[Congressional Record Volume 164, Number 158 (Tuesday, September 25, 2018)]
[House]
[Pages H8746-H8748]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




              PUBLIC-PRIVATE CYBERSECURITY COOPERATION ACT

  Mr. McCAUL. Mr. Speaker, I move to suspend the rules and pass the 
bill (H.R. 6735) to direct the Secretary of Homeland Security to 
establish a vulnerability disclosure policy for Department of Homeland 
Security internet websites, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 6735

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Public-Private Cybersecurity 
     Cooperation Act''.

     SEC. 2. DEPARTMENT OF HOMELAND SECURITY DISCLOSURE OF 
                   SECURITY VULNERABILITIES.

       (a) Vulnerability Disclosure Policy.--The Secretary of 
     Homeland Security shall establish a policy applicable to 
     individuals, organizations, and companies that report 
     security vulnerabilities on appropriate information systems 
     of Department of Homeland Security. Such policy shall include 
     each of the following:

[[Page H8747]]

       (1) The appropriate information systems of the Department 
     that individuals, organizations, and companies may use to 
     discover and report security vulnerabilities on appropriate 
     information systems.
       (2) The conditions and criteria under which individuals, 
     organizations, and companies may operate to discover and 
     report security vulnerabilities.
       (3) How individuals, organizations, and companies may 
     disclose to the Department security vulnerabilities 
     discovered on appropriate information systems of the 
     Department.
       (4) The ways in which the Department may communicate with 
     individuals, organizations, and companies that report 
     security vulnerabilities.
       (5) The process the Department shall use for public 
     disclosure of reported security vulnerabilities.
       (b) Remediation Process.--The Secretary of Homeland 
     Security shall develop a process for the Department of 
     Homeland Security to address the mitigation or remediation of 
     the security vulnerabilities reported through the policy 
     developed in subsection (a).
       (c) Consultation.--In developing the security vulnerability 
     disclosure policy under subsection (a), the Secretary of 
     Homeland Security shall consult with each of the following:
       (1) The Attorney General regarding how to ensure that 
     individuals, organizations, and companies that comply with 
     the requirements of the policy developed under subsection (a) 
     are protected from prosecution under section 1030 of title 
     18, United States Code, civil lawsuits, and similar 
     provisions of law with respect to specific activities 
     authorized under the policy.
       (2) The Secretary of Defense and the Administrator of 
     General Services regarding lessons that may be applied from 
     existing vulnerability disclosure policies.
       (3) Non-governmental security researchers.
       (d) Public Availability.--The Secretary of Homeland 
     Security shall make the policy developed under subsection (a) 
     publicly available.
       (e) Submission to Congress.--
       (1) Disclosure policy and remediation process.--Not later 
     than 90 days after the date of the enactment of this Act, the 
     Secretary of Homeland Security shall submit to Congress a 
     copy of the policy required under subsection (a) and the 
     remediation process required under subsection (b).
       (2) Report and briefing.--
       (A) Report.--Not later than one year after establishing the 
     policy required under subsection (a), the Secretary of 
     Homeland Security shall submit to Congress a report on such 
     policy and the remediation process required under subsection 
     (b).
       (B) Annual briefings.--One year after the date of the 
     submission of the report under subparagraph (A), and annually 
     thereafter for each of the next three years, the Secretary of 
     Homeland Security shall provide to Congress a briefing on the 
     policy required under subsection (a) and the process required 
     under subsection (b).
       (C) Matters for inclusion.--The report required under 
     subparagraph (A) and the briefings required under 
     subparagraph (B) shall include each of the following with 
     respect to the policy required under subsection (a) and the 
     process required under subsection (b) for the period covered 
     by the report or briefing, as the case may be:
       (i) The number of unique security vulnerabilities reported.
       (ii) The number of previously unknown security 
     vulnerabilities mitigated or remediated.
       (iii) The number of unique individuals, organizations, and 
     companies that reported security vulnerabilities.
       (iv) The average length of time between the reporting of 
     security vulnerabilities and mitigation or remediation of 
     such vulnerabilities.
       (f) Definitions.--In this section:
       (1) The term ``security vulnerability'' has the meaning 
     given that term in section 102(17) of the Cybersecurity 
     Information Sharing Act of 2015 (6 U.S.C. 1501(17)), in 
     information technology.
       (2) The term ``information system'' has the meaning given 
     that term by section 3502(12) of title 44, United States 
     Code.
       (3) The term ``appropriate information system'' means an 
     information system that the Secretary of Homeland Security 
     selects for inclusion under the vulnerability disclosure 
     policy required by subsection (a).

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
Texas (Mr. McCaul) and the gentleman from Louisiana (Mr. Richmond) each 
will control 20 minutes.
  The Chair recognizes the gentleman from Texas.


                             General Leave

  Mr. McCAUL. Mr. Speaker, I ask unanimous consent that all Members 
have 5 legislative days within which to revise and extend their remarks 
and include any extraneous materials on the bill under consideration.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from Texas?
  There was no objection.
  Mr. McCAUL. Mr. Speaker, I yield myself as much time as I may 
consume.
  Mr. Speaker, I rise today in support of the Public-Private 
Cybersecurity Cooperation Act.
  Strengthening our cybersecurity must be a top national priority. 
International hackers and nation-states are waging a war against us in 
cyberspace.
  These threats are aimed at our economic, political, and national 
security institutions.
  Between 2011 and 2013, Iranian hackers attacked dozens of American 
banks and even tried to shut down a dam in New York.
  In 2014, Chinese hackers stole over 22.5 million security clearances, 
including my own, from the Office of Personnel Management.
  In 2016, Russia meddled in our presidential election.
  Because we use computer networks in our personal and professional 
lives, almost everyone is a target.
  With each passing day, cyber threats continue to grow, but the 
government cannot face these threats alone. We need help from the 
private sector.
  Today's legislation will direct the Department of Homeland Security 
Secretary to develop and implement a vulnerability disclosure program 
that will allow threat researchers from the private sectors to identify 
and report cybersecurity flaws found in the Department's information 
systems.
  Currently, there is no legal avenue that allows them to do so. This 
legislation solves that problem.
  Mr. Speaker, I would like to thank Leader McCarthy for his years of 
commitment to innovation and cybersecurity, and for his work on this 
bill in particular.
  He truly understands the nature of this threat and why it is so 
important to have a strong cyber partnership between the public and 
private sectors.
  Mr. Speaker, I believe that this bipartisan legislation will help DHS 
better protect its vital networks, and I urge my colleagues to support 
it.
  Mr. Speaker, I reserve the balance of my time.
  Mr. RICHMOND. Mr. Speaker, I yield myself as much time as I may 
consume.
  Mr. Speaker, I rise in support of H.R. 6735, the Public-Private 
Cybersecurity Cooperation Act.
  Mr. Speaker, protecting our Federal information systems is an 
enormous task.
  As ranking member of the Cybersecurity and Infrastructure Protection 
Subcommittee, I hear more often than I would like about the challenges 
of recruiting and maintaining the Federal cyber workforce. That is true 
even at the Department of Homeland Security.
  As DHS works to address ongoing workforce challenges, we have to 
think creatively and leverage untapped resources of talent.
  Across the country, there are white hat hackers who want to apply 
their considerable cyber skills to report vulnerabilities found on 
government information systems to Federal authorities. But today, these 
ethical hackers cannot research and report bugs on DHS' systems without 
being in violation of the Computer Fraud and Abuse Act.
  In 2016, the Department of Defense piloted Hack the Pentagon, which 
gave white hat hackers 24 days to find unique vulnerabilities in 
certain DOD information systems and report them for a reward.
  The program was so successful, DOD established a permanent 
vulnerability disclosure program to allow ethical hackers to search for 
and report bugs on DOD information systems without violating the law.
  That program has enjoyed similar success to Hack the Pentagon.
  Members of the Homeland Security Committee have been urging DHS to 
establish a vulnerability disclosure program for several years.
  At a hearing with Secretary Nielsen in April, my colleague on the 
Cybersecurity Subcommittee, Mr. Langevin, asked the Secretary whether 
the Department had in place a mechanism for vulnerabilities to be 
reported. Secretary Nielsen testified that the Department had no clear 
process in place to accept information about bugs in DHS information 
systems and agreed to work with the committee to establish one.
  Five months have passed, and the Department is not any closer to 
establishing a vulnerability disclosure program of its own.
  Vulnerability disclosure programs are an emerging industry best 
practice and are recommended by the updated NIST Cybersecurity 
Framework.
  White hat hackers are an enormous pool of talent that the Federal 
Government has largely failed to leverage. DHS can no longer afford to 
leave that kind of talent on the table.

[[Page H8748]]

  H.R. 6735 would push DHS in the right direction by requiring it to 
put in place policies to ensure that civic-minded hackers can research 
and report bugs found on certain information systems without breaking 
the law.
  Before I close, I would like to express my disappointment that S. 
1281, the Hack DHS Act, is not being considered on the floor today.
  S. 1281, which would create a bug bounty pilot program at DHS, was 
approved by voice vote in the committee and is consistent with the 
objectives of H.R. 6735, which I support.

                              {time}  1415

  It is unclear why S. 1281 is not being considered today. I urge House 
leadership to bring S. 1281 to the floor later this fall.
  Mr. Speaker, I urge my colleagues to support H.R. 6735. In the 
current security environment, vulnerability disclosure policies have 
emerged as a critical component of cybersecurity without any 
organization. DHS is the lead Federal Department charged with securing 
government civilian networks.
  DHS should be leading by example, not playing catch-up. Today, the 
Department of Defense and the GSA have vulnerability disclosure 
programs in operation. It is time for DHS to join them.
  Mr. Speaker, I urge my colleagues to support H.R. 6735, and I yield 
back the balance of my time.
  Mr. McCAUL. Mr. Speaker, I yield myself the balance of my time.
  Mr. Speaker, I once again urge my colleagues to support this bill. It 
is at a time when there is a lot of partisanship going on. I think it 
is healthy to see a truly bipartisan bill on such an important issue 
regarding our national security.
  I think, as the gentleman from Louisiana pointed out, this is modeled 
after a program that the Department of Defense successfully deployed, 
and I am proud of the record my committee has had on passing, I think, 
close to 110 bills now, and almost all of them are bipartisan.
  Mr. Speaker, I urge my Senate colleagues to at least take up some of 
them and do the same, and I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from Texas (Mr. McCaul) that the House suspend the rules and 
pass the bill, H.R. 6735, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. McCAUL. Mr. Speaker, I object to the vote on the ground that a 
quorum is not present and make the point of order that a quorum is not 
present.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this question will be postponed.
  The point of no quorum is considered withdrawn.

                          ____________________