[Congressional Record Volume 164, Number 158 (Tuesday, September 25, 2018)]
[House]
[Pages H8878-H8880]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                     HACK YOUR STATE DEPARTMENT ACT

  Ms. ROS-LEHTINEN. Mr. Speaker, I move to suspend the rules and pass 
the bill (H.R. 5433) to require the Secretary of State to design and 
establish a Vulnerability Disclosure Process (VDP) to improve 
Department of State cybersecurity and a bug bounty program to identify 
and report vulnerabilities of internet-facing information technology of 
the Department of State, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 5433

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Hack Your State Department 
     Act''.

     SEC. 2. DEFINITIONS.

       In this Act:
       (1) Bug bounty program.--The term ``bug bounty program'' 
     means a program under which an approved individual, 
     organization, or company is temporarily authorized to 
     identify and report vulnerabilities of internet-facing 
     information technology of the Department in exchange for 
     compensation.
       (2) Department.--The term ``Department'' means the 
     Department of State.
       (3) Information technology.--The term ``information 
     technology'' has the meaning given such term in section 11101 
     of title 40, United States Code.
       (4) Secretary.--The term ``Secretary'' means the Secretary 
     of State.

     SEC. 3. DEPARTMENT OF STATE VULNERABILITY DISCLOSURE PROCESS.

       (a) In General.--Not later than 180 days after the date of 
     the enactment of this Act, the Secretary shall design, 
     establish, and make publicly known a Vulnerability Disclosure 
     Process (VDP) to improve Department cybersecurity by--
       (1) providing security researchers with clear guidelines 
     for--
       (A) conducting vulnerability discovery activities directed 
     at Department information technology; and
       (B) submitting discovered security vulnerabilities to the 
     Department; and
       (2) creating Department procedures and infrastructure to 
     receive and fix discovered vulnerabilities.
       (b) Requirements.--In establishing the VDP pursuant to 
     paragraph (1), the Secretary shall--
       (1) identify which Department information technology should 
     be included in the process;
       (2) determine whether the process should differentiate 
     among and specify the types of security vulnerabilities that 
     may be targeted;
       (3) provide a readily available means of reporting 
     discovered security vulnerabilities and the form in which 
     such vulnerabilities should be reported;
       (4) identify which Department offices and positions will be 
     responsible for receiving, prioritizing, and addressing 
     security vulnerability disclosure reports;
       (5) consult with the Attorney General regarding how to 
     ensure that approved individuals, organizations, and 
     companies that comply with the requirements of the process 
     are protected from prosecution under section 1030 of title 
     18, United States Code, and similar provisions of law for 
     specific activities authorized under the process;
       (6) consult with the relevant offices at the Department of 
     Defense that were responsible for launching the 2016 
     Vulnerability Disclosure Program, ``Hack the Pentagon'', and 
     subsequent Department of Defense bug bounty programs;
       (7) engage qualified interested persons, including 
     nongovernmental sector representatives, about the structure 
     of the process as constructive and to the extent practicable; 
     and
       (8) award a contract to an entity, as necessary, to manage 
     the process and implement the remediation of discovered 
     security vulnerabilities.
       (c) Annual Reports.--Not later than 180 days after the 
     establishment of the VDP under subsection (a) and annually 
     thereafter for the next six years, the Secretary of State 
     shall submit to the Committee on Foreign Affairs of the House 
     of Representatives and the Committee on Foreign Relations of 
     the Senate a report on the following with respect to the VDP:
       (1) The number and severity, in accordance with the 
     National Vulnerabilities Database of the National Institute 
     of Standards and Technology, of security vulnerabilities 
     reported.
       (2) The number of previously unidentified security 
     vulnerabilities remediated as a result.
       (3) The current number of outstanding previously 
     unidentified security vulnerabilities and Department of State 
     remediation plans.
       (4) The average length of time between the reporting of 
     security vulnerabilities and remediation of such 
     vulnerabilities.
       (5) An estimate of the total cost savings of discovering 
     and addressing security vulnerabilities submitted through the 
     VDP.
       (6) The resources, surge staffing, roles, and 
     responsibilities within the Department used to implement the 
     VDP and complete security vulnerability remediation.
       (7) Any other information the Secretary determines 
     relevant.

     SEC. 4. DEPARTMENT OF STATE BUG BOUNTY PILOT PROGRAM.

       (a) Establishment of Pilot Program.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Secretary shall establish a 
     bug bounty pilot program to minimize security vulnerabilities 
     of internet-facing information technology of the Department.
       (2) Requirements.--In establishing the pilot program 
     described in paragraph (1), the Secretary shall--
       (A) provide compensation for reports of previously 
     unidentified security vulnerabilities within the websites, 
     applications, and other internet-facing information 
     technology of the Department that are accessible to the 
     public;
       (B) award a contract to an entity, as necessary, to manage 
     such pilot program and for executing the remediation of 
     security vulnerabilities identified pursuant to subparagraph 
     (A);
       (C) identify which Department information technology should 
     be included in such pilot program;
       (D) consult with the Attorney General on how to ensure that 
     approved individuals, organizations, or companies that comply 
     with the requirements of such pilot program are protected 
     from prosecution under section 1030 of title 18, United 
     States Code, and similar provisions of law for specific 
     activities authorized under such pilot program;
       (E) consult with the relevant offices at the Department of 
     Defense that were responsible for launching the 2016 ``Hack 
     the Pentagon'' pilot program and subsequent Department of 
     Defense bug bounty programs;
       (F) develop a process by which an approved individual, 
     organization, or company can register with the entity 
     referred to in subparagraph (B), submit to a background check 
     as determined by the Department, and receive a determination 
     as to eligibility for participation in such pilot program;
       (G) engage qualified interested persons, including 
     nongovernmental sector representatives, about the structure 
     of such pilot program as constructive and to the extent 
     practicable; and
       (H) consult with relevant United States Government 
     officials to ensure that such pilot program complements 
     persistent network and vulnerability scans of the Department 
     of State's internet-accessible systems, such as the scans 
     conducted pursuant to Binding Operational Directive 
     BOD-15-01.
       (3) Duration.--The pilot program established under 
     paragraph (1) should be short-term in duration and not last 
     longer than one year.
       (b) Report.--Not later than 180 days after the date on 
     which the bug bounty pilot program under subsection (a) is 
     completed, the Secretary shall submit to the Committee on 
     Foreign Relations of the Senate and the Committee on Foreign 
     Affairs of the House of Representatives a report on such 
     pilot program, including information relating to--
       (1) the number of approved individuals, organizations, or 
     companies involved in such pilot program, broken down by the 
     number of approved individuals, organizations, or companies 
     that--
       (A) registered;
       (B) were approved;
       (C) submitted security vulnerabilities; and
       (D) received compensation;
       (2) the number and severity, in accordance with the 
     National Vulnerabilities Database of the National Institute 
     of Standards and

[[Page H8879]]

     Technology, of security vulnerabilities reported as part of 
     such pilot program;
       (3) the number of previously unidentified security 
     vulnerabilities remediated as a result of such pilot program;
       (4) the current number of outstanding previously 
     unidentified security vulnerabilities and Department 
     remediation plans;
       (5) the average length of time between the reporting of 
     security vulnerabilities and remediation of such 
     vulnerabilities;
       (6) the types of compensation provided under such pilot 
     program; and
       (7) the lessons learned from such pilot program.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
Florida (Ms. Ros-Lehtinen) and the gentleman from New York (Mr. Engel) 
each will control 20 minutes.
  The Chair recognizes the gentlewoman from Florida.


                             General Leave

  Ms. ROS-LEHTINEN. Mr. Speaker, I ask unanimous consent that all 
Members may have 5 legislative days to revise and extend their remarks 
and to include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from Florida?
  There was no objection.
  Ms. ROS-LEHTINEN. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, a massive breach of the State Department's unclassified 
computer network in 2014 exposed grave weaknesses in its information 
technology systems. And in the years since that attack, problems have 
continued to mount.
  The Department's cybersecurity response program received a D rating, 
the lowest of any agency, on its Federal Information Security 
Management Act report card in 2017. And just this month, the Department 
revealed that it recently suffered a breach of its unclassified email 
system, which exposed the personal information of some of its 
employees.
  Mr. Speaker, more must be done to ensure cost-effective solutions to 
the Department's information technology security challenges.
  The Hack Your State Department Act, authored by my Foreign Affairs 
Committee colleagues Ted Lieu and Ted Yoho, will help address 
cybersecurity gaps at the Department. This bill will crowdsource 
solutions and offer a layered approach to information technology 
security, consistent with the 2017 Report to the President on Federal 
IT Modernization.
  This bill achieves this in two ways:
  First, the bill establishes a vulnerability disclosure process to 
give security researchers clear guidelines for discovering and 
reporting cybersecurity vulnerabilities. This is considered a best 
practice in the private sector and, frankly, should be done in all 
government agencies.
  Second, this bill would establish a bounty pilot program at the 
Department to reward ethical hackers for discovering and reporting 
vulnerabilities. Numerous private-sector companies and the Department 
of Defense have used programs like this to improve their cyber defenses 
at minimal cost.
  The Department said that its Hack the Pentagon program ``demonstrated 
the power of engaging the hacker community to help address 
cybersecurity challenges of the Department of Defense.''
  In its first pilot, hackers identified over 130 unique 
vulnerabilities, exceeding the Defense Department's expectations so 
much that it announced plans to expand the program to all of its more 
than 700 websites.
  Both the vulnerability disclosure process and the bounty pilot 
program are designed to complement persistent network scans currently 
done by the Department of Homeland Security and other cybersecurity 
activities undertaken by the Department of State.
  As a national security Department, the State Department must do more 
to secure its networks. The Hack Your State Department Act is a small 
but important step to bring cost-effective solutions commonly used in 
the private sector to bear in support of this goal.
  Mr. Speaker, I reserve the balance of my time.
  Mr. ENGEL. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of this measure.
  Mr. Speaker, I thank Representative Lieu of southern California, a 
very valued member of the Committee on Foreign Affairs, for his hard 
work on this bill.
  It is important, Mr. Speaker, that we modernize our agencies across 
government to better deal with 21st century challenges.
  The State Department is under constant threat of cyberattacks from 
foreign actors bent on stealing our secrets, disrupting our foreign 
policy, and undermining our security.
  Just 8 days ago, it was reported that the State Department's email 
system was breached. This time, whoever was behind the attack got ahold 
of private information about State Department personnel. Who knows what 
they will get their hands on next time.
  Mr. Lieu's bill will help shore up the State Department against this 
sort of intrusion. First of all, it requires the Secretary of State to 
get out ahead of this problem. Instead of waiting for the next attack 
to happen, this bill would mandate a plan for researchers to actively 
seek out and report vulnerabilities.
  Secondly, this bill launches a new initiative, a so-called bug bounty 
program. This seeks to tap the expertise of everyday Americans by 
rewarding citizens who uncover and report security risks in the 
Department's computer system. It will also allow security researchers 
and friendly hackers to find the cracks in the system so that the 
Department can patch them.
  This effort is modeled after a very successful program at the Defense 
Department, which got off the ground in 2016. Since then, 1,400 people 
have registered to participate, and they have found roughly 140 
vulnerabilities.
  Our Federal agencies should learn from one another. It is just common 
sense to put this tested practice to work at the State Department and 
elsewhere.
  Mr. Speaker, I commend Mr. Lieu. I am glad to support this bill, and 
I reserve the balance of my time.
  Ms. ROS-LEHTINEN. Mr. Speaker, I reserve the balance of my time.
  Mr. ENGEL. Mr. Speaker, it is my pleasure to yield 5 minutes to the 
gentleman from California (Mr. Ted Lieu), the author of the bill.
  Mr. TED LIEU of California. Mr. Speaker, I thank Representative Engel 
for yielding.
  Mr. Speaker, I rise today in support of my legislation, H.R. 5433, 
the Hack Your State Department Act, that I co-authored with my friend, 
Ted Yoho of Florida.

  Over the years, the State Department has faced mounting cybersecurity 
threats from both criminal enterprises and state-sponsored hackers. In 
2014, for instance, the Department was infiltrated by Russian hackers 
and had to temporarily shut down its email system.
  Just last week, the State Department suffered another cybersecurity 
breach that exposed the personal information of a number of its 
employees.
  As an agency with a critical national security role, we must do more 
to protect the State Department's cybersecurity. If there is any doubt 
that diplomatic cables cannot be sent to Washington securely or if 
sensitive diplomatic subjects are revealed, it jeopardizes the whole 
operation.
  As a recovering computer science major, I recognize that there are 
proven tools at our disposal to improve cybersecurity that the 
Department has yet to adopt. One such tool is to enlist the help of 
America's top security researchers to find weaknesses in our 
cybersecurity. This legislation will bring that tool to the State 
Department after it has been proven successful in both the private 
sector, as well as at the Pentagon.
  My legislation will do two things. The first step of this bill is to 
establish what is called a vulnerability disclosure process, which sets 
clear rules of the road so that, when people outside the Department 
discover vulnerabilities on Department systems, they can report it in a 
safe, secure, and legal manner with the confidence that the Department 
will actually fix the problems.

                              {time}  2245

  We cannot afford to allow vulnerabilities discovered in the wild 
remain known to hackers but unknown to the Department. This should be 
an easy fix.
  The second step is to actually pay vetted white-hat hackers to find 
vulnerabilities. The Department of Defense proved the success of their 
bug

[[Page H8880]]

bounty program back in 2016. Over a 24-day period, the Pentagon learned 
of and fixed over 138 vulnerabilities in its systems.
  A 2017 report to the President on Federal IT modernization stated: 
``Agencies must take a layered approach to penetration testing. . . . 
At a bare minimum, agencies should establish vulnerability disclosure 
policies. . . . Agencies should also identify programs that are 
appropriate to place under public bug bounty programs such as those run 
by the Department of Defense or GSA.''
  Today, with H.R. 5433, the House of Representatives is taking these 
recommendations to heart and helping to improve cybersecurity at the 
Department of State.
  Mr. Speaker, I would like to thank Representative Yoho for partnering 
with me on this important legislation. I would like to thank Chairman 
Royce, Ranking Member Engel, and their staff for moving this bill 
through our committee.
  Ms. ROS-LEHTINEN. I continue to reserve the balance of my time, Mr. 
Speaker.
  Mr. ENGEL. Mr. Speaker, I am prepared to close.
  In closing, I want to again thank Mr. Lieu and Chairman Royce.
  It seems to me, Mr. Speaker, that we have been caught flatfooted 
before a range of new threats, including cyber attacks. Our agencies 
have not done enough to root out vulnerabilities, and, frankly, 
Congress hasn't done enough either to make sure our agencies across the 
government have the tools they need to tackle these challenges.
  I hope going forward we will be able to take a comprehensive look at 
cyber threats and make sure the State Department, and all our 
departments and agencies, are up to the task.
  For now, this bill is a good step in the right direction. It 
replicates an approach that has worked well over the last few years.
  Mr. Speaker, I urge all Members to support it, and I yield back the 
balance of my time.
  Ms. ROS-LEHTINEN. Mr. Speaker, I yield myself such time as I may 
consume.
  Mr. Speaker, in closing, I would like to thank my colleagues--Ted 
Lieu, a hardworking member of our Foreign Affairs Committee, and Ted 
Yoho, chairman of the Subcommittee on Asia and the Pacific--for 
crafting this bipartisan legislation.
  By unleashing the expertise of patriotic hackers, this bill will help 
the State Department identify and patch vulnerabilities on its computer 
systems.
  The Hack Your State Department Act takes an innovative approach to 
improving network security at a Department that is in such desperate 
need of new solutions and improved capabilities.
  Mr. Speaker, I urge passage of this bipartisan bill, and I yield back 
the balance of my time.
  Ms. JACKSON LEE. Mr. Speaker, I rise today in support of H.R. 5433, 
the ``Hack Your State Department Act''.
  This act would direct the State Department to establish what is known 
in the cybersecurity community as a `bug bounty' program.
  Bug bounty programs, also known as Vulnerability Disclosure Programs, 
are comprehensive efforts by an organization to lay out the method by 
which members of the public may report any security vulnerabilities to 
an entity.
  They also lay out which of their resources are covered by this 
policy, and how any identified vulnerabilities will be addressed.
  At a time when the computer networks of our government are under 
constant attack, and have suffered serious breaches in recent years, we 
must take action to ensure that the information of our citizens and the 
ability of federal agencies to carry out their duties are resilient.
  As a long-time advocate of a government that works efficiently for 
the people, it is clear that current information security practices of 
federal agencies, including the State Department, must evolve to keep 
pace with improved standards and policies.
  Without an honest effort to seek awareness of the security of the 
State Department network, users, and devices, we will continue to be 
increasingly vulnerable.
  To that end, H.R. 5433 recognizes the importance of a dynamic 
approach that will help secure federal networks and data, beginning 
with the State Department, as well as provide improved information on 
vulnerabilities and security practices across the various agencies.
  Without codifying this concrete measure to improve awareness of 
federal network security at the State Department, this important agency 
will remain vulnerable.
  We have seen an unfortunate loss of cybersecurity talent at the State 
Department this year.
  Further, even despite this, the White House has eliminated the 
position of Cybersecurity Coordinator from the National Security 
Council.
  This occurred even after Federal Risk Determination Reports found 
that communication of threat information within agencies is also 
inconsistent, with only 59 percent of agencies reporting a capability 
to share threat information to all employees within an enterprise so 
they have the knowledge necessary to block attacks.
  Federal agencies are not taking advantage of all available 
information such as threat intelligence, incident data, and network 
traffic flow to improve situational awareness regarding systems at risk 
and to prioritize investments.
  For this reason, earlier this Congress, I introduced H.R. 3202, the 
``Cyber Vulnerability Disclosure Reporting Act'', which was passed by 
the full House and is now in the Senate.
  H.R. 3202 requires the Secretary of Homeland Security to submit a 
report on the policies and procedures developed for coordinating cyber 
vulnerability disclosures.
  The report will include an annex with information on instances in 
which cyber security vulnerability disclosure policies and procedures 
were used to disclose details on identified weaknesses in computing 
systems or digital devices at risk.
  The report will provide information on the degree to which the 
information provided by DHS was used by industry and other 
stakeholders.
  I would also like to recognize the University of Houston, which has 
been recognized by the Department of Homeland Security and the National 
Security Agency as a Center of Academic Excellence for the programs in 
cybersecurity and cyber defense.
  In closing, Mr. Speaker, I urge all members to join me in voting to 
pass H.R. 5433, the ``Hack Your State Department Act''.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from Florida (Ms. Ros-Lehtinen) that the House suspend the 
rules and pass the bill, H.R. 5433, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________