[Congressional Record Volume 165, Number 13 (Tuesday, January 22, 2019)]
[House]
[Pages H979-H981]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                     HACK YOUR STATE DEPARTMENT ACT

  Mr. ENGEL. Mr. Speaker, I move to suspend the rules and pass the bill 
(H.R. 328) to require the Secretary of State to design and establish a 
Vulnerability Disclosure Process (VDP) to improve Department of State 
cybersecurity and a bug bounty program to identify and report 
vulnerabilities of internet-facing information technology of the 
Department of State, and for other purposes.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                                H.R. 328

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Hack Your State Department 
     Act''.

     SEC. 2. DEFINITIONS.

       In this Act:
       (1) Bug bounty program.--The term ``bug bounty program'' 
     means a program under which an approved individual, 
     organization, or company is temporarily authorized to 
     identify and report vulnerabilities of internet-facing 
     information technology of the Department in exchange for 
     compensation.
       (2) Department.--The term ``Department'' means the 
     Department of State.
       (3) Information technology.--The term ``information 
     technology'' has the meaning given such term in section 11101 
     of title 40, United States Code.
       (4) Secretary.--The term ``Secretary'' means the Secretary 
     of State.

     SEC. 3. DEPARTMENT OF STATE VULNERABILITY DISCLOSURE PROCESS.

       (a) In General.--Not later than 180 days after the date of 
     the enactment of this Act, the Secretary shall design, 
     establish, and make publicly known a Vulnerability Disclosure 
     Process (VDP) to improve Department cybersecurity by--
       (1) providing security researchers with clear guidelines 
     for--
       (A) conducting vulnerability discovery activities directed 
     at Department information technology; and
       (B) submitting discovered security vulnerabilities to the 
     Department; and
       (2) creating Department procedures and infrastructure to 
     receive and fix discovered vulnerabilities.
       (b) Requirements.--In establishing the VDP pursuant to 
     paragraph (1), the Secretary shall--
       (1) identify which Department information technology should 
     be included in the process;
       (2) determine whether the process should differentiate 
     among and specify the types of security vulnerabilities that 
     may be targeted;
       (3) provide a readily available means of reporting 
     discovered security vulnerabilities and the form in which 
     such vulnerabilities should be reported;
       (4) identify which Department offices and positions will be 
     responsible for receiving, prioritizing, and addressing 
     security vulnerability disclosure reports;
       (5) consult with the Attorney General regarding how to 
     ensure that individuals, organizations, and companies that 
     comply with the requirements of the process are protected 
     from prosecution under section 1030 of title 18, United 
     States Code, and similar provisions of law for specific 
     activities authorized under the process;
       (6) consult with the relevant offices at the Department of 
     Defense that were responsible for launching the 2016 
     Vulnerability Disclosure Program, ``Hack the Pentagon'', and 
     subsequent Department of Defense bug bounty programs;
       (7) engage qualified interested persons, including 
     nongovernmental sector representatives, about the structure 
     of the process as constructive and to the extent practicable; 
     and
       (8) award contracts to entities, as necessary, to manage 
     the process and implement the remediation of discovered 
     security vulnerabilities.
       (c) Annual Reports.--Not later than 180 days after the 
     establishment of the VDP under subsection (a) and annually 
     thereafter for the next six years, the Secretary of State 
     shall submit to the Committee on Foreign Affairs of the House 
     of Representatives and the Committee on Foreign Relations of 
     the Senate a report on the VDP, including information 
     relating to the following:
       (1) The number and severity, in accordance with the 
     National Vulnerabilities Database of the National Institute 
     of Standards and Technology, of security vulnerabilities 
     reported.
       (2) The number of previously unidentified security 
     vulnerabilities remediated as a result.
       (3) The current number of outstanding previously 
     unidentified security vulnerabilities and Department of State 
     remediation plans.

[[Page H980]]

       (4) The average length of time between the reporting of 
     security vulnerabilities and remediation of such 
     vulnerabilities.
       (5) The resources, surge staffing, roles, and 
     responsibilities within the Department used to implement the 
     VDP and complete security vulnerability remediation.
       (6) Any other information the Secretary determines 
     relevant.

     SEC. 4. DEPARTMENT OF STATE BUG BOUNTY PILOT PROGRAM.

       (a) Establishment of Pilot Program.--
       (1) In general.--Not later than one year after the date of 
     the enactment of this Act, the Secretary shall establish a 
     bug bounty pilot program to minimize security vulnerabilities 
     of internet-facing information technology of the Department.
       (2) Requirements.--In establishing the pilot program 
     described in paragraph (1), the Secretary shall--
       (A) provide compensation for reports of previously 
     unidentified security vulnerabilities within the websites, 
     applications, and other internet-facing information 
     technology of the Department that are accessible to the 
     public;
       (B) award contracts to entities, as necessary, to manage 
     such pilot program and for executing the remediation of 
     security vulnerabilities identified pursuant to subparagraph 
     (A);
       (C) identify which Department information technology should 
     be included in such pilot program;
       (D) consult with the Attorney General on how to ensure that 
     individuals, organizations, or companies that comply with the 
     requirements of such pilot program are protected from 
     prosecution under section 1030 of title 18, United States 
     Code, and similar provisions of law for specific activities 
     authorized under such pilot program;
       (E) consult with the relevant offices at the Department of 
     Defense that were responsible for launching the 2016 ``Hack 
     the Pentagon'' pilot program and subsequent Department of 
     Defense bug bounty programs;
       (F) develop a process by which an approved individual, 
     organization, or company can register with the entity 
     referred to in subparagraph (B), submit to a background check 
     as determined by the Department, and receive a determination 
     as to eligibility for participation in such pilot program;
       (G) engage qualified interested persons, including 
     nongovernmental sector representatives, about the structure 
     of such pilot program as constructive and to the extent 
     practicable; and
       (H) consult with relevant United States Government 
     officials to ensure that such pilot program complements 
     persistent network and vulnerability scans of the Department 
     of State's internet-accessible systems, such as the scans 
     conducted pursuant to Binding Operational Directive BOD-15-
     01.
       (3) Duration.--The pilot program established under 
     paragraph (1) should be short-term in duration and not last 
     longer than one year.
       (b) Report.--Not later than 180 days after the date on 
     which the bug bounty pilot program under subsection (a) is 
     completed, the Secretary shall submit to the Committee on 
     Foreign Relations of the Senate and the Committee on Foreign 
     Affairs of the House of Representatives a report on such 
     pilot program, including information relating to--
       (1) the number of approved individuals, organizations, or 
     companies involved in such pilot program, broken down by the 
     number of approved individuals, organizations, or companies 
     that--
       (A) registered;
       (B) were approved;
       (C) submitted security vulnerabilities; and
       (D) received compensation;
       (2) the number and severity, in accordance with the 
     National Vulnerabilities Database of the National Institute 
     of Standards and Technology, of security vulnerabilities 
     reported as part of such pilot program;
       (3) the number of previously unidentified security 
     vulnerabilities remediated as a result of such pilot program;
       (4) the current number of outstanding previously 
     unidentified security vulnerabilities and Department 
     remediation plans;
       (5) the average length of time between the reporting of 
     security vulnerabilities and remediation of such 
     vulnerabilities;
       (6) the types of compensation provided under such pilot 
     program; and
       (7) the lessons learned from such pilot program.
  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from New 
York (Mr. Engel) and the gentleman from Texas (Mr. McCaul) each will 
control 20 minutes.
  The Chair recognizes the gentleman from New York.


                             General Leave

  Mr. ENGEL. Mr. Speaker, I ask unanimous consent that all Members have 
5 legislative days in which to revise and extend their remarks and 
include extraneous material on H.R. 328, the Hack Your State Department 
Act.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from New York?
  There was no objection.
  Mr. ENGEL. Mr. Speaker, I yield myself such time as I might consume.
  Mr. Speaker, let me start by thanking Representative Lieu, a valued 
member of the Committee on Foreign Affairs, for his hard work on this 
bill and on everything else.
  This important legislation passed the House in the last Congress with 
strong bipartisan support, and I certainly support passing it again.
  Mr. Speaker, it is critical that we modernize our government to 
better deal with 21st century challenges. The State Department is under 
the constant threat of cyberattack from foreign actors bent on stealing 
our secrets, disrupting our foreign policy, and undermining our 
security.
  Mr. Lieu's bill will help shore up the State Department against this 
sort of intrusion.
  First, it requires the Secretary of State to get out ahead of this 
problem. Instead of waiting for the next attack to happen, this bill 
would mandate a plan for researchers to actively seek out and report 
vulnerabilities.
  Secondly, this bill launches a new initiative, the so-called ``bug 
bounty program.'' This seeks to tap the expertise of everyday Americans 
by rewarding citizens who uncover and report security risks in the 
Department's computer system. It will allow security researchers and 
friendly hackers to find the cracks in the system so that the 
Department can patch them.
  This effort is modeled after a successful program at the Defense 
Department, which got off the ground in 2016. Since then, 1,400 people 
have registered to participate, and they have found roughly 140 
vulnerabilities.
  Our Federal agencies should learn from one another. It is just common 
sense to put this tested practice to work at the State Department and 
elsewhere.
  Mr. Speaker, I am very glad to support this bill, and I reserve the 
balance of my time.
  Mr. McCAUL. Mr. Speaker, I yield myself as much time as I may 
consume.
  Mr. Speaker, I rise in support of the Hack Your State Department Act, 
which will help address lingering cybersecurity gaps at the Department 
of State.
  The massive breach of the State Department's unclassified computer 
network in 2014 exposed grave weaknesses.
  In the years since that attack, problems have continued to mount. The 
Department's cybersecurity response program received a ``D'' rating, 
the lowest of any agency, on its Federal Information Security 
Management Act report card in 2017.
  Last September, the Department revealed that it recently suffered a 
breach of its unclassified email system, which exposed the personal 
information of some of its employees.
  The Department needs cost-effective solutions to these IT security 
challenges.
  Today's legislation directs the Secretary of State to develop and 
implement a vulnerability disclosure process that will allow threat 
researchers from the private sector to identify and report 
cybersecurity flaws.
  Currently, there is no legal avenue that allows them to do so. This 
bill fixes that problem.
  The bill will establish a ``bug bounty'' pilot program to reward 
ethical hackers for discovering and reporting vulnerabilities at the 
Department.
  These programs have been used successfully by the Defense Department 
and numerous private companies to improve their cyber defenses at 
minimal cost. In fact, I remember introducing a similar bill for the 
Department of Homeland Security.
  As a national security agency, the State Department must do more to 
secure its networks. The Hack Your State Department Act is a small but 
important step towards cost-effective solutions.
  Mr. Speaker, I want to thank the author, Mr. Lieu, for putting his 
computer science background to work here in the Congress, and he 
understands, I believe, the nature of the threats that we face in the 
cyber realm and the importance of a strong cybersecurity partnership 
between the public and the private sectors.
  Mr. Speaker, I urge support, and I reserve the balance of my time.
  Mr. ENGEL. Mr. Speaker, I yield 4 minutes to the gentleman from 
California (Mr. Ted Lieu), the author of this bill and a very honored 
member of the Foreign Affairs Committee.
  Mr. TED LIEU of California. Mr. Speaker, I thank Ranking Member

[[Page H981]]

McCaul for his support of this legislation and I thank Chairman Engel 
for his leadership of the House Foreign Affairs Committee.
  Mr. Speaker, I rise in support of my legislation, H.R. 328, which 
will strengthen cybersecurity at the State Department. This legislation 
is known as the Hack Your State Department Act. It is introduced with 
my colleague, Ted Yoho of Florida, and has received strong bipartisan 
support, and that is because there is no such thing as Republican 
cybersecurity or Democratic cybersecurity; it is just cybersecurity, 
and we are behind.
  American institutions are under constant attack from criminals, from 
foreign intelligence services, and from everyday hackers. That is why 
last term, I was very honored to have introduced legislation known as 
the Hack DHS Act, along with Senators Maggie Hassan, Rob Portman, 
Kamala Harris, and Congressman Scott Taylor. That legislation was 
signed into law last month.
  This legislation focuses on the State Department. It is something 
that we need to do, because we know that the State Department over the 
years has faced mounting cybersecurity threats from both criminal 
enterprises and state-sponsored hackers.
  In 2014, for instance, the Department was infiltrated by Russian 
hackers and had to temporarily shut down its email system.
  Last year, the State Department suffered another breach of its email 
system, exposing the personal information of a number of its employees.
  As a recovering computer science major, I recognize there are 
improvement tools at our disposal to improve cybersecurity that the 
State Department has not yet adopted, and one such tool is exactly what 
this bill will do.

                              {time}  1730

  This bill does primarily two things. The first is to establish what 
is called a vulnerability disclosure process, which sets clear rules of 
the road so, when people outside the Department discover 
vulnerabilities on Department systems, they can report it in a safe, 
secure, and legal manner, with the confidence that the State Department 
will actually fix the problems. We cannot afford to allow 
vulnerabilities discovered in the wild remain known to hackers but 
unknown to the Department. This should be an easy fix.
  The second step is to actually pay vetted, white hat hackers to find 
vulnerabilities. The Department of Defense proved the success of the 
bug bounty program back in 2016. Over a 24-day period, the Pentagon 
learned of and fixed over 138 vulnerabilities in its systems. The DHS 
is now also going to start this very same program. Hopefully, the State 
Department will be able to do this, as well, when this legislation is 
signed into law.
  Let me conclude by saying that, today, with H.R. 328, the House of 
Representatives is taking these recommendations to heart and helping to 
improve cybersecurity at the Department of State.
  Mr. McCAUL. Mr. Speaker, I yield myself such time as I may consume.
  In closing, I want to again thank the author, Mr. Lieu, and his 
primary sponsor, Mr. Yoho, for this creative effort to harness private-
sector know-how to improve cyber defenses at the Department of State.
  As the gentleman, Mr. Lieu, indicated, I moved this very same 
legislation when I was chairman of the Homeland Security Committee for 
the Department of Homeland Security, and I believe it is working very 
effectively. The Department of Defense has done the same thing. Now it 
is time for the Department of State to take on this challenge as well.
  Mr. Speaker, I support this bill, and I yield back the balance of my 
time.
  Mr. ENGEL. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I again want to thank Mr. Lieu for this important piece 
of legislation.
  It seems to me, Mr. Speaker, that we have been caught flat-footed 
before a range of new threats, including cyberattacks. Our agencies 
haven't done enough to root out vulnerabilities, and, frankly, Congress 
hasn't done enough to make sure that our government agencies have the 
tools they need to tackle these challenges.
  As we head into the 116th Congress, I will be leading the Foreign 
Affairs Committee in focusing on this. We will be taking a 
comprehensive look at cyber threats to make sure the State Department 
and all our departments and agencies are properly equipped to handle 
this challenge. For now, this bill is an important step in the right 
direction.
  Mr. Speaker, I urge all Members to support the measure before us, and 
I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from New York (Mr. Engel) that the House suspend the rules 
and pass the bill, H.R. 328.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. ENGEL. Mr. Speaker, on that I demand the yeas and nays.
  The yeas and nays were ordered.
  The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further 
proceedings on this motion will be postponed.

                          ____________________