is a logical ceiling above 
which those defensive market prices cannot exceed. You cannot 
compete directly with the offense market.
    The reason for that is you will create a perverse set of 
incentives where you might, you know, essentially incent some 
developers inside of an organization to collude with a member 
of the outside to write bugs into the code. You may create an 
environment where it's much more lucrative to spend your time 
hunting for bugs than it is to develop fixes or even develop 
new code.
    So we're already seeing a skew in the market right now 
where the way that the bug bounties are being used and applied, 
where it is actually much more lucrative. I think HackerOne 
just released a report talking about how much more lucrative it 
is to be a bug bounty hunter than it is to be a developer and 
that's including in the United States.
    So we do have to be mindful of this market that we're 
creating here and make sure that we're not over-skewing and 
over-rewarding the pointing out of flaws without creation of an 
ability to catch these bugs and deal with them appropriately 
and building that workforce.
    So back to your----
    Senator Moran. Excuse me one moment.
    Ms. Moussouris. Yes.
    Senator Moran. So I want to make sure I understand 
something because this is at least useful to me. It's not a 
question of whether you pay the consequences of the breach 
versus the amount of money that the bounty would be.
    It seems to me that when Mr. Mickos says the maximum is 
$250,000, that's the compensation for finding the problem. It's 
not a competition between how much money I'm going to pay to 
find the problem after there has already been a problem because 
the consequences of the hack will be much more expensive than 
the $250,000 maximum that Mr. Mickos--do I understand something 
here?
    Ms. Moussouris. Well, it is hard to estimate the overall 
cost of a breach. It's hard to estimate it to the company 
involved, to the users whose data may be compromised, and to 
other, you know, affected and related systems.
    So there should not actually be a direct correlation 
between the resulting potential harm and a defensive market 
price. It is much more of a token of appreciation, even if it 
is a six-figure payout, and I created Microsoft's 
Vulnerability, you know, Bug Bounty Program at $100,000 but it 
was for a technique. That is something that's sufficiently rare 
that it wasn't creating these perverse incentives where, you 
know, people could quit working at Microsoft, stop working on 
platform mitigations, and instead go off and, you know, supply 
these.
    Whereas the damage that, you know, potential new 
exploitation technique could cause in the ecosystem is 
certainly much more multiple millions of dollars. It is the 
idea of setting these incentives at an appropriate level where 
you are drawing out interest and creativity of the hacker 
community to work with you, but not setting them so high for 
something that is not sufficiently rare enough that you're not 
creating this much more lucrative business.
    And in the case of these breaches, what I'm concerned about 
as, you know, a concerned member of the defensive economy here 
is that why would a hacker turn in a bug and follow the rules 
for $10,000 when the term ``bug bounty'' has been muddied to 
include downloading 57 million records and getting paid a 
$100,000 for that data theft?
    I think that is a line that we should be very, very clear 
that bounties should not be negotiable in that way. You had 
asked that question. Should they be negotiable? I think not. 
They are about setting what you think is a reasonable price, 
such that you're below that, you know, perverse incentive mark 
of inciting some bad actors and some bad activities and really 
setting an example for the hackers of today and the hackers of 
tomorrow to participate in the defensive economy for bugs in 
the right way.
    Senator Moran. Thank you very much.
    Senator Blumenthal.
    Senator Blumenthal. Thank you, Senator Moran.
    I think this distinction is pretty simple and I think you 
make it in your testimony, Ms. Moussouris, when you say that we 
need to make clear that only ``the minimum necessary proof is 
required to prove that a vulnerability exists and that no 
further access or exploitation passed that point is 
authorized.''
    And actually, Mr. Flynn, you make it pretty clear, too, 
when you say in your testimony, ``in my view, the key 
distinction regarding this incident is that the intruders not 
only found a weakness, they also exploited the vulnerability in 
a malicious fashion to access and download the data.''
    It's the difference between a security consultant who says 
about your home, you have this vulnerability to forced entry 
and the criminal who says you have this vulnerability to forced 
entry and I have your child, pay me a $100,000. That's ransom. 
It's a crime.
    And so concealing it, in my view, is in effect aiding and 
abetting that crime. I don't know what you want to call it, but 
wouldn't you agree with me that the net effect was to cover up 
or seek to cover up a crime?
    Mr. Flynn. Mr. Blumenthal, thank you for those points.
    I agree that this was not consistent with the way in which 
our Bug Bounty Program normally operates and it's important to 
understand that this is not the way that we're going to do 
these things moving forward.
    You know, I think that, as you point out, sir, the fact 
that this was a multistep malicious intrusion, a downloading of 
data, and an extortion and ransom demands, means that this 
wasn't consistent with that or the way that that program 
normally operates.
    Senator Blumenthal. And any such criminal conduct needs to 
be reported immediately to authorities.
    Mr. Flynn. Yes, sir, exactly.
    Senator Blumenthal. And to consumers, ordinary people, 
whose lives may be put at risk as a result.
    Mr. Flynn. I agree with you on both counts, sir. I think we 
made a misstep in not reporting to consumers and I think we 
made a misstep in not reporting to law enforcement and those 
are both things that we have corrected and will correct going 
forward.
    Senator Blumenthal. Would you agree with me, actually with 
the Electronic Privacy Information Center that ``bug bounties 
need to be non-negotiable and clearly defined in company 
policy. Otherwise, companies are letting user data be held as 
ransom.''
    Mr. Flynn. I do believe it's important to understand the 
boundaries between our Bug Bounty Program and a case like this 
which had those features that you had pointed out, the 
extortion and ransom demands and so forth.
    Senator Blumenthal. Extortion and ransom demands but also 
when you say you're going to run a bug bounty program, if you 
say we're going to negotiate with you when you have access to 
our information or when you have the information, it exposes 
you in effect to extortion and ransom demands, correct?
    Mr. Flynn. Yes, sir, and what I would recommend, after 
learning a lot of lessons from this experience personally, is 
that I would recommend all companies that are running and 
operating bug bounty programs to ensure that they have a 
process and procedure in place for when and if this type of 
occasion does occur because I think it's something that we 
hadn't contemplated at the time and we made some missteps along 
the way as a consequence.
    Senator Blumenthal. Does Uber have that procedure in place 
now?
    Mr. Flynn. So we have changed a number of aspects of our 
approach. One of the things that we didn't do well here is that 
we didn't include enough of the right legal representatives to 
determine if this was a data breach notification requirement. 
So we've done one thing, which is brought everybody into the 
room. I think we've done another thing where we've made sure 
that we----
    Senator Blumenthal. Let me just because my time is running 
out----
    Mr. Flynn. Oh, sorry.
    Senator Blumenthal.--ask you, do you have clear limits, 
parameters, for non-negotiable and clearly defined policy on 
how much you will pay?
    Mr. Flynn. Yes, as part of new leadership coming in, we are 
in the process of reviewing and updating our policy regarding 
that right now.
    Senator Blumenthal. So you don't have them now but you're--
--
    Mr. Flynn. It's something we are working on and we've also 
brought in Matt Olsen, the former General Counsel of the 
National Security Agency, to help guide us, as well.
    Senator Blumenthal. Mr. Mickos, does HackerOne have those 
kinds of policies in place?
    Mr. Mickos. We do.
    Senator Blumenthal. Clear brackets or parameters?
    Mr. Mickos. Senator, we do have policies. We do not engage 
in extortion payouts. That's against our policies. It's not the 
business we are in.
    Senator Blumenthal. My time has expired. In deference to 
the other members of the Committee, I'm going to stay within 
the limit. I'm hoping that maybe we'll have another round.
    I would--while I'm remembering to do it, I have three 
documents I'd like to submit for the record. A written 
statement by Kathleen McGee, Chief of the Bureau of Internet 
and Technology for the New York State Office of Attorney 
General. Her statement highlights the important role of State 
Attorneys General in protecting consumers and enforcing data 
security protections.
    The second is the letter, dated February 5, 2018, from 
Representatives Schakowsky and Lujan, and the third is the 
letter, also dated February 5, from the Electronic Privacy 
Information Center.
    Senator Moran. Without objection, they'll be entered.
    [The information referred to follows:]

Prepared Statement of Kathleen McGee, Chief of the Bureau of Internet & 
       Technology, New York State Office of the Attorney General
    Chairman Moran, Ranking Member Blumenthal, and other distinguished 
Members of the Subcommittee:

    My name is Kathleen McGee, and I am the Chief of the Bureau of 
Internet & Technology at the New York State Office of the Attorney 
General, Eric T. Schneiderman. The Bureau of Internet & Technology is 
responsible for protecting New Yorkers from existing as well as new and 
developing online threats.
    I am pleased to present this prepared testimony concerning data 
breaches, which continue to victimize consumers with greater and 
greater frequency, from small local businesses to giants like Target, 
Anthem, Yahoo, Equifax, and Uber.
    In late November 2014, the New York Attorney General's Office 
opened an investigation into Uber's collection, maintenance and 
disclosure of riders' personal information amidst reports that Uber 
executives had access to riders' locations and that Uber displayed this 
information in an aerial view, known internally as ``God View.'' 
Separately, Uber notified our office that, as early as September 2014, 
it had experienced a data breach where Uber driver names and driver's 
license numbers were accessed by an unauthorized third party.
    In a settlement resolving those allegations, Uber agreed, among 
other things, to:

   Maintain and store GPS-based location information in a 
        password-protected environment, and encrypt the information 
        when in transit.

   Limit access to geo-location information to designated 
        employees with a legitimate business purpose, and enforce this 
        limitation through technical access controls, and a formal 
        authorization and approval process;

   Designate one or more employees to coordinate and supervise 
        its privacy and security program;

   Conduct annual employee training to inform employees who are 
        responsible for handling private information about Uber's data 
        security practices;

   Adopt protective technologies for the storage, access, and 
        transfer of private information, and credentials related to its 
        access, including the adoption of multi-factor authentication, 
        or similarly protective access control methodologies;

   Conduct regular assessments of the effectiveness of Uber's 
        internal controls and procedures related to the securing of 
        private information and geo-location information and the 
        implementation of updates to such controls based on those 
        assessments; and

   Maintain a separate section in its consumer-facing privacy 
        policy describing its policies regarding location information 
        collected from riders.

    Despite those commitments, reports surfaced late last year that 
Uber experienced yet another data breach affecting 57 million riders 
and drivers. Worse yet, Uber reportedly kept the data breach secret for 
more than a year after paying a $100,000 ransom.
    These deeply concerning reports led the New York Attorney General's 
Office to open an investigation into this breach and Uber's associated 
conduct. While I cannot share details from ongoing investigations, I 
can say we are getting to the bottom of this Uber breach, and that we 
take very seriously drivers' and riders' right to the protection of 
sensitive information they entrust to Uber.
    States have a central role in protecting consumers and their data. 
The New York Attorney General's Office and other State Attorneys 
General offices have been policing data breaches for nearly two 
decades. In fact, State Attorneys General frequently work 
cooperatively, in collaboration with each other and relevant Federal 
agencies, to protect consumers in this area.
    Indeed, the states have led the way on data protection for 
consumers. When the Internet was still relatively new to consumers, 
states responded with data protection and data breach laws to protect 
their residents. And as the technology has evolved over the years, 
state law has evolved with it.
    Back in 2002, when the Internet was younger and e-commerce was 
beginning to take off, California enacted the first data breach 
notification law. It proved to be a tremendous success for consumer 
protection, and New York and other states soon followed. Today, 48 
states, the District of Columbia, and U.S. territories all have data 
breach notification laws. That is the sort of innovation at the state 
level that our Federal system, at its best, promotes.
    The states have already adapted those laws as technology and 
consumers' use of it changed, and as new threats emerged. For example, 
as e-mail and other online accounts became an increasing part of 
consumers' daily lives--to make appointments, send confidential 
documents, and discuss work and personal affairs--account credentials 
became the ``keys to the castle'' for consumers' data.
    As a result, states amended their laws to add username-and-password 
combinations as a trigger for breach notification--a key state law 
innovation. This is just one of many examples. As companies 
increasingly used fingerprints to unlock devices, state laws began 
covering biometric data.
    But it is better to prevent breaches before they happen. And states 
have been equally innovative on this point: enacting legislation 
requiring companies to implement adequate data security, and updating 
such laws as technology evolves. And states have a second tool: 
consumer protection laws, which State Attorneys General use to police 
misrepresentations about data security--as with other consumer 
products, it can be unlawful for a company to make misrepresentations 
about data security to consumers.
    The New York Attorney General's office, recognizing the importance 
of this issue for consumers and the need to update New York's law, has 
proposed legislation to update New York's data security and breach 
notification laws. And, the New York Department of Financial Services--
a separate state agency with jurisdiction over New York's banking and 
insurance sectors--also has innovated in this area, implementing 
important data security regulations to protect consumers' financial 
data.
    In light of this background, I would like to make a few key points.
    First, it would be a big mistake for Congress to preempt states' 
ability to legislate and innovate in this area. The law must be able to 
keep pace with the ever-increasing rate of change in technology. States 
have proven the ability to act quickly in that regard--from both 
legislative and enforcement perspectives. In contrast, bills have been 
proposed in Congress for many years but, for one reason or another, 
enactment has proven elusive. Even if a Federal law were enacted, it 
could prove difficult to amend and would fall far behind new 
technologies that will inevitably continue to emerge. Thus, even a 
Federal law providing the most stringent protections based on current 
state requirements will leave consumers more and more vulnerable over 
time.
    Second, when it comes to enforcement, states occupy a leading role 
today and must continue to do so.
    Our office has issued data breach reports in recent years that show 
an alarming increase in data breaches. Indeed, in 2016 we received 
1,300 data breach notices--up 60 percent from the year before. This 
Committee is likely aware of the megabreaches, such as the Target 
breach involving 40 million credit card numbers and the Anthem breach 
involving over 78 million records including Social Security Numbers. In 
those instances, New York and other states used a well-established 
process to coordinate enforcement efforts against companies that 
violated consumer trust with inadequate data security. As a result, the 
states obtained not just data security reforms through injunctive 
relief but also large civil penalty recoveries that are essential to 
deterring other companies from violating consumer trust through lax 
security practices.
    Less well-known, yet equally important, are the enforcement actions 
our office takes in response to smaller breaches that occur by the 
hundreds each year in New York and other states. One recent case 
illustrates the point. A small company outside Buffalo, New York 
misconfigured a web server, which led to the disclosure of 500 
employment applications with Social Security Numbers in Google search 
results. Our office found out through a tip, contacted the company 
immediately, and got the applications removed from search results 
within days.
    Even if a Federal agency were provided with the most comprehensive 
data security law and the considerable resources needed for serious 
enforcement, it is unlikely that a Federal agency would be as 
responsive as our office and our sister State Attorneys General to 
breaches involving local businesses and relatively small numbers of 
local consumers. These breaches may be smaller than a Target or an 
Equifax or an Uber--but the victims are no less in need of law 
enforcement protection. Smaller breaches like these are the rule, not 
the exception.
    Further, with years of first-hand experience policing data security 
in our state, we know how to distinguish between breaches that a 
company should have prevented with better security versus breaches that 
could not have been avoided despite the company's reasonable security 
practices. By virtue of this experience, and our knowledge of 
conditions within our local communities and industries, we can avoid 
both underenforcement that would leave consumers unduly vulnerable and 
overenforcement that would create undue burdens on local businesses.
    For all of these reasons, I respectfully urge this body to ensure 
that any legislation it considers meets the following requirements, 
which are vital to protecting states' innovative role in consumer data 
protection:

   Any new Federal requirements should not preempt state law, 
        but instead should expressly set a floor--not a ceiling--on 
        data security standards and protocols in the event of breaches. 
        States must be able to innovate in the areas of data security 
        and breach notification and pass stronger and more up-to-date 
        laws than the Federal standard.

   As with several other Federal consumer protection laws, any 
        Federal requirements must be enforceable by State Attorneys 
        General in addition to a Federal agency, and any Federal 
        penalties or other monetary relief must be recoverable by the 
        states as well.

   To the extent any preemption language is included, beyond 
        the floor/ceiling issue discussed above, the language must be 
        drawn carefully to avoid unintended severe consequences. Some 
        preemption language can be so broad that it might be 
        interpreted to set aside state laws concerning personal privacy 
        or computer crimes, and that would be a serious problem for 
        constituents.

    These or similar provisions for joint Federal and state enforcement 
authority are already included in other Federal laws and have proven 
successful. For example, the New York Attorney General's office has 
coordinated with the FTC on several investigations into violations of 
the Federal Children's Online Privacy Protection Act, or COPPA, to stop 
invasive tracking on major child-focused websites.
    The vast majority of State Attorneys General have similarly called 
on Congress to avoid preempting state action on data security, as 
recently as 2015, when a broad bipartisan group of 45 State Attorneys 
General joined in asking Congress to oppose then-pending data security 
bills with harmful preemption provisions.
    Our office continues to enforce data security protections on behalf 
of New Yorkers and to work with New York's state lawmakers to 
continually update those protections. We appreciate your Committee's 
efforts to complement those efforts at the Federal level while ensuring 
that work at the state will continue successfully.
                                 ______
                                 
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]                               
                                 ______
                                 
                      Electronic Privacy Information Center
                                   Washington, DC, February 5, 2018

Senator John Thune, Chairman,
Senator Bill Nelson, Ranking Member,
U.S. Senate Committee on Commerce, Science, and Transportation,Russell 
            Senate Office Building, Room 253
    Washington, DC 20002
    Dear Chairman Thune and Ranking Member Nelson:
    We write to you regarding the upcoming hearing on ``Data Security 
and Bug Bounty Programs: Lessons Learned from the Uber Breach and 
Security Researchers.'' \1\ The Electronic Privacy Information Center 
(``EPIC'') supports initiatives, including payments to outside computer 
security experts, that prompt companies to fix vulnerabilities as this 
makes user data
---------------------------------------------------------------------------
    \1\ Data Security and Bug Bounty Programs: Lessons Learned from the 
Uber Breach and Security Researchers, 115th Cong. (Feb. 6, 2018), S. 
Comm. on Commerce, Science, & Transportation, https://
www.commerce.senate.gov/public/index.cfm/hearings?ID=73871FA8-29AD-
4ED5-ABB8-C86B4BE4E0A3.
---------------------------------------------------------------------------
    more secure. But Uber disguised a blackmail payment as a bug bounty 
payment and waited over a year to disclose the breach of personal data 
to authorities and to consumers. Bug bounty programs do not excuse non-
compliance with data breach notification laws.
    EPIC is a public interest research center established in 1994 to 
focus public attention on emerging privacy and civil liberties issues 
in the information age. EPIC is a leading consumer privacy advocate and 
has played a key role in developing the authority of the Federal Trade 
Commission (``FTC'') to safeguard the privacy rights of consumers.\2\ 
EPIC's complaint \3\ concerning Google Buzz provided the basis for the 
FTC investigation and subsequent settlement, and the Commission's 
settlement with Facebook also followed from a complaint filed by EPIC 
and a coalition of consumer privacy organizations.\4\
---------------------------------------------------------------------------
    \2\ See, e.g., Letter from EPIC Exec. Dir. Marc Rotenberg to FTC 
Comm'r Christine Varney (Dec. 14, 1995) (urging the FTC to investigate 
the misuse of personal information by the direct marketing industry), 
http://epic.org/privacy/internet/ftc/ftc_letter.html.
    \3\ In re Google Buzz (2011), https://epic.org/privacy/ftc/
googlebuzz/.
    \4\ In re Facebook, Inc. (2011),  https://epic.org/privacy/
inrefacebook/.
---------------------------------------------------------------------------
    Uber's privacy and security practices have been of particular 
concern to EPIC. EPIC filed a complaint \5\ with the FTC in 2015 
regarding Uber's egregious misuse of personal data. That complaint led 
to an FTC settlement \6\ with Uber in August 2017. In 2015, EPIC also 
proposed a privacy law for Uber and other ride-sharing companies.\7\
---------------------------------------------------------------------------
    \5\ EPIC Complaint to the FTC, In the Matter of Uber Technologies, 
Inc. (June 22, 2015), https://epic.org/privacy/internet/ftc/uber/
Complaint.pdf.
    \6\ Agreement Containing Consent Order FILE NO. 1523054, In the 
Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/
documents/cases/1523054_uber_technologies
_agreement.pdf.
    \7\ Marc Rotenberg and Julia Horwitz, Privacy Rules for Uber, 
HuffPost (Feb. 11, 2015), https://www.huffingtonpost.com/julia-horwitz/
privacy-rules-for-uber_b_6304824.html.
---------------------------------------------------------------------------
    It is important for this Committee not to lump in Uber's actions 
with legitimate payments to computer security experts. Bug bounty 
programs are used in both the public and private sectors to identify 
vulnerabilities. Blurring the line between bug bounties and breaches 
hurts white hat hackers who want to disclose vulnerabilities in an 
ethical way. Joe Sullivan, Uber's chief security officer (who has since 
been fired), denied that the 2016 incident was a breach and said the 
company had treated it as an authorized vulnerability disclosure.\8\ 
But e-mails between Uber and the hacker reveal more complicated 
circumstances. After Uber told the hacker that the max payout of their 
bug bounty program was $10,000, he responded that he expected at least 
$100,000 and then threatened the company.\9\
---------------------------------------------------------------------------
    \8\ Nicole Perlroth and Mike Isaac, Inside Uber's $100,000 Payment 
to a Hacker, and the Fallout, N.Y. Times (Jan. 12, 2018), https://
www.nytimes.com/2018/01/12/technology/uber-hacker-payment-
100000.html?_r=0.
    \9\ Id. (One e-mail read: ``Yes we expect at least 100,000$ I am 
sure you understand what this could've turned out to be if it was to 
get in the wrong hands, I mean you guys had private keys, private data 
stored, backups of everything, config files etc. . . . This would've 
heart [sic] the company a lot more than you think.'')
---------------------------------------------------------------------------
    Bug bounties need to be non-negotiable and clearly defined in 
company policy, otherwise companies are letting user data be held as 
ransom. $100,000 could have been an appropriate bounty for Uber to pay. 
Last month Google paid a security researcher $112,500 for an Android 
bug \10\ and Apple offers up to $200,000 for iOS and iCloud bugs.\11\ 
But the communications between Uber and the hacker make the $100,000 
payment look more like extortion than a payment for services.
---------------------------------------------------------------------------
    \10\ Charlie Osborne, Google awards researcher over $110,000 for 
Android exploit chain, ZDNet (Jan. 18, 2018), http://www.zdnet.com/
article/google-awards-researcher-over-110000-for-android-exploit-chain/
    \11\ Andrew Cunningham, Starting this fall, Apple will pay up to 
$200,000 for iOS and iCloud bugs, ArsTechnica (Aug. 4, 2016), https://
arstechnica.com/gadgets/2016/08/starting-this-fall-apple-will-pay-up-
to-200000-for-ios-and-icloud-bugs/.
---------------------------------------------------------------------------
    More critically, bug bounty programs do not exempt companies from 
data breach notification laws. Even though Uber obtained assurances 
that the downloaded data had been destroyed,\12\ it was still required 
under state laws to notify users and authorities of the data breach. 
Once Uber was aware that user data had been compromised, it had a legal 
obligation to notify those affected by the breach. Waiting over a year 
to disclose is a clear violation of state data breach notification 
laws, most of which require a company to notify affected users within 
30 or 45 days.\13\
---------------------------------------------------------------------------
    \12\ Dara Khosrowshahi, 2016 Data Security Incident (Nov. 21, 
2017), https://www.uber.com/newsroom/2016-data-incident/.
    \13\ National Conference of State Legislatures, Security Breach 
Notification Laws (Apr. 12, 2017), http://www.ncsl.org/research/
telecommunications-and-information-technology/security-breach-
notification-laws.aspx.
---------------------------------------------------------------------------
    The legal avenues for security researchers and white hat hackers to 
disclose vulnerabilities need to be more clearly defined. Most 
companies--94 percent of the Forbes Global 2000 to be exact--do not 
have a published vulnerability disclosure policy and because of this 
nearly one in four hackers have not reported a vulnerability that they 
found.\14\ This hurts users, whose information may be stolen through a 
vulnerability that went unpatched because it was never reported.
---------------------------------------------------------------------------
    \14\ HackerOne, The 2018 Hacker Report (Jan. 17, 2018), https://
www.hackerone.com/blog/2018-Hacker-Report.
---------------------------------------------------------------------------
    The 2016 Uber breach also highlights the need for reform of the 
Computer Fraud and Abuse Act (``CFAA'').\15\ Due to the CFAA, companies 
are able to give white hat hackers little assurance that they will not 
seek civil or criminal penalties if they assist the company. The law 
blurs the line between ethical and unethical hacking, leaving companies 
and hackers in legal limbo. Former Secretary of the Army, Eric Fanning, 
said ``what Hack the Pentagon validated is that there are large numbers 
of technologists and innovators who want to make a contribution to our 
nation's security, but lack a legal avenue to do so.'' \16\ Last year, 
the Department of Justice created A Framework for a Vulnerability 
Disclosure Program for Online Systems, but following this framework 
only ``substantially reducing the likelihood that such described 
activities will result in a civil or criminal violation of law under 
the Computer Fraud and Abuse Act.'' \17\ If we want white hat hackers 
to help companies and government identify vulnerabilities, we need to 
be able to give them more legal protection than they have now.
---------------------------------------------------------------------------
    \15\ See Testimony of Marc Rotenberg, Computer Virus Legislation 
Before the Subcomm. on Criminal Justice of the House Comm. on the 
Judiciary, 101st Cong., 1st Sess. 25 (November 8, 1989) reprinted in 
Marc Rotenberg, ``Computer Virus Legislation,'' Computers & Society, 
vol. 20, no. 1 (March 1990).
    \16\ HackerOne, Hack the Pentagon, https://www.hackerone.com/
resources/hack-the-pentagon.
    \17\ DOJ Cybersecurity Unit, A Framework for a Vulnerability 
Disclosure Program for Online Systems (July 2017), https://
www.justice.gov/criminal-ccips/page/file/983996/download.
---------------------------------------------------------------------------
    We ask that this letter be entered into the hearing record. We look 
forward to working with the Committee to help strengthen security 
practices that protect users.
            Sincerely,
                                            Marc Rotenberg,
                                                         President,
                                                                  EPIC.
                                          Christine Bannan,
                              Administrative Law and Policy Fellow,
                                                                  EPIC.

    Senator Blumenthal. Thanks, Mr. Chairman.
    Senator Moran. Senator Cortez-Masto.

           STATEMENT OF HON. CATHERINE CORTEZ MASTO, 
                    U.S. SENATOR FROM NEVADA

    Senator Cortez-Masto. Thank you, and thank you for this 
hearing. It is so appreciated. It's obviously fascinating but 
so needed.
    Let me start, Mr. Flynn, with you because I'm trying to 
understand this.
    So in November 2016, when you identified that data breach, 
at that time, were you engaging also in separate defensive bug 
bounty programs to help you identify security breaches?
    Mr. Flynn. Yes.
    Senator Cortez-Masto. And had HackerOne been on payroll 
already then?
    Mr. Flynn. That's correct, Senator. We had started that 
program in 2015, I believe.
    Senator Cortez-Masto. And the breach that actually 
occurred, was it somebody that was invited in as a defensive 
type of bug bounty or is this a criminal element that found a 
breach and exploited it to get money from you?
    Mr. Flynn. My understanding is these people came in not 
knowing about bug bounty programs from the get-go and it was 
our attempt to try to get them to use the program as it was 
intended.
    Senator Cortez-Masto. So it was a criminal element coming 
in to exploit and get money from you and you were trying to put 
them into a defensive bug bounty program to put them on the 
right track?
    Mr. Flynn. It's not atypical, Senator.
    Senator Cortez-Masto. To the panel, is that a normal 
process that occurs that there are some criminal elements out 
there, they identify a breach, they're there to exploit a 
company, but now we have this whole new world of bug bounty and 
we're going to try to put them on the right path here to help 
us or is it you're trying to manage somehow how much you 
literally have to pay out? Can I open that up? I'm just 
curious. This is all new to me.
    Mr. Flynn. I'm happy to answer, if you like.
    Senator Cortez-Masto. OK. Go ahead.
    Mr. Flynn. In my experience at least, it's not atypical to 
have people that come in with a report of a problem--a security 
issue--not knowing how bug bounty programs operate and not 
being familiar with the nature of the programs.
    I've seen this a number of times in my career and in many 
cases, we can steer those people into the program and behaving 
in accordance with the program's requirements.
    Senator Cortez-Masto. Don't you have concerns that they're 
a criminal element? You're going to go out after them and hold 
them accountable because if they do it to you, they're going to 
do it to somebody else?
    Mr. Flynn. Well, it's not clear that they were a criminal 
element in the beginning of the exercise until we were able to 
know more about who they were and what they were after.
    Senator Cortez-Masto. OK. And I think I'm with Senator 
Blumenthal. I'm a former Attorney General. To me, that's a 
criminal element and you want to uncover who they are and hold 
them accountable and not try to somehow put some parameters 
around them that legitimizes them, I guess, is my concern.
    Second, I'm curious about this conversation about how we 
have this perverse incentive and the whole idea of pricing.
    Who defines that? Is it the company that actually defines 
that pricing cap? How does that work?
    Ms. Moussouris. Well, you know, typically the organization 
paying will determine what price it's willing to pay. However, 
you know, we've seen a lot of failures to understand behavioral 
economics in this environment. This is not the highest bidder 
wins type of scenario.
    Senator Cortez-Masto. Right.
    Ms. Moussouris. It is also not a replacement for your in-
house labor costs to actually find and prevent these 
vulnerabilities in the first place and so when people are 
trying to pay for, you know, the work that it took to find 
vulnerability, they're missing the point. They might be able to 
actually better invest that money in more in-house resources to 
find and prevent those issues from being vulnerabilities in the 
first place.
    The prices for vulnerabilities themselves, I think, right 
now, there is definitely an uptick in the pricing for various 
bug bounty programs. As I said earlier, that logical ceiling 
has to hold below a perverse incentive level.
    Senator Cortez-Masto. So let me ask this, and I guess we're 
all trying to understand whether there needs to be Federal 
regulation or how we address this issue so that we are putting 
the security protocols in place and working with vendors or 
people out there to help us identify it but not legitimizing a 
criminal element, I guess, is my concern here.
    And so besides the pricing piece of this, I also understand 
there--I think two of you, Mr. Brookman and Mr. Mickos, you 
talked about that the Computer Fraud and Abuse Act, which was 
enacted in 1984, needs to be reformed.
    Is that a venue where we can take a look at addressing all 
of these concerns we're hearing today, as well?
    Ms. Moussouris. Absolutely. I think that, you know, 
providing safe harbor for researchers in the Computer Fraud and 
Abuse Act would go very far toward encouraging legitimate 
helpful hackers for coming forward because right now, it is a 
gray area, and especially if the scope of a program is not 
clear, they will not necessarily know whether they've 
overstepped and they might be afraid to come forward.
    So we want to encourage that. We want to provide safe 
harbor for them in the form of reforms to the Computer Fraud 
and Abuse Act because the actual act of discovering 
vulnerabilities for defense and discovering them for 
exploitation purposes, those are technically indistinguishable 
acts.
    Senator Cortez-Masto. Right.
    Ms. Moussouris. So providing that safe harbor is going to 
be important.
    Senator Cortez-Masto. OK. And I know my time is up, but 
this is a fascinating topic. So I appreciate it.
    Mr. Brookman, I didn't know if you had a comment quickly on 
any of this.
    Mr. Brookman. Yes. I would not encourage Congress to try to 
micromanage the bug bounty process. I did not testify about to 
see if they would reform, though I certainly am sympathetic to 
a lot of the issues you talked about.
    But as I stated in my oral testimony, I think the most 
important thing you can do is shift the incentives to the 
companies that do bear the costs of data security incidents, 
you know, whereas we're seeing, you know, companies, like 
Equifax, will have a stock hit and then like, you know, a year 
later, they're back to where they were. They're not bearing the 
cost of that identity theft.
    You know, some companies who are hit a lot do have good 
robust programs but you see that a lot of the top companies, I 
think, you know, systematically in the industry, you don't see 
enough of this. So the incentives need to change.
    Senator Cortez-Masto. Thank you. Thank you very much.
    Senator Moran. We're going to have a second round. Let me 
start by asking this question.
    When, if ever, is it appropriate to disclose a cyber 
security vulnerability to the public before it's fixed?
    Ms. Moussouris. So having run Microsoft Vulnerability 
Research, which was an organization within the Microsoft 
Security Response Center, designed to notify other parties of 
either vulnerabilities we found ourselves internally that 
affected third party software, and it was also a coordination 
arm that would coordinate among multiple parties, so think of 
the, you know, multiparty coordination involved with Heart 
Bleed or with the Meltdown Inspector incidents.
    There are times when a vulnerability in question affects so 
many different organizations that you may do the best you can 
to coordinate the activities of creating patches all up and 
down the supply chain but you will inevitably have to leave 
some out of the embargoed disclosure, the staged disclosure of 
these vulnerabilities, which means in the end, you will be 
doing the best you can to prepare as many organizations as 
possible, but you will end up disclosing a vulnerability before 
everyone has had a chance to either create patches or apply 
some of the patches that you've created.
    So that is one example of a legitimate circumstance where 
you would disclose ahead of a patch. Another is simply that 
there is exploitation going in the wild, a patch isn't ready, 
and you need to disclose to warn users and administrators to be 
able to mitigate and protect themselves.
    Senator Moran. Before anyone else responds, let me turn to 
Senator Blumenthal, who has to return to Armed Services.
    Senator Blumenthal.
    Senator Blumenthal. I have a classified Armed Services 
briefing or hearing that I have to return to, but I just want 
to highlight one of the comments I made at the beginning.
    Without casting aspersions personally on anybody here, I 
hope that you would agree that stronger legislative tools have 
to be given to the Federal Trade Commission. I hope that you 
will work with me on the Data Breach Accountability and 
Enforcement Act of 2017 which the Ranking Member and I have co-
sponsored.
    The FTC needs tools to adequately protect consumers and to 
prevent future damaging breaches. So that's a final request. I 
hope that you are sympathetic to it and that you will support 
efforts to move forward with those kinds of tools.
    Thank you, Mr. Chairman, and I apologize that I'm going to 
have to take off.
    Senator Moran. Thank you very much, Senator Blumenthal.
    Let me ask this question to Mr. Flynn. The Justice 
Department published a set of guidelines aimed at helping 
companies run bug bounty programs within the law. These 
guidelines included a suggestion that any firm inviting hackers 
into their systems consider imposing restrictions on a hacker 
``accessing, copying, transferring, storing, using, and 
retaining'' sensitive data.
    As of last Friday, February 1, Uber had not added such a 
clause to their Bug Bounty Program listed on the HackerOne 
website.
    Does it have plans to add a similar clause to its policy? 
If this type of clause had been included in Uber's program, how 
would a bounty request in the 2016 breach have been treated?
    Mr. Flynn. So let me first say I think it's a great point. 
We are going through that process right now of looking at our 
clauses exactly as you describe. I'm not a lawyer, so I can't 
really speak to the details of the clause itself, but I think 
it's a great suggestion, and I think I'm going to take it back 
and have a discussion about it with my team.
    And then you had another question at the end there, if I 
recall.
    Senator Moran. I just wondered how different it would have 
been in 2016 if that clause had been a matter of practice?
    Mr. Flynn. I think the answer I would imagine is, you know, 
essentially this was not a typical bug bounty situation, as I 
described, and I would say that, you know, I think there was a 
real attempt to try to get this individual to participate in 
the program, but ultimately this person was, you know, offering 
extortionist demands and so I think, you know, looking back on 
it and learning what I've learned now, I think the better 
approach would be to have a separate process once you determine 
that it's outside of the scope of the program itself and engage 
that process at that time.
    Senator Moran. Thank you very much.
    Mr. Flynn. Yes, you're welcome.
    Senator Moran. Senator Blunt.

                 STATEMENT OF HON. ROY BLUNT, 
                   U.S. SENATOR FROM MISSOURI

    Senator Blunt. So, Mr. Flynn, when Uber has somebody get 
inside their system, did I understand that that would be their 
records on where every driver drove and every rider rode and 
maybe their entire rider history? Is that the kind of thing you 
would see if you got into your system?
    Mr. Flynn. So in this case, Senator, this was a backup of a 
very specific database stored outside of our systems and the 
data that was stored there did not include the elements you 
described. It included--it had a number of records for--I think 
it was, you know, 25 million different users, but of----
    Senator Blunt. Would it have had the payment records for 
those users?
    Mr. Flynn. It had credit--sorry. Excuse me. It had--sorry. 
Let me just look here. It had the drivers' license numbers for 
600,000 of our drivers included in that data store.
    Senator Blunt. What else did it have, besides that?
    Mr. Flynn. It had--for new e-mail users, it had the names, 
e-mail addresses, and phone numbers of those users. For some of 
the users, it had Salton and Hash passwords. It didn't include 
some of the things you described, trip location history, credit 
card information, bank account numbers, plain text passwords, 
social security numbers, or birth dates. Those were not 
included in the data.
    Senator Blunt. And what have you done since then to secure 
that data in a better way?
    Mr. Flynn. Well, within 24 hours of learning about this 
incident back in 2016, we took a number of important steps: the 
first of which was, you know,--so just describing the attack 
briefly, the attacker got into an external GitHub repository, 
which had some of our source code, by using a password of one 
of the users that was in the system.
    We rotated all the passwords. We implemented multi-
factorial authentication on the system. The attacker also took 
advantage of finding keys in the code base that was stored in 
that infrastructure. We rotated all the keys and actually put 
them in a secure storage system, as well, and, finally, the 
keys that the attacker was able to glean from that code 
repository was then able, in turn, to be used against our 
Amazon S3 external infrastructure.
    We also rotated the keys, put them in a secure storage 
location, and we put IP-based restrictions on those keys so 
that they couldn't be used to access that data going forward.
    Senator Blunt. For those of you who worked to find flaws in 
the system or protect a system, what kind of lessons would be 
learned there from the ability to get to that information?
    Mr. Mickos, is that what you do?
    Mr. Mickos. Yes, Senator Blunt, we are a platform that 
connects the hackers to the companies. We do not look for 
vulnerabilities ourselves or fix them, if that was your 
question.
    Senator Blunt. Yes. So you do not do that. Do you provide 
the platform?
    Mr. Mickos. We provide the platform and, if you will, the 
marketplace between the two and we provide a trusted place 
where hackers can trust that they will be well treated by the 
customers, the companies, or government organizations, and they 
in turn can trust that they know who they're dealing with on 
the hacker side. That is our business.
    Senator Blunt. And I'm assuming your name is not Missouri?
    Mr. Mickos. No. My name is Mickos.
    Senator Blunt. No. Yours is Mickos. What is your last name?
    Ms. Moussouris. My last name is pronounced Moussouris or at 
least that's how I've----
    Senator Blunt. I was close.
    Ms. Moussouris.--chose to mispronounce it.
    Senator Blunt. I was pretty close. Half of the people where 
I live call our state Missoura and half call it Missouri and--
--
    Ms. Moussouris. You miss----
    Senator Blunt.--you could easily mistake your name.
    Now what--from your company perspective, what lessons 
should we learn there?
    Ms. Moussouris. Well, my company actually does help 
organizations look at their overall defensive picture and helps 
them figure out the best way to work with the hacker community 
but actually looks at their business goals when it comes to 
security.
    So in terms of the trusted advisorship, when we look at 
their capabilities, we look at whether or not they're actually 
actively investing internally on some operational security 
basics, such as what would have prevented, you know, this type 
of breach where keys and credentials were available.
    There's a lot you can do in terms of low-risk internal 
investments in terms of security, which have been documented 
by, you know, lots of organizations over the past 25 years of 
developing information security best practices.
    So we don't just advise on how to start a bug bounty. It's 
really about looking at the overall picture, looking at where 
your investments are, and determining is it actually a place 
where you can invest further on your internal staff, further in 
terms of operational security, and then prepare the mechanisms 
such that you can receive vulnerability reports from the 
outside, whether it's from a hacker or from one of your 
suppliers.
    I mean, this really could be from anywhere. It could even 
be from the Federal Government letting you know that you have a 
vulnerability. So it's building capacity.
    Senator Blunt. And, Mr. Brookman, is there a growing 
concern about how much information is out there and how many 
people seem to be able to get their hands on it?
    Mr. Brookman. Yes, certainly. I mean, as I testified, data 
breaches are commonplace for people. Companies don't have 
sufficient incentives. I mean, we've seen in so many of these 
hacks and there are things that maybe, you know, it's easy to 
play Monday morning quarterback, but things that were easily 
remediable.
    In this case, hard coding AWS of credentials in GitHub is 
an incredibly common practice, one that Uber had been caught 
doing before. It was a private account but still generally 
considered not to be best practice.
    Equifax case, updating the website to address the publicly 
known vulnerability. Even the companies that are trying to do 
it right get it wrong and there's just not enough incentive for 
companies to try to get it right.
    Senator Blunt. Thank you, Chairman.
    Senator Moran. Thank you, Senator Blunt.
    Senator Cortez-Masto.
    Senator Cortez-Masto. Thank you. I have one final question.
    Small businesses, you know, in Nevada, there are probably 
almost 240,000 of them. The conversation I have with them all 
the time is their cyber security and they just don't have the 
resources to really address this issue and are oftentimes 
victims.
    Any thoughts on what can be done to help our small 
businesses and give them the tools they need to protect their 
cyber security? And I would just open it up to whoever. Mr. 
Mickos, Ms. Moussouris.
    Mr. Mickos. Yes, Senator Cortez-Masto.
    Senator Cortez-Masto. Yes, please.
    Mr. Mickos. As I said in my opening statement, we believe, 
as DOJ and others, that a vulnerability disclosure program is 
useful for anybody. This is what then Secretary of Defense Ash 
Carter said. ``If you see something, say something,'' meaning 
every company with software that contains valuable consumer 
data, they need to have an ability to receive input from the 
outside world because there's so much good intent among 
security researchers and hackers on the outside.
    And I would recommend you to read this report, the 2018 
Hacker Report where we go through the hackers and what 
motivates and how they work.
    So back to your small businesses, if they will have a way 
of receiving vulnerability reports and taking action, they will 
all successively get more and more secure.
    Now to be a little bit more specific, many of them, of 
course, don't have IT staff. They are working with a third-
party provider where they run their website or mobile 
application. That provider has a very important responsibility 
in doing the same.
    Senator Cortez-Masto. OK. Thank you.
    Ms. Moussouris. So I would say that, first and foremost, 
the small businesses need to run some of these freely available 
tools on their own infrastructure before they invite external 
parties in to do so.
    Doing so first is just part of their own preventative 
mechanisms. That will give them a decent picture before they 
operationalize what I very strongly support, which is having 
vulnerability disclosure programs, but you need to be able to 
take care of the bugs you already know about yourself first.
    The fact of the matter is, it's not just small businesses 
that have a problem dealing with vulnerabilities they already 
know about. There's been a doubling in the common 
vulnerabilities and enumeration where the CDE count, the 
overall bug count, that have been reported.
    There was a doubling last year of reported vulnerabilities. 
There is a bug fatigue that is plaguing organizations and 
governments all over the world and it is not just small 
businesses.
    So we have an operational problem and I think that 
preventative measures and looking internally first, growing 
those capabilities, and then looking to outside help is the way 
to go.
    Senator Cortez-Masto. Thank you.
    Mr. Brookman. I just had a couple thoughts. This is 
fantastic question. I mean, when you look at, you know, 
companies, like Uber, who have invest in the best and the 
brightest, even they have problems.
    I think a few words of advice. One, practice data 
minimization. I mean don't connect stuff you don't need to be 
connected. Don't collect data you don't need, get rid of all 
data. A general recognition to try to update everything. I 
mean, you rely on vendors, non-updated software is one of the 
biggest problems in this space.
    The FTC has some really good resources on this with their 
Start with Security series, which I know you contributed to. 
It's really fantastic guidance for small businesses in this 
area, so I would point people to that.
    Senator Cortez-Masto. Thank you. Thank you very much. I 
appreciate the panel and the discussion today.
    Senator Moran. Senator, thank you very much.
    Let me ask a final question and then we'll conclude this 
hearing.
    You're all aware likely that 48 states have different data 
security breach notification laws. This patchwork creates a 
different standard, depending on where you are, and many 
companies, as we know, operate outside of a state and they 
contract with people who are in different places to do their 
security work.
    Anyone have any thoughts about Federal preemption 
legislative solution in regard to notification so that there's 
greater clarity and certainty for a company in their 
obligations?
    Mr. Flynn. Senator, if you might, if you don't mind, as a 
defender and having dedicated my life to protecting customer 
data and implementing security engineering defense, I would say 
that it is something I would very much support personally 
because I do believe it's very hard for companies to contend 
with this patchwork of notification regulations throughout the 
United States.
    So, Senator, a short statement, but I believe very much 
that this is the right approach and I'd love to work with you 
on it, if I can.
    Senator Moran. Thank you.
    Mr. Mickos. Mr. Chairman, as I said in my opening 
statement, we're in support of this. I would love to work with 
you on the details of such legislation.
    Senator Moran. Thank you.
    Mr. Brookman. I would say I have significant reservations 
about that. I mean, if the approach of a Federal bill is just 
to make it simpler to have a data breach incident, then that, 
you know, decreases an incentive and decreases their costs and 
I think could lead to actually a worse security environment.
    I would encourage any statute to allow states to actually 
pass new bills, especially for information that's not covered.
    In my opening statement, I mentioned e-mail accounts, photo 
storage accounts, not originally in data breach notification 
bills, but over time people have recognized, well, there's some 
really sensitive stuff in there. If my iCloud gets hacked, I 
should be told about it. I would not want to see a Federal bill 
say, OK, here are the 18 elements that you need to be notified 
for and then prevent the states from over time changing that.
    I mean, we can discuss other ways to update it over time, 
give the FTC the ability to nullify the definitions, but I'd be 
very nervous about freezing that in time with Federal 
legislation.
    Ms. Moussouris. And I would say that, you know, I look 
forward to helping to contribute to make sure that any kind of 
legislation that normalizes data breach laws takes into account 
that we don't want to create an environment where organizations 
are incentivized not to know and not to detect, to avoid data 
breach laws.
    We don't want to swing the pendulum backwards and so I look 
forward to working with you as this goes forward to not create 
some of those unintended consequences of over-legislation.
    Senator Moran. We welcome all of you on working with us, 
but especially intending to avoid unintended consequences.
    Is there any witness who would like to add anything to the 
record before I close it out? Anyone have something they'd like 
to make certain is said before we conclude the hearing?
    [No response.]
    Senator Moran. Thank you very much.
    Then the hearing record will remain open for two weeks. 
During this time, Senators are asked to submit any questions 
for the record. Upon receipt, the witnesses are requested to 
submit their written answers to the Committee as soon as 
possible.
    This concludes our hearing today, and I'm very grateful to 
our witnesses.
    We are adjourned.
    [Whereupon, at 4:10 p.m., the hearing was adjourned.]

                            A P P E N D I X

    Response to Written Questions Submitted by Hon. Jerry Moran to 
                               John Flynn
    Question 1. What separates a good faith researcher from a malicious 
actor? What's to stop a criminal from posing as a researcher? How can 
companies or vendors tell the difference?
    Answer. A good faith researcher investigates and discloses 
vulnerabilities in an ethical manner consistent with the prescribed 
terms of the bug bounty program. Good faith researchers are generally 
cooperative throughout the bounty process and willing to abide by the 
program's rules. Although it may not always be apparent what someone's 
intentions are or whether a criminal actor is posing as a white hat 
researcher, certain conduct should raise a red flag. Anyone who in bad 
faith strays beyond the bounds of the bug bounty program by engaging in 
behavior such as maliciously compromising user data, making threats, or 
making extortionate demands should not be considered a good faith 
researcher.

    Question 2. What is the role of bug bounty programs when faced with 
extortion attempts?
    Answer. Bug bounty programs are designed for good faith 
researchers, not extortionists.

    Question 3. As you have acknowledged, the hackers involved in the 
2016 breach of your company did obtain data of your users. As it 
relates to Uber's specific bug bounty program, how often is data 
actually obtained by the hacker that is disclosing a vulnerability to 
your company? Was the sheer number of exposed and obtained records in 
the 2016 case unusual compared to other vulnerability disclosure cases 
your company had witnessed through the bug bounty program?
    Answer. Most often researchers will use test accounts or access 
their own data when researching vulnerabilities. If the researcher 
comes in contact with user data while acting in good faith, the access 
should be limited to the minimum amount needed to identify and report 
the vulnerability. We agree that the 2016 incident was unusual compared 
to other vulnerability disclosure cases witnessed by Uber in terms of 
sheer number of records.

    Question 4. HackerOne's 2018 Hacker Report and a 2016 study 
conducted by the National Telecommunications and Information 
Administration (NTIA) both indicated that profit is a relatively 
limited motivation among hackers participating in coordinated 
vulnerability disclosure programs. Given the panel's experience with 
professionals in this field, could you please further describe the 
predominant motivators.
    Answer. Historically, before there were bounty programs, 
researchers would report vulnerabilities as a way to build their 
reputation in the security community and among their peers. Even today 
this is the biggest motivator and can open doors for researchers, such 
as being offered jobs to work for the companies whose vulnerabilities 
they uncovered.

    Question 5. Would you agree that it is absolutely critical for 
companies to administer any vulnerability disclosure program 
responsibly based on sound principles (such as those included in DOJ's 
2017 guidelines) as it has obvious impacts on industrywide use of these 
types of programs that are proven to protect consumers?
    Answer. Yes. Bug bounty programs are critical for many large 
companies to detect security issues, and the programs should be 
designed and managed responsibly so that they can continue to be an 
important security tool. The DOJ's 2017 framework is a good starting 
point. It is not prescriptive, but rather outlines a process that 
companies considering bug bounty programs can follow to clearly define 
for researchers what the company considers to be authorized 
vulnerability disclosure and discovery conduct.

    Question 6. Did Uber have a predetermined maximum bounty amount for 
its bug bounty program? If so, what was the maximum amount?
    Answer. Uber's Bug Bounty program at HackerOne has a published 
maximum payment of $10,000, see https://hackerone.com/uber, but the 
actual amount of any payment under the program is up to Uber in its 
sole discretion, see https://www.uber.com/legal/other/
bugbountyprogramterms/ (``Bounty payouts, if any, will be determined by 
Uber in its sole discretion.'').

    Question 7. Mr. Mickos's testimony stated that the Computer Fraud 
and Abuse Act is in need of modernization to prevent liability of 
hackers acting in good faith in identifying vulnerabilities to protect 
consumers. Do you have any specific recommendations related to 
modernizing the law?
    Answer. Other panel participants are closer to these issues, but we 
at Uber understand that those speaking on behalf of good faith security 
researchers would like to see more clarity that when conduct complies 
with the terms of a bug bounty program, it is not ``unauthorized'' 
access under the Computer Fraud and Abuse Act.

    Question 8. Following an inquiry that I sent along with Chairman 
Thune and our colleagues from Senate Finance Committee, Uber responded 
with a letter on December 11, 2017, describing the 2016 breach and the 
ensuing actions taken by the company. The letter described the payment 
of $100,000 to the two individual hackers responsible for the breach 
and stated, ``It thereafter engaged in further communications with the 
two individuals using their real identities, including having them sign 
assurances that the data was destroyed.'' For the sake of clarity, was 
the $100,000 paid to the two individuals prior to their real identities 
being known?
    Answer. As I explained in my written testimony, I was not part of 
the ``attribution'' team--the team that determined the two individuals' 
real identities. I was aware that the process of paying them was part 
of the process of determining their identities, but I am not sure if 
their identities were confirmed prior to or after the moment the 
payment was made.

    Question 9. Please describe to the greatest extent possible the 
``assurances'' that were made to Uber's ``attribution team'' that the 
stolen data had been eliminated. Were signed documents the sole source 
of assurance?
    Answer. It is my understanding that the attribution team obtained 
various sources of information about the destruction of the data, in 
addition to the signed documents and in person meetings.

    Question 10. Please describe the measures Uber has taken to confirm 
these assurances and monitor the affected accounts for additional fraud 
protection.
    Answer. We have seen no evidence of fraud or misuse tied to this 
incident. That being said, we have identified the 57 million affected 
accounts in our systems, and have tagged them for a heightened level of 
fraud protection. Specifically, we have created new fraud ``rules'' 
that will surface any unusual activity on the accounts going forward. 
Uber already looks at many signals like location or device ID, in 
addition to e-mail address and password, to authorize logins to Uber 
user accounts. Additionally, we automatically send users a second 
factor authentication request such an SMS or e-mail if we detect a 
high-risk login attempt.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Brian Schatz to 
                               John Flynn
    Question 1. Uber has argued repeatedly that it is a tech platform, 
rather than a transportation company. By using this characterization, 
the company is able to avoid certain local and Federal regulations that 
protect consumer safety and worker rights. But last year, Uber made a 
deal to purchase and deploy 24,000 autonomous vehicles from Volvo. Is 
Uber a transportation company or a tech platform company? For 
cybersecurity, whose rules and standards does Uber follow at the 
Federal level?
    Answer. Uber is a technology company and not a transportation 
company. It is a technology company that strives to make a difference 
in the lives of people in the real world, starting--for now--with 
improving how transportation resources are utilized by matching drivers 
with riders (the Uber app), shippers with haulers (Uber Freight), and 
consumers with restaurants and restaurants with delivery partners (Uber 
Eats). Uber's technology creates and standardizes markets that 
efficiently connect otherwise unmatched supply and demand, but Uber 
itself is not a participant in the market.
    At the Federal level, the Federal Trade Commission regulates data 
security for consumer-facing technology services through Section 5 of 
the FTC Act. In addition, some specific aspects of Uber's services are 
subject to applicable sector-specific laws, such as HIPAA.

    Question 2. In your written testimony, you state that Uber is 
``working to make transparency and honesty core values of [the] 
company.'' What specifically has Uber done to increase transparency and 
make honesty part of its core values?
    Answer. Uber has taken several steps to ensure that transparency 
and honesty are core values of the company. First, Uber created a 
robust Integrity Helpline for its employees to report concerns. Second, 
Uber has also embraced all of the recommendations presented to it by 
former U.S. Attorney General Eric Holder regarding improving Uber's 
workplace culture. Third, it is devoting resources to improve and 
expand its Compliance team. Fourth, it has installed additional safety 
features for riders and drivers in its app. Finally, Uber now gives 
victims pursuing individual sex assault or sex harassment claims the 
choice to litigate their claims in court or arbitration.
    Uber is not perfect, but it is deeply committed to being better and 
to doing the right thing, and it will continue to engage in the self-
reflection and change that are essential to getting where it wants to 
go as a company.

    Question 3. What percentage of Uber's annual revenue and workforce 
are dedicated to minimizing the risk of future data breaches outside of 
a bug bounty program? What were those percentages before the 2016 data 
breach?
    Answer. Uber has long devoted substantial resources to minimizing 
the risk of data breaches, separate and apart from its bug bounty 
program. Some of these other efforts were noted in Uber CISO John 
Flynn's written testimony to the Subcommittee, which explained at page 
2 that bug bounty programs are just one part of a comprehensive data 
security program. Uber's internal work efforts to minimize the risk of 
data breaches is, in many respects, part and parcel of other aspects of 
quality code development since minimizing vulnerabilities is a 
component of writing high-quality code, and it is also a part of 
broader security efforts relating to all aspects of security including 
physical security as well as data security. As a result, it is 
difficult to quantify the percentage of Uber's annual revenue and 
workforce ``dedicated to minimizing the risk of future data breaches 
outside of a bug bounty program,'' and that is not a metric that Uber 
keeps in the ordinary course.

    Question 4. Other than the 2016 data breach, how many other 
incidents has Uber experienced where cyber intruders extorted the 
company?
    Answer. The team at the company that handles cybersecurity threats 
is not aware of any other incidents in which a cyber intruder extorted 
the company.

    Question 5. What exactly did Uber get in exchange for paying the 
extortionists $100,000 through HackerOne? Did Uber confirm that the 
data was deleted? How did Uber make this confirmation?
    Answer. Uber paid the outside actors $100,000 in exchange for their 
agreement to delete the data they had downloaded and their written and 
oral assurances that they had destroyed and would not use or 
disseminate that data. The process of making the payment also helped to 
determine the real identities of the outside actors, which enabled Uber 
to engage in further communications with them regarding technical 
details of how they had deleted the data. Uber has seen no evidence 
that the data downloaded by the outside actors has been disseminated or 
used, or any evidence of fraud or misuse tied to this incident, since 
the incident occurred over a year ago.

    Question 6. What policy changes has Uber enacted in response to the 
2016 data breach?
    Answer. Uber has taken several steps in response to the 2016 data 
breach. At the time of the incident, Uber determined the means of 
access, shut down the credential used by the outside actors, and took 
other steps intended to confirm that the outside actors had destroyed 
and would not use or further disseminate Uber's data. Uber also imposed 
technical security measures designed to prevent a similar incident from 
occurring in the future, as described on page 6 of Uber CISO John 
Flynn's written testimony to the Subcommittee; these technical 
improvements are now a part of Uber's baseline security posture. 
Additionally, Uber has made a number of policy changes since the 
incident including the following:

   Uber adopted specific written policies to establish baseline 
        security measures that are required for use of Amazon Web 
        Services and S3.

   Uber revised its Bug Bounty program terms, specifically to 
        provide more detailed information about what type of conduct is 
        not good faith conduct and what the limits are on accessing 
        user data.

   Uber is revising its incident response plans.

    Question 7. Does Uber have an internal whistleblower program? How 
is it managed?
    Answer. Uber's Integrity Helpline is available to all employees for 
reporting concerns. Employees may report their concerns to the Helpline 
via website or telephone in their language of choice. The Integrity 
Helpline is hosted by an independent third-party to ensure the 
anonymity of the reporter, if desired by the reporter, and is 
maintained by Uber's Global Compliance team. Upon filing a report, the 
reporting employee will be provided with an access code to use so that 
she or he can contact the Integrity Helpline to track her or his 
report. Once a report is filed, it is sent to the relevant Uber team 
for review and investigation, and appropriate action will be taken for 
substantiated reports.

    Question 8. In March 2015, Vice News reported that stolen Uber 
accounts were being sold on the dark web for $1, although Uber claimed 
that there was no data breach at the time. To Uber's knowledge, how was 
this account data stolen? How many data breaches have been occurred at 
the company? Does Uber keep an estimate of how many stolen accounts are 
sold on the dark web? What is the current estimate? How many complaints 
does Uber get from customers per month about stolen accounts?
    Answer. As indicated in the original Vice article that we believe 
is referenced by the question (https://motherboard.vice.com/en_us/
article/z4mk7j/stolen-uber-customer-accounts-are-for-sale-on-the-dark-
web-for-1), Uber found no indications that it suffered a data breach. 
Indeed, the article itself merely claimed that it found Uber account 
login information available for sale, but acknowledged that while 
``[t]hese logins may indicated that Uber's security was hacked or 
compromised somehow . . . [i]t also might mean that these customers 
were breached individually by other means, and their Uber credentials 
harvested and put up for sale.'' (Emphasis added).
    Given that Uber found no evidence of a data breach that could have 
led to the login information for these accounts being stolen, it has no 
non-speculative information about how the information was obtained. As 
one possibility, when people choose to use the same or very similar 
login credentials for multiple online or app accounts, or simply use 
easy-to-guess passwords, third parties can sometimes determine those 
credentials. These types of ``account takeovers'' are a common problem 
across all online services, Uber as well as others. Uber addresses the 
issue as described in the response to the next question, below.

    Question 9. How does Uber address stolen accounts? Please walk 
through the experience that a typical customer would go through when he 
or she notices suspicious account activity. How does a customer resolve 
issues with a stolen account if the thief has changed the e-mail 
address or phone number associated with the account? How effective is 
Uber at resolving customers' complaints about stolen accounts.
    Answer. Uber takes reports of fraud very seriously, regardless of 
their root cause. In the United States, when Uber detects a suspicious 
login to an account, even if the user has not notified Uber of 
concerns, Uber sends a second-factor authentication request to the user 
to help stop and prevent the incorrect person from accessing the 
account. When a rider notifies Uber about suspicions that his or her 
account has been stolen or taken over, Uber's customer support 
representatives: (1) will look for signs that the account has been 
compromised, (2) secure the account by rotating the user password and 
forcing two-factor authentication, (3) restore the account (i.e., 
reverse any changes made to the user's e-mail, phone number, etc.), (4) 
refund the affected rides, and (5) advise the user about the risks of 
password re-use. The process for drivers is similar, except drivers 
must verify that their payment information is correct before Uber 
unlocks their account.

    Question 10. Uber recently signed onto the Shared Mobility 
Principles for Livable Cities--one of these principles is in support of 
open data. But, citing user privacy issues, Uber has not always been 
successful in sharing data with local planning officials. User privacy 
is important, but so is sharing data with cities. How exactly will Uber 
now prioritize meaningful data sharing with state and local 
governments? Where is the sweet spot between user privacy and providing 
data to city planners and other government officials?
    Answer. Uber is committed to building replicable models for sharing 
insights with city planners and other government officials. Last year, 
we launched Uber Movement, a free and public website using Uber's data 
to help cities address some of the challenges they face day to day. We 
engaged with city leaders, urban planners and civic community 
stakeholders around the world to validate our assumptions to develop 
and design Movement. Right now, Movement is optimized to look at macro 
trends in a city to accommodate specific urban use cases--traffic 
analysis and demand modeling and also understanding the impacts of 
different infrastructure investments and changes to the built 
environment--road closures, bridge closures, etc.
    Additionally, we're working with the non-profit SharedStreets to 
create new methods for public-private collaboration and data sharing 
that respect the need for rider and driver privacy as well as the 
competitive landscape of the industry. We're starting with a pilot in 
Washington, D.C., and are working with the District Department of 
Transportation, Department of For Hire Vehicles, and SharedStreets to 
share data on curb usage across multiple modes of transportation. 
Better understanding curb utilization can help cities around the world 
prepare for a future where more and more of us are accessing 
transportation through a combination of shared modes, rather than 
relying on our own vehicles. We're looking forward to building on what 
we learn from working with DC to support data partnerships in other 
cities using SharedStreets data standards.
    Earlier this year, we also announced the Cincinnati Mobility Lab, a 
first-of-its kind multi-year partnership with the City of Cincinnati to 
explore different mobility issues. Through this partnership, we're 
sharing insights that look at how to improve the problem of curb 
congestion, to commuting challenges, to working to develop a strategy 
for the future of the City's public transit service--one that is 
seamlessly integrated with other ways of getting around the City.

    Question 11. Uber often touts the potential for transportation 
network companies to complement public transit by providing the last-
mile service. Does Uber currently provide those services to riders with 
small children who require car seats or does it require customers to 
provide appropriate safety equipment? Does Uber currently provide those 
services to riders with a disability or limited mobility? Does Uber 
currently provide those services to older adults or persons with 
limited technology proficiency? What accommodations does the company 
make for those groups? Does Uber levy additional charges on those 
riders?
    Answer. Riders and drivers using the Uber app are expected to 
follow local laws when it comes to transporting infants and small 
children. In certain locations, for an additional fee, people who ride 
on the Uber app can request a vehicle equipped with a car seat. The 
seat is forward-facing and for children who are at least 12 months old, 
22 lbs, and 31 inches tall. Additional details about the car seat 
offering can be found here. People who ride also have the option to 
bring their own seats for installation in Uber. However, it is up to 
the person driving to accept the trip and they may cancel the trip if 
they so choose.
    Uber works hard to understand the needs of elderly riders and 
riders with disabilities. For example, the uberASSIST option in the 
Uber app is designed to network riders who would like a helping hand 
with drivers who have chosen to obtain training from a third-party 
organization on how to provide additional assistance. In addition, we 
developed the Uber Central dashboard to allow senior centers and other 
organizations to call rides for senior riders who may not have access 
to a smartphone. Finally, the ``Request for a Guest'' feature allows 
Uber users to seamlessly request a ride for their loved ones right from 
the Uber app. The senior receives a text message with the vehicle 
information and the driver's phone number so they can communicate 
directly with them.
    Additionally, the Uber app is compatible with various accessibility 
technologies, including VoiceOver, TalkBack, and wireless braille 
(depending on hardware and operating system) that can help provide a 
safe and reliable transportation option for the blind and low-vision 
community. In addition, by providing visible and vibrating alerts as 
well as GPS navigation, Uber has provided economic opportunities for 
drivers who are deaf and hard of hearing. Both the Uber Rider and 
Driver apps are monitored and tested regularly by internal resources 
and by a third-party provider of Accessibility testing and monitoring. 
You can read more about our Accessibility efforts on our website here: 
https://accessibility.uber.com/.
    All driver-partners are expected to accommodate riders using 
walkers, canes, folding wheelchairs, service animals, or other 
assistive devices to the maximum extent possible. Where available, 
UberWAV lets riders who use non-folding, motorized wheelchairs to 
connect with drivers in wheelchair accessible vehicles that are 
equipped with ramps or lifts.

    Question 12. When providing the last-mile service, how does Uber 
ensure that cars are available in all areas of a city at all times? How 
does Uber provide access to riders with limited or no access to the 
Uber app?
    Answer. By design, our app aims to make efficient and reliable 
transportation a possibility for everyone, everywhere. Our technology 
automatically and efficiently matches riders' requests with nearby 
drivers, and real time dynamic pricing ensures that the supply of cars 
can meet the demand from passengers. As Uber has grown, more people in 
more parts of cities have been able to push a button and get a ride. 
Over time, wait times have decreased significantly across more parts of 
cities, including parts that other means of transportation cannot 
reach. In Los Angeles, a metro area that covers 100 square miles, the 
average ride is less than 10 minutes away, and in New York's outer-
boroughs, riders are just as likely to get picked up as if they were in 
downtown Manhattan. In fact, a majority of our trips in New York now 
start outside Manhattan and 52 percent don't start or end in the 
central business district.
    As mentioned in our response to Question 11, the Uber Central 
dashboard allows organizations, like senior centers or transit 
agencies, to call rides for riders who may not have access to a 
smartphone. Additionally, the ``Request for a Guest'' feature allows 
Uber users to seamlessly request a ride for their loved ones right from 
the Uber app. The senior receives a text message with the vehicle 
information and the driver's phone number so they can communicate 
directly with them.

    Question 13. Uber recently signed onto a letter with the Service 
Employees International Union supporting portable benefits. What 
benefits is Uber planning provide to its drivers? Will they be offered 
nationwide?
    Answer. Uber's joint letter with the SEIU and Civic Venture 
Partners is about working together on the creation of a portable 
benefits system in Washington state. We are working with our partners, 
the business community and labor to make progress on this important 
policy goal with a view to determining policy and regulatory frameworks 
over the course of 2018 and developing legislation for introduction in 
2019. We would be eager to provide your staff updates as this effort 
progresses.
    While we continue our work in Washington state, we are working to 
provide additional benefits to our drivers nationwide. For example, we 
believe that at a basic level everyone should have the option to 
protect themselves and their loved ones against rare and unforeseen 
work accidents that prevent them from earning a living. That is why 
Uber, with Aon, now enables drivers to access a driver injury 
protection program for a few cents per mile directly through the Uber 
app. This product provides Uber driver-partners the option to obtain 
coverage for medical expenses, disability payments and a survivors 
benefit resulting from a covered accident. Drivers who elect to enroll 
are protected for injuries while online, en route and on-trip in 
connection with the Uber app; however the premium of a few cents per 
mile is calculated and charged only for miles travelled while on-trip.
    While the Driver Injury Protection insurance offered to Uber's 
driver-partners is first-of-its-kind, it is the latest example of 
benefits designed primarily for independent workers. In the US, Uber's 
partnership with Betterment enables drivers to contribute to their 
retirement savings, while 150,000 drivers have been able to navigate 
the healthcare market through Stride Health.
    Drivers can also file their taxes and claim returns through our 
partnerships with Stride, TurboTax and H&R Block, cash out their 
earnings instantly with Instant Pay, and receive discounts on fuel and 
other operational expenses.

    Question 14. Uber has repeatedly admitted to underpaying its 
drivers. What oversight has Uber put in place to ensure that this does 
not happen again?
    Answer. We have made an effort to regain drivers' trust by owning 
up to our mistakes and improving the driver experience from end-to-end. 
In particular, we have made many improvements for drivers designed to 
make their earnings easier to understand and access, including:

   Easier to understand rates--Drivers see the exact rates they 
        earn for every minute and every mile they drive. Previously, 
        drivers needed to deduct Uber's service fee from their rates to 
        determine their earnings. Now, no math is required. Drivers 
        will always know exactly what they'll earn.

   Clearer in-app earnings pages--In response to driver 
        requests for more clarity in our earnings calculations, we have 
        updated our trip receipts. Drivers now see a clear breakdown of 
        how their trip earnings were calculated, as well as additional 
        fare details, including what the rider paid and Uber's service 
        fee.

   Faster fare receipts--Drivers tell us seeing what they earn 
        in real-time is important. We have committed to a goal of 
        having earnings details available in the app within 15 seconds 
        after a trip ends.

   Cash out more earnings, anytime--With InstantPay, drivers 
        are able to cash out their earnings (including promotions) 
        instantly up to five times a day. We've made promotions 
        available for immediate cash out through Instant Pay.

    Additionally, we have defined new policies and controls designed to 
help ensure drivers earn what they are owed for every trip. We also 
have a dedicated, cross-functional oversight group tasked with 
reviewing and approving all pricing and service fee changes.

    Question 15. Uber has committed to changing its workplace culture 
to address discrimination and sexual harassment concerns. What policy 
changes have been enacted for full-time, permanent employees of Uber? 
What policy changes have been enacted for drivers of Uber?
    Answer. Uber is not immune from the global epidemic of sexual 
violence, which affects nearly one in three women worldwide, and we 
want to be a big part of the solution. That's why we've committed to 
making important changes. Over the last year, we've met with 80+ 
women's groups and have been working closely with advocates and experts 
from sexual assault organizations to listen and incorporate feedback 
about how we can make a difference.
    Experts tell us that one of the best ways to prevent sexual 
harassment incidents is through education and awareness. That's why 
we've committed $5 million to support prevention initiatives, and have 
been partnering with leading organizations in this space to educate our 
employees, riders and drivers with important information on this topic.
    We recently made important changes to give victims of sexual 
assault and sexual harassment more choices, ensure they have the option 
to share their story, and raise the bar on transparency:

   First, Uber no longer requires mandatory arbitration for 
        individual claims of sexual assault or sexual harassment by 
        Uber riders, drivers or employees. We believe the survivor 
        should choose their venue of redress for their individual 
        claims, whether that's in court or arbitration.

   Second, survivors now have the option to settle their claims 
        with Uber without a confidentiality provision that prevents 
        them from speaking about the facts of the sexual assault or 
        sexual harassment they suffered. The decision to talk about 
        what happened should rest with the survivor, not Uber, and 
        supporting that choice will help end the culture of silence 
        that surrounds sexual violence.

   Third, we committed to publishing a safety transparency 
        report that will include data on sexual assaults and other 
        incidents that occur on the Uber platform. We are the first 
        ridesharing company in the world to make this commitment.

    In addition, we believe that sexual assault awareness should 
permeate every level in our company. That's why we have begun educating 
employees--starting with our executive leadership team, who receive 
training on sexual assault and sexual harassment prevention hosted by 
experts from the National Alliance to End Sexual Violence and the 
National Network to End Domestic Violence, and we'll continue to do 
more. We have a robust HR team and systems equipped to handle and 
manage a myriad of employee matters, and we have an anonymous hotline 
where anyone can bring their workplace issues. Our Employee Relations 
team, solely dedicated to investigating and addressing employee issues, 
has been strengthened. We've also taken the following steps to improve 
our culture: performance review system, compensation review, manager 
trainings, Executive Education, $3M diversity fund, improved hiring 
practices to promote diversity & inclusion. Additionally, we 
implemented a comprehensive equal pay analysis and have ensured 
aggregate pay equity between women and men, and between all racial 
groups.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Jerry Moran to 
                            Marten G. Mickos
    Question 1. What separates a good faith researcher from a malicious 
actor? What's to stop a criminal from posing as a researcher? How can 
companies or vendors tell the difference?
    Answer. Intent is what separates a good faith security researcher 
from a malicious actor. Researchers that are reporting vulnerabilities 
through lawful channels are doing so with the intent that the 
vulnerability report be delivered to the owner of the system for the 
bug to be resolved.
    Vulnerability disclosure and bug bounty programs are so designed 
that they provide no particular benefit or special access to the 
participants. On the contrary, the programs generate additional work 
for the participant while collecting various pieces of information 
about them. For these reasons, a malicious actor has something to lose 
and nothing to gain in such a program. It is more rational for the 
malicious actor to engage in their unauthorized activity outside of the 
program.
    Like in most professional endeavors, it is at least in theory 
possible for a criminal to pose as a legitimate participant. But given 
that there are no benefits but only obligations in a program, this 
would not be rational behavior. The only way to receive a benefit from 
a vulnerability disclosure or bug bounty program is by reporting a 
valid vulnerability to the owner of the system. When that happens, a 
vulnerability can be removed and rendered unusable by criminals.
    Criminals, for the above mentioned reasons, do not wait for 
vulnerability disclosure or bug bounty programs to start, and they 
obtain no benefit from joining such programs if they exist. Criminals 
engage in their unauthorized activity at any time and outside any 
formal program.
    When researchers bring security vulnerabilities to the attention of 
companies and organizations, they should assume good faith until proven 
otherwise.
    The question of whether an entity operating a program can tell the 
difference between a well-intended researcher and a criminal becomes 
philosophical or even irrelevant. Outside of the program, any criminal 
activity is possible and often likely. Inside the program, only good 
and non-criminal deeds are rewarded.
    The above text describes the general case. Additionally, there can 
be a special case of a bug bounty program in which the program-
operating entity indeed does offer special access or benefits to the 
participants. For instance, a company may provide test accounts or 
other credentials to participating researchers so that they may venture 
deeper into the computer system in their hunt for vulnerabilities to 
report and be rewarded for. In such programs, the participating 
researchers go through additional vetting and screening. The exact 
nature of the screening depends on the company's or organization's 
preferences and may include verification of identity and tax ID, 
verification of home address, criminal background check, and so on. 
With these additional screening requirements, the operator of the bug 
bounty program guards itself against malicious actors gaining access to 
the program in question.
    For an overview of the motivations of ethical hackers and for 
personal profiles of a number of them, we recommend reading the 2018 
Hacker Report that is available from HackerOne, Inc., on our website 
www.hackerone.com and by contacting us by e-mail at [email protected].

    Question 2. What is the role of bug bounty programs when faced with 
extortion attempts?
    Answer. Extortion has absolutely no role in bug bounty programs.
    Whenever a situation develops that may indicate an extortion 
attempt, HackerOne advises the sponsor of the program (its customer) to 
notify and work with law enforcement for guidance and instructions. It 
is always the entity with the bug bounty (or vulnerability 
coordination) program that determines whether conduct by a hacker or 
hackers is authorized or unauthorized. Bug bounty platform providers 
such as HackerOne act as a preventative service.
    There are situations where immature researchers may ask for a 
bounty in an impolite or even threatening way. Often, such situations 
can be de-escalated with the help of mediation and diplomacy. Hackers 
do commonly suggest or ask for specific bounty amounts from the vendor.
    The size of the bounty is largely determined by the severity of the 
vulnerability, and severity can be properly assessed only by the 
customer. So the finder is in a position of no control at all over the 
payment outcome. To balance this, they often make suggestions, requests 
and claims for specific bounties in the hope that the customer will be 
open to suggestions. As many hackers are young and all of them are 
impatient, the language of such requests may not seem proper to someone 
not familiar with the trade, even though the hacker has the best of 
intentions.

    Question 3. According to your testimony, the diversity and scale of 
the hacker community allows the ``hacker-powered security'' model to 
identify vulnerabilities that automated scanners and permanent 
penetration testing teams will not. Can you please further explain this 
sentiment? Are there any metrics or numbers that are able to cite to 
quantify the effectiveness of the model over other approaches?
    Answer. Customers on HackerOne have resolved more than 65,000 
unique security vulnerabilities to date by working with the hacker 
community. A good portion of these customers have reported back to 
HackerOne that they are finding vulnerabilities that they could not 
otherwise detect with scanners or penetration testing (also called 
pentesting). The strongest metric in support of hacker-powered security 
is the fact that even after deploying scanners and pentests there are 
innumerable security vulnerabilities that bug bounty and vulnerability 
disclosure programs identify.
    There are a number of reasons for this. A key reason is that 
scanners and penetration testing are limited in scope whereas hacker-
powered security is broad and diverse.
    A scanner has been programmed by engineers to detect specific 
previously known vulnerability types, but it is limited in its ability 
to modify its search or ``think outside the box.'' Though useful, 
scanners cannot find what humans can. Penetration tests are conducted 
by humans and therefore represent more intellectual variety and 
creativity than scanners. But they cannot measure up against a broad 
and creative collection of external researchers. Penetration tests 
follow pre-defined guidelines and are designed to test for a specific 
set of vulnerabilities. Often, customers are more eager to get a clean 
report than to find all possible vulnerabilities.
    In both the case of scanners and of penetration testing, the 
customer is paying a fixed price for effort. But in the case of hacker-
powered security, the customer pays for result. Hackers do not get paid 
unless they find something of value to the customer. This leads the 
hackers to try harder and think more creatively, and that in turn leads 
to superior results.

    Question 4. Your testimony described vulnerability disclosure 
programs with the motto of ``If you see something, say something,'' and 
further elaborates how the outside hacker will be invited to disclose 
the vulnerability to the system's owner. During the disclosure process, 
is it a common practice for the hacker to actually take exposed data in 
order to demonstrate proof of vulnerability to the company? If so, is 
there a standard type or amount of data that these [sic] is needed for 
the hacker to demonstrate authenticity?
    Answer. The amount of evidence that it is prudent to collect when 
discovering a security vulnerability is a topic of great interest to 
the security community. On the one hand, the hacker is bound and 
committed by the program rules not to cause harm or obtain any data 
that is not needed for the work. On the other hand, there are 
situations where perhaps the only way of demonstrating that a breach 
could be possible is to actually exfiltrate some data.
    Entities that operate bug bounty programs declare on their program 
page the rules for the hackers. Typically, they will prohibit data 
exfiltration, as this example from a prominent bug bounty program 
shows: ``Findings not eligible for bounty: . . . Internal pivoting, 
scanning, exploiting, or exfiltrating data from internal [company name] 
systems.''
    It should be noted that a hacker may not initially know what is 
inside a data file found. In order to determine the nature of the file, 
the hacker may have to open it, which for practical purposes may mean 
downloading it, which amounts to exfiltration. If the contents are 
irrelevant, then no harm was done. If the file contains pointers to 
other data sources, or perhaps credentials to another system, then this 
is valuable information for resolving the security problem. But if the 
contents turn out to be customer or personal information, then the 
hacker must immediately erase any such copies of the file and refrain 
from opening it or using it again. The determination of whether it is 
permissible to open the file or not can be made only after the file has 
been opened.

    Question 5. HackerOne's 2018 Hacker Report and a 2016 study 
conducted by the National Telecommunications and Information 
Administration (NTIA) both indicated that profit is a relatively 
limited motivation among hackers participating in coordinated 
vulnerability disclosure programs. Given the panel's experience with 
professionals in this field, could you please further describe the 
predominant motivators?
    Answer. In the course of its business, HackerOne has enabled tens 
of thousands of hackers to find and help fix over 65,000 security 
vulnerabilities. The motivations behind the hackers' work are as 
diverse as the group. In the hacker surveys we have conducted, we 
consistently see hackers operating under multiple motivations.
    Financial rewards are essential and important, but they are far 
from the only motivation. The presence and success of numerous 
vulnerability disclosure programs (i.e., programs that pay no financial 
rewards) serve as a clear indicator that there are plenty of hackers 
ready to hunt for security vulnerabilities for other than pecuniary 
reasons. For instance, in the various programs by the Department of 
Defense, about 3,000 vulnerabilities have been reported into the 
vulnerability disclosure program and 600 within the bug bounty 
programs.
    Many hackers hack for the intellectual challenge. They want to 
learn more and they are eager to know that they have the skill to find 
a hole in the armor of a famous company or government entity. Being 
thanked or acknowledged by a prestigious vulnerability disclosure 
program is a great motivation.
    Often, hackers hack in order to find like-minded people and be able 
to collaborate with them. It is a reward in itself to be able to 
interact with someone with unusual skill or intellect.
    Others hack for the pragmatic reason of advancing their careers. 
The list of vulnerabilities found that each hacker has on their 
individual HackerOne page serves as evidence of their skills. It helps 
them gain entry to colleges and universities or to land a security job 
at a company or other organization.
    For many, there is an altruistic motive in hacking. They want to 
make the world a more secure place. They want to contribute to society. 
They have a sense of duty and feel that if they know how to detect 
vulnerabilities, it is their mandate to report them to the owners of 
the various systems.

    Question 6. Would you agree that it is absolutely critical for 
companies to administer any vulnerability disclosure program 
responsibly based on sound principles (such as those included in DOJ's 
2017 guidelines) as it has obvious impacts on industry-wide use of 
these types of programs that are proven to protect consumers?
    Answer. Yes, HackerOne applauded the U.S. Department of Justice for 
its 2017 guidelines for vulnerability disclosure programs (VDP). The 
DoJ's guidance reflects best-practices across the industry and is a 
critical document for any organization. Indeed, in many ways, HackerOne 
is dedicated to facilitating the responsible implementation of VDPs 
across the broad spectrum of vulnerable entities in line with the DoJ's 
guidance.

    Question 7. Given the unique national security aspects of working 
with DOD, I am interested to hear more about HackerOne's involvement in 
the vulnerability disclosure programs aiding our Armed Services, 
starting with the ``Hack the Pentagon'' program and followed by the 
``Hack the Army'' and ``Hack the Air Force 1.0 and 2.0.''
    Answer. The Department of Defense's Defense Digital Services 
pioneered the first ever Federal bug bounty challenge, ``Hack the 
Pentagon,'' in 2016. The DoD is continuing to do so by engaging with 
the global hacker community through its ongoing vulnerability 
disclosure policy.
    Since the Hack the Pentagon program launched in 2016, over 3,600 
vulnerabilities have been resolved in government systems through the 
bug bounty and vulnerability disclosure challenges on HackerOne. 
Working with the ethical hacker community supplements the useful work 
the DoD's internal security teams are already doing.
Hack the Army
    The Hack the Army Bug Bounty program ran from Wednesday, November 
30, 2016 to Wednesday, December 21, 2016. Hackers reported more than 
118 valid unique security issues.
    Through this program, the Army was able to tap into the reservoir 
of diverse hackers on HackerOne, many of whom would otherwise not work 
with the Army, augment the work the Army red teams are already doing to 
help secure their systems and networks, and increase the security of 
mission critical systems and networks that house information critical 
to military recruiting.
    The Army chose as its target digital assets that might have been 
used as a stepping stone for reaching personally identifying 
information about Army recruits--colloquially referred to as ``the 
crown jewels.'' Ensuring this data was secure was a high priority for 
DoD because of the sensitivity of the information for America's 
potential war fighters.
    The most significant vulnerability found was due to a series of 
chained vulnerabilities. A researcher could move from a public-facing 
website, goarmy.com, and get to an internal DoD website that requires 
special credentials to access. The researchers got there through an 
open proxy, meaning the routing was not shut down the way it should 
have been. The researcher, without even knowing it, was able to get to 
this internal network because there was a vulnerability with the proxy 
and with the actual system. On its own, neither vulnerability is 
particularly interesting. Paired together, they become critical.
    Automated testing tools are not capable of such leaps of logic. It 
requires a highly skilled and creative researcher (or team of 
researchers) to chain together a number of independent flaws in order 
to create a path to the critical inside of the system.
    The Army remediation team that owns and operates the websites, as 
well as the Army Cyber Protection Brigade, acted quickly. Once the 
report was submitted, they were able to block any further attacks, and 
ensure there was no way to exploit this chain of vulnerabilities.
Hack the Air Force
    The Hack the Air Force Bug Bounty program ran from May 30, 2017 to 
June 23, 2017, with nearly 300 individual hackers participating in the 
bug bounty challenge. More than 50 hackers earned bounties for 
reporting more than 207 valid unique security vulnerabilities, the 
first of which was reported in less than a minute from the start of the 
program.
    Some of the vulnerability reports received an initial response time 
of less than a minute by the Air Force security teams. The average time 
to resolution during the challenge was 4 days. What this means is that 
the Air Force's security team was extremely fast at processing reports, 
verifying them and resolving bugs, making the systems more secure 
faster.
Hack the Air Force 2.0
    On December 9, 2017, the first day of the challenge, 24 hackers met 
in New York City and participated in a live hacking event--the first 
ever to include Federal government participation on-site. DoD and U.S. 
Air Force personnel worked alongside the vetted and pre-selected 
hackers to simultaneously report security flaws and remediate them in 
real-time. Together, they collaborated to find 55 of the 106 total 
vulnerabilities during this nine-hour hacking event.
    Twenty-seven trusted hackers successfully participated in the Hack 
the Air Force bug bounty challenge--reporting 106 valid vulnerabilities 
and earning a total of $103,883. Hackers from the U.S., Canada, United 
Kingdom, Sweden, Netherlands, Belgium and Latvia participated in the 
challenge. In this event, the highest single bounty of any Federal 
program--$12,500--was awarded.

    Question 8. More specifically, were there lessons learned from the 
earlier programs that your company addressed and implemented in the 
more recent programs?
    Answer. Working with its DoD counterparts, HackerOne and the 
security research community continue to improve its programs. We 
regularly revise and improve our internal process descriptions and our 
external program guidelines in order to reduce the risk of failure in a 
program and to increase the overall productivity and effectiveness of 
hacker-powered security. We also continually learn more about the 
digital assets of our customers so that we can provide better advice on 
which assets to include in a program, and at what phase of the program.
    As our customers develop a thorough expertise in operating a bug 
bounty program, we may recommend events where hackers and the security 
team of the customer are brought together for a live hacking event. We 
did so during ``Hack the Air Force 2.0'' and the results exceeded 
expectations.
    Hack the Air Force targeted operationally significant websites and 
online services. The goal of the program was to explore new approaches 
to its security, and to adopt the best practices used by the most 
successful and secure software companies in the world. The preliminary 
results indicate nearly doubling the results of the first Hack the 
Pentagon program a year earlier.
    With every DoD bug bounty the pool of invited participants has 
grown, with the intent of opening it wider to continue to include all 
qualified participants. By now, every person on HackerOne is legally 
permitted to participate in the DoD's vulnerability disclosure program 
(VDP). To date, the DoD's VDP has resolved more than 3,000 security 
vulnerabilities.

    Question 9. How did your company account for the specific 
capabilities and functions of the different services your company 
worked with?
    Answer. The key to success in a bug bounty or vulnerability 
disclosure program lies in diversity of approach and specificity of 
skill among the hackers. That is why HackerOne has established the 
world's largest community of security researchers, also known as white 
hat hackers. By having an enormous pool to draw from, we ensure that 
for each particular program there is a large enough group of hackers 
with the particular skills needed. We record and keep track of skill 
profiles in our hacker database. When a new program launches, we can 
find the hackers most likely to have the required skills.
    As new customers launch programs on HackerOne, a useful cross-
pollination of skills often happens. The new customer typically brings 
along hackers with deep skills in their particular digital asset. These 
hackers can then find other programs with similar profiles. And from 
those other programs, existing hackers may engage in the new program. 
In this way, over time, individual hacker skills are strengthened, and 
the overall skill profiles in the HackerOne community become more 
complete.
    Additionally, both HackerOne and its clients may arrange for 
additional education, training and briefing of hackers in specific 
areas of technology. The more information there is available, the 
sharper the skills and the better the results of bug bounty programs.
    Arguably the best source of learning for ethical hackers is the 
Hacktivity feed () where vulnerability reports are being published by 
various companies and government agencies for others to learn from once 
the vulnerability has been fixed and removed.

    Question 10. Please explain the utility of a combined pool of 
Federal employee and outside participants.
    Answer. The success of cyber security is measured not by how many 
good events there are but by how many bad events can be avoided. The 
best results are achieved by multiple layers of security. Even if one 
layer occasionally fails, there is another layer that will catch the 
deviation from the norm.
    Cyber security starts with the design of the digital system. This 
is the first layer of security. Later in the software lifecycle comes 
quality assurance, which also removes weaknesses. When a digital asset 
is ready for production use, it still needs testing and validation. 
This is where internal and external bug hunting teams come into the 
picture. Internal teams of employees have the benefit of inside 
knowledge of the system. External teams of hackers have the benefit of 
lack of bias. These and other, more technical, layers of security are 
needed for the best outcome.
    A theme we heard over and over again while working with the DoD is 
that military and civilian personnel need hands-on training whenever 
possible. This keeps their skills sharp and allows them opportunities 
to see unique tactics from a highly skilled researcher community. 
Allowing employees to participate in bug bounty programs provides 
realistic training experiences in a controlled environment, at a low 
cost.

    Question 11. Your testimony states that $250,000 is the current 
maximum bounty listed across all programs that the company administers 
for its clients. Are the maximum bounty amounts pre-determined in 
agreements with your client companies?
    Answer. On HackerOne's platform, it is the customer that sets the 
bounty criteria, often based on a recommendation from HackerOne. 
HackerOne maintains a set of recommended bounty amounts that we derive 
from historical bounty payment data, adjusting for size and ambition 
level of the program in question. The bounty amount is typically a 
function of the severity of the vulnerability and the value of the 
digital asset in which the vulnerability was found.
    The client company has the full right to deviate from their own 
criteria and pay out higher bounties than advertised. As a matter of 
fact, many programs do not publish or advertise any maximum bounty.
    In addition to bounties, customers can choose to pay individual 
bonuses to hackers. For instance, if a hacker has prepared an unusually 
well-researched and well-written vulnerability report to the customer, 
the entity may choose to reward the hacker with a bonus on top of the 
bounty. The bonus amounts are typically small. In 2017, less than 5 
percent of all hacker rewards were bonuses.

    Question 12. Your testimony stated that the Computer Fraud and 
Abuse Act is in need of modernization to prevent liability of hackers 
acting in good faith in identifying vulnerabilities to protect 
consumers. Do you have any specific recommendations related to 
modernizing the law?
    Answer. Current law, particularly the Computer Fraud and Abuse Act 
(CFAA), does a disservice to the Internet and its citizens. Congress 
should amend it to reflect the modern-day needs of the country's 
cybersecurity community, including the value and necessity of voluntary 
disclosure programs.
    The CFAA fails to define the terms ``without authorization'' or 
``exceeding authorized access,'' which are key elements of the law. 
This broad undefined language has resulted in the CFAA being called one 
of the most controversial, confusing, and inconsistently interpreted 
laws in the country. We suggest that the law should clarify ``without 
authorization'' and distinguish between bad intent on the one hand, and 
good intent or innocent lack of intent on the other.
    While intended as a criminal law preventing malicious hacking, a 
1994 amendment to the bill allows for civil actions. We suggest that 
the CFAA focus on criminal liability rather than civil liability. Much 
of the chilling effect created by the law originates from its broad 
interpretation in civil cases, where the burden of proof is reduced.
    HackerOne also suggests that violations of contractual obligations, 
such as a website's terms of service, must not form a basis for 
criminal charges. Further, it should be clarified in the law that if 
access to data is already authorized, gaining that access in a novel or 
automated way is not a crime (i.e., changing IP addresses, MAC 
addresses, or browser User Agent headers). Finally, minor violations of 
the CFAA should be punishable with minor penalties, ensuring the 
punishment fits the violation.
    HackerOne urges Congress to modernize the CFAA and related laws to 
reflect the necessity to fight cybercrime with modern-day tools and 
processes, including particularly voluntary disclosure programs.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Brian Schatz to 
                            Marten G. Mickos
    Question 1. I have been working to make the process of software 
vulnerability disclosures more transparent and accountable. As part of 
this effort, Senators Gardner, Johnson, Klobuchar, and I introduced the 
PATCH Act. Do you support the PATCH Act?
    Answer. We believe in the general and overarching principles of 
finding, fixing and disclosing security vulnerabilities. We as a e 
society should make every effort to detect security vulnerabilities and 
have them corrected by the owner of the system before the vulnerability 
can be exploited by criminals or other adversaries. Once the 
responsible owner of a system has remediated the vulnerability, or 
after a reasonable time of being advised of the existence of a 
vulnerability, it is in society's best interest to make this 
information publicly known. In our increasingly connected world, it is 
rare that critical lessons learned from a vulnerability are limited to 
a single organization. We also acknowledge that the government from 
time to time will have valid and specific reasons of a national 
security character not to report or disclose a known security 
vulnerability. Such withholding of vulnerability information from the 
owner of the system in question should be allowed temporarily only when 
required to address a specific and significant nation security threat. 
To the degree the PATCH Act validates and enforces these principles, we 
support the act.

    Question 2. HackerOne's code of conduct clearly forbids extortion 
or blackmail. Yet, after the 2016 incident, Uber still remains a client 
of HackerOne and is listed on its platform. Was Uber's payoff to its 
extortionists not a violation of HackerOne's code of conduct? Was their 
account suspended or penalized in any manner?
    Answer. Based on our observations and investigations, Uber is not 
and has not been in violation of HackerOne's terms and conditions or 
code of conduct for customers. HackerOne did not suspend or penalize 
Uber's customer account in any manner.
                                 ______
                                 
    Response to Written Question Submitted by Hon. Amy Klobuchar to 
                            Katie Moussouris
    Question. If we are going to increase the size and expertise of our 
cybersecurity workforce it is essential that we commit to expanding 
educational opportunities for American students. That's why I 
introduced the bipartisan Innovate America Act with Senator John 
Hoeven. Provisions from this bill became law as part of the Every 
Student Succeeds Act. They will improve students' access to STEM 
education by allowing states to award funding to create or enhance a 
STEM-focused specialty school or a STEM program within a school. 
Minnesota has received $4 million of these grants and will be making 
awards soon.
    Ms. Moussouris, how significant is the current skills gap in the 
cybersecurity workforce?
    Answer. No Response Provided.
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Brian Schatz to 
                            Katie Moussouris
    Question 1. There are serious questions about the disclosure 
timeline and process of the ``Spectre'' and ``Meltdown'' flaws. Do you 
believe that the right entities were involved in the research and 
disclosure process leading up to public notification? How could this be 
improved?
    Answer. No Response Provided.

    Question 2. What should be the threshold for disclosing 
vulnerabilities to the U.S. government? As the cyber threat model 
evolves, how and when should this threshold change?
    Answer. No Response Provided.

    Question 3. I have been working to make the process of software 
vulnerability disclosures more transparent and accountable. As part of 
this effort, Senators Gardner, Johnson, Klobuchar, and I introduced the 
PATCH Act. Do you support the PATCH Act?
    Answer. No Response Provided.
                                 ______
                                 
   Response to Written Questions Submitted by Hon. Amy Klobuchar to 
                            Justin Brookman
    Question 1. I introduced the Seniors Fraud Prevention Act with 
Senator Susan Collins, the Chair of the Senate Committee on Aging, to 
help the Federal Trade Commission (FTC) more effectively combat senior 
fraud. When personal information has been compromised online, identity 
theft and other fraud can follow consumers for years. My bill would 
help fight scams designed to strip seniors of their assets by helping 
educate seniors about fraud schemes and improving monitoring and 
response to fraud complaints. This bill was passed by the Commerce 
Committee last year and I am happy to say it passed the Senate in 
August.
    Mr. Brookman, what additional resources or authority at the FTC 
would be helpful in protecting consumers' personal information?
    Answer. There are a number of important steps that I believe 
Congress should undertake to improve the FTC's ability to protect 
consumer privacy. These include:

   Enact statutory privacy protections. The United States is 
        outlier in that it is one of the few nations that does not 
        provide legal protections for most personal data. Instead, only 
        a few isolated pockets of information (such as medical history, 
        data about children, and video rental records) are protected--
        and even some of those protections are being rolled back.\1\ In 
        lieu of dedicated privacy authority, the Federal Trade 
        Commission has leveraged existing consumer protection law to 
        challenge some privacy violations, but its legal authority is 
        extremely constrained. Most of the FTC's privacy cases have 
        been brought under its deception authority, meaning that the 
        FTC can only act if a company proactively deceives a consumer 
        about its data practices. Absent affirmative transparency and 
        choice obligations, many companies evade this liability by 
        offering only vague and inscrutable information about its 
        practices in privacy policies that consumers rarely read. The 
        FTC has more recently brought privacy cases under its 
        unfairness authority, but such cases require a showing of 
        ``substantial injury''--and what constitutes a substantial 
        privacy injury is a legal uncertainty.\2\ Congress could 
        dramatically improve privacy protections and consumers' rights 
        by enacting privacy legislation modeled on the Fair Information 
        Practice Principles;\3\ Consumers Union would be more than 
        happy to collaborate with your office and other interested 
        members of Congress in crafting what such legislation would 
        look like.
---------------------------------------------------------------------------
    \1\ See, e.g., Kimberly Kindy, How Congress dismantled Federal 
Internet privacy rules, Washington Post, May 30, 2017, https://
www.washingtonpost.com/politics/how-congress-dismantled-federal-
internet-privacy-rules/2017/05/29/7ad06e14-2f5b-11e7-8674-
437ddb6e813e_story
.html?utm_term=.11a7cf766dad.
    \2\ The Federal Trade Commission recently hosted a public workshop 
on this topic. See Informational Injury Workshop, Federal Trade 
Commission, Dec. 12, 2017, https://www.ftc.gov/news-events/events-
calendar/2017/12/informational-injury-workshop.
    \3\ Bob Gellman, Fair Information Practice Principles: A Basic 
History, Apr. 10, 2017, https://bobgellman.com/rg-docs/rg-
FIPshistory.pdf.

   Statutory penalties for lawbreaking. The Federal Trade 
        Commission lacks the legal authority to obtain civil penalties 
        in the considerable majority of its cases--instead, it can only 
        obtain injunctive relief and offer restitution to injured 
        consumers (though again, restitution is challenging in the 
        privacy realm where injuries are difficult to quantify). As 
        such, companies are able to treat legal challenges merely as a 
        cost of doing business. The FTC should be able to obtain 
        reasonable civil penalties in order to sufficiently deter 
        wrongdoing, both for violations of a new privacy statute as 
---------------------------------------------------------------------------
        well as its existing Section 5 legal authority.

   Ability to issue clarifying regulations. Unlike many 
        regulatory agencies, the Federal Trade Commission generally 
        lacks the ability to issue regulations under the Administrative 
        Procedure Act. This limitation prohibits the agency from 
        issuing more precise guidance to companies and consumers as to 
        what behavior is prohibited, relying instead on establishing 
        legal norms through litigation and negotiated consent decrees. 
        We urge Congress to provide the FTC with this authority, both 
        for a new privacy statute as well as for Section 5.

   Staffing. The Federal Trade Commission needs more resources 
        to perform its consumer protection mission. Despite the U.S. 
        economy more than doubling in size since 1980, the size of the 
        FTC staff has--to say the least--failed to keep up. Moreover, 
        other agencies are increasingly pushing their own 
        responsibilities to the FTC, especially on privacy--from the 
        Federal Communications Commission\4\ to the National Highway 
        Traffic and Safety Administration.\5\ Further, some FTC critics 
        have called upon the FTC to litigate more its cases--instead of 
        relying upon settlement agreements--in order to create binding 
        and reliable rules (though, as noted above, this could also be 
        accomplished through rulemaking).\6\ However litigating against 
        more well-resourced companies is labor intensive, and the 
        Commission will need considerably more attorneys in place to 
        pursue such as a strategy. In addition to additional legal 
        support, I strongly support funding more technical staff at the 
        FTC in order to competently police online privacy and related 
        issues, both within substantive divisions such as the Division 
        of Privacy and Identity Protection, but also in the Office of 
        Technology Research and Investigation (or OTECH) which supports 
        the entire Consumer Protection Bureau mission.
---------------------------------------------------------------------------
    \4\ Amir Nasr, Trump's Repeal of Internet Privacy Rules Shifts 
Regulatory Powers to FTC, Morning Consult, Apr. 7, 2017, https://
morningconsult.com/2017/04/04/trumps-repeal-internet-privacy-rules-
shifts-regulatory-powers-ftc/.
    \5\ Joe Jerome, NHTSA Automated Vehicles Guidance Punts Privacy to 
the FTC and Congress, Center for Deomcracy & Technology, Sep. 22, 2017, 
https://cdt.org/blog/nhtsa-automated-vehicles-guidance-punts-privacy-
to-the-ftc-and-congress/.
    \6\ Tom Struble, Reforming the Federal Trade Commission Through 
Better Process, R Street, Dec. 2017, http://
2o9ub0417chl2lg6m43em6psi2i.wpengine.netdna-cdn.com/wp-content/uploads
/2017/12/122.pdf.

    Question 2. During your time at the FTC, did you notice any trends 
in how new technology was being used to exploit seniors?
    Answer. In my experience, the Federal Trade Commission takes very 
seriously its obligation to protect all citizens, but especially 
segments of the population that may be vulnerable to particular 
practices. Through its Every Community Initiative, the FTC has tried to 
identify various ways that predators are more likely to target certain 
populations.\7\ A recent FTC Fraud Report found that while senior 
citizens were not more likely to be targeted with fraud generally, they 
were more likely to be targeted by certain scams, such as fraudulent 
prize promotions, timeshare fraud, and fraudulent medical claims.\8\ 
Tech support scams was another such category, where attackers try to 
exploit unfamiliarity with technology to sign consumers up for 
unneeded, high-cost technical assistance--or worse, hold a consumer's 
computer hostage until a ransom has been paid.\9\ The FTC has brought a 
number of tech support scam enforcement actions,\10\ and in 2016 held a 
public workshop on the growing menace of ransomware.\11\ Robocalls are 
another common--and growing--frustration of older Americans, and the 
FTC along with the FCC have taken a variety of actions to try to combat 
their rise.\12\ Consumers Union has also advocated a number of 
additional steps that policymakers should take, including requiring 
phone companies to offer to all consumers comprehensive tools to block 
spoofed and unwanted calls, at no charge, and without delay.\13\
---------------------------------------------------------------------------
    \7\ Every Community, Federal Trade Commission, https://
www.consumer.ftc.gov/features/every-community.
    \8\ Testimony of Lois Greisman before the Senate Special Committee 
on Aging, Stopping Senior Scams: Developments in Financial Fraud 
Affecting Seniors, Feb. 15, 2017, https://www.ftc.gov/system/files/
documents/public_statements/1069573/
p134405_commission_testimony_re_stopping_senior_scams_senate_02152017.pd
f.
    \9\ Id.
    \10\ E.g., Press Release, FTC Obtains Settlements from Operators of 
Tech Support Scams, Federal Trade Commission, Oct. 26, 2017, https://
www.ftc.gov/news-events/press-releases/2017/10/ftc-obtains-settlements-
operators-tech-support-s cams.
    \11\ Fall Technology Series: Ransomware, Federal Trade Commission, 
Sep. 7, 2016, https://www.ftc.gov/news-events/events-calendar/2016/09/
fall-technology-series-ransomware.
    \12\ Robocalls, Federal Trade Commission, https://
www.consumer.ftc.gov/features/feature-0025-robocalls.
    \13\ E.g., Maureen Mahoney, Letter from Consumers Union to Senators 
Bill Nelson et. al, Apr. 5, 2018, g/wp-content/uploads/2018/04/CU-CFA-
Robocalls-S.-134.pdf.
---------------------------------------------------------------------------
                                 ______
                                 
    Response to Written Questions Submitted by Hon. Brian Schatz to 
                            Justin Brookman
    Question 1. There are serious questions about the disclosure 
timeline and process of the ``Spectre'' and ``Meltdown'' flaws. Do you 
believe that the right entities were involved in the research and 
disclosure process leading up to public notification? How could this be 
improved?
    Answer. Given the unprecedented scope of the Spectre and Meltdown 
vulnerabilities and my lack of practical experience in incident 
response, I am hesitant to severely criticize the disclosure timing and 
processes that were used. Multi-party coordination can be 
extraordinarily challenging under less complicated circumstances, and 
there are inevitable and difficult trade-offs between the values of 
concealing information to prevent leaks that could harm consumers with 
sharing information to the diverse parties who will have to address the 
vulnerabilities. I question the assessment that the vulnerabilities 
were not being actively exploited, and how it was used as a rationale 
for not sharing information with US-CERT. Further, I believe that 
several companies' initial public statements understating the scope of 
the problem was counterproductive. It is my hope that the companies 
involved will undertake a rigorous assessment of what worked well and 
what did not in order to learn from this experience, as this will 
certainly not be the last major vulnerability that threatens devices 
and services across the ecosystem.
    While the Spectre/Meltdown incident may provide valuable lessons 
about incident response and coordination, I believe there are 
potentially more important lessons about how security often receives 
insufficient attention during product design. The current legal 
framework does not provide strong enough incentives for companies to 
safeguard against these types of vulnerabilities in the first place. 
Functions such as speculative execution prioritize performance at all 
costs without sufficient weighting of the risks of exploitation. 
Unfortunately, companies do not bear the full costs of security 
vulnerabilities, as it is consumers who end up bearing the burdens of 
identity theft, impaired functionality, and the need to replace 
products. While companies who experience a security breach may face the 
loss of consumer goodwill, in a vulnerability as fundamental as Spectre 
and Meltdown, consumers may not even know which company to blame, given 
that so many products and system layers were affected. In concentrated 
industries with only a handful of providers (or fewer), the 
insufficiency of after-the-fact market pressure is an even greater 
problem.
    Consumers often feel helpless in the wake of incidents such as 
these, unsure of which products are vulnerable, and if so, to what 
types of attacks. While there are some useful guidelines for consumers 
to keep in mind (keep software updated, use tracker blockers to stop 
unnecessary interactions with third-party servers), consumers are 
usually not in the best position to ensure security on their systems. 
Companies should have legal obligations to deploy and maintain 
reasonable security measures, proportionate to the risks borne by both 
by the companies and others. In some cases, this may compromise 
performance, if the security risks outweigh the performance loss. 
However, in many cases, this can be remediated through addressing other 
prevalent anti-consumer inefficiencies, such as device bloatware and 
excessive reliance on third party tracking code.

                                  [all]

                  This page intentionally left blank.
                  This page intentionally left blank.
                  This page intentionally left blank.