Congressional Record, Volume 165 Issue 13 (Tuesday, January 22, 2019)

[Congressional Record Volume 165, Number 13 (Tuesday, January 22, 2019)]
[House]
[Pages H979-H981]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

HACK YOUR STATE DEPARTMENT ACT

Mr. ENGEL. Mr. Speaker, I move to suspend the rules and pass the bill
(H.R. 328) to require the Secretary of State to design and establish a
Vulnerability Disclosure Process (VDP) to improve Department of State
cybersecurity and a bug bounty program to identify and report
vulnerabilities of internet-facing information technology of the
Department of State, and for other purposes.
The Clerk read the title of the bill.
The text of the bill is as follows:

H.R. 328

Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Hack Your State Department
Act''.

SEC. 2. DEFINITIONS.

In this Act:
(1) Bug bounty program.--The term ``bug bounty program''
means a program under which an approved individual,
organization, or company is temporarily authorized to
identify and report vulnerabilities of internet-facing
information technology of the Department in exchange for
compensation.
(2) Department.--The term ``Department'' means the
Department of State.
(3) Information technology.--The term ``information
technology'' has the meaning given such term in section 11101
of title 40, United States Code.
(4) Secretary.--The term ``Secretary'' means the Secretary
of State.

SEC. 3. DEPARTMENT OF STATE VULNERABILITY DISCLOSURE PROCESS.

(a) In General.--Not later than 180 days after the date of
the enactment of this Act, the Secretary shall design,
establish, and make publicly known a Vulnerability Disclosure
Process (VDP) to improve Department cybersecurity by--
(1) providing security researchers with clear guidelines
for--
(A) conducting vulnerability discovery activities directed
at Department information technology; and
(B) submitting discovered security vulnerabilities to the
Department; and
(2) creating Department procedures and infrastructure to
receive and fix discovered vulnerabilities.
(b) Requirements.--In establishing the VDP pursuant to
paragraph (1), the Secretary shall--
(1) identify which Department information technology should
be included in the process;
(2) determine whether the process should differentiate
among and specify the types of security vulnerabilities that
may be targeted;
(3) provide a readily available means of reporting
discovered security vulnerabilities and the form in which
such vulnerabilities should be reported;
(4) identify which Department offices and positions will be
responsible for receiving, prioritizing, and addressing
security vulnerability disclosure reports;
(5) consult with the Attorney General regarding how to
ensure that individuals, organizations, and companies that
comply with the requirements of the process are protected
from prosecution under section 1030 of title 18, United
States Code, and similar provisions of law for specific
activities authorized under the process;
(6) consult with the relevant offices at the Department of
Defense that were responsible for launching the 2016
Vulnerability Disclosure Program, ``Hack the Pentagon'', and
subsequent Department of Defense bug bounty programs;
(7) engage qualified interested persons, including
nongovernmental sector representatives, about the structure
of the process as constructive and to the extent practicable;
and
(8) award contracts to entities, as necessary, to manage
the process and implement the remediation of discovered
security vulnerabilities.
(c) Annual Reports.--Not later than 180 days after the
establishment of the VDP under subsection (a) and annually
thereafter for the next six years, the Secretary of State
shall submit to the Committee on Foreign Affairs of the House
of Representatives and the Committee on Foreign Relations of
the Senate a report on the VDP, including information
relating to the following:
(1) The number and severity, in accordance with the
National Vulnerabilities Database of the National Institute
of Standards and Technology, of security vulnerabilities
reported.
(2) The number of previously unidentified security
vulnerabilities remediated as a result.
(3) The current number of outstanding previously
unidentified security vulnerabilities and Department of State
remediation plans.

[[Page H980]]

(4) The average length of time between the reporting of
security vulnerabilities and remediation of such
vulnerabilities.
(5) The resources, surge staffing, roles, and
responsibilities within the Department used to implement the
VDP and complete security vulnerability remediation.
(6) Any other information the Secretary determines
relevant.

SEC. 4. DEPARTMENT OF STATE BUG BOUNTY PILOT PROGRAM.

(a) Establishment of Pilot Program.--
(1) In general.--Not later than one year after the date of
the enactment of this Act, the Secretary shall establish a
bug bounty pilot program to minimize security vulnerabilities
of internet-facing information technology of the Department.
(2) Requirements.--In establishing the pilot program
described in paragraph (1), the Secretary shall--
(A) provide compensation for reports of previously
unidentified security vulnerabilities within the websites,
applications, and other internet-facing information
technology of the Department that are accessible to the
public;
(B) award contracts to entities, as necessary, to manage
such pilot program and for executing the remediation of
security vulnerabilities identified pursuant to subparagraph
(A);
(C) identify which Department information technology should
be included in such pilot program;
(D) consult with the Attorney General on how to ensure that
individuals, organizations, or companies that comply with the
requirements of such pilot program are protected from
prosecution under section 1030 of title 18, United States
Code, and similar provisions of law for specific activities
authorized under such pilot program;
(E) consult with the relevant offices at the Department of
Defense that were responsible for launching the 2016 ``Hack
the Pentagon'' pilot program and subsequent Department of
Defense bug bounty programs;
(F) develop a process by which an approved individual,
organization, or company can register with the entity
referred to in subparagraph (B), submit to a background check
as determined by the Department, and receive a determination
as to eligibility for participation in such pilot program;
(G) engage qualified interested persons, including
nongovernmental sector representatives, about the structure
of such pilot program as constructive and to the extent
practicable; and
(H) consult with relevant United States Government
officials to ensure that such pilot program complements
persistent network and vulnerability scans of the Department
of State's internet-accessible systems, such as the scans
conducted pursuant to Binding Operational Directive BOD-15-
01.
(3) Duration.--The pilot program established under
paragraph (1) should be short-term in duration and not last
longer than one year.
(b) Report.--Not later than 180 days after the date on
which the bug bounty pilot program under subsection (a) is
completed, the Secretary shall submit to the Committee on
Foreign Relations of the Senate and the Committee on Foreign
Affairs of the House of Representatives a report on such
pilot program, including information relating to--
(1) the number of approved individuals, organizations, or
companies involved in such pilot program, broken down by the
number of approved individuals, organizations, or companies
that--
(A) registered;
(B) were approved;
(C) submitted security vulnerabilities; and
(D) received compensation;
(2) the number and severity, in accordance with the
National Vulnerabilities Database of the National Institute
of Standards and Technology, of security vulnerabilities
reported as part of such pilot program;
(3) the number of previously unidentified security
vulnerabilities remediated as a result of such pilot program;
(4) the current number of outstanding previously
unidentified security vulnerabilities and Department
remediation plans;
(5) the average length of time between the reporting of
security vulnerabilities and remediation of such
vulnerabilities;
(6) the types of compensation provided under such pilot
program; and
(7) the lessons learned from such pilot program.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from New
York (Mr. Engel) and the gentleman from Texas (Mr. McCaul) each will
control 20 minutes.
The Chair recognizes the gentleman from New York.

General Leave

Mr. ENGEL. Mr. Speaker, I ask unanimous consent that all Members have
5 legislative days in which to revise and extend their remarks and
include extraneous material on H.R. 328, the Hack Your State Department
Act.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from New York?
There was no objection.
Mr. ENGEL. Mr. Speaker, I yield myself such time as I might consume.
Mr. Speaker, let me start by thanking Representative Lieu, a valued
member of the Committee on Foreign Affairs, for his hard work on this
bill and on everything else.
This important legislation passed the House in the last Congress with
strong bipartisan support, and I certainly support passing it again.
Mr. Speaker, it is critical that we modernize our government to
better deal with 21st century challenges. The State Department is under
the constant threat of cyberattack from foreign actors bent on stealing
our secrets, disrupting our foreign policy, and undermining our
security.
Mr. Lieu's bill will help shore up the State Department against this
sort of intrusion.
First, it requires the Secretary of State to get out ahead of this
problem. Instead of waiting for the next attack to happen, this bill
would mandate a plan for researchers to actively seek out and report
vulnerabilities.
Secondly, this bill launches a new initiative, the so-called ``bug
bounty program.'' This seeks to tap the expertise of everyday Americans
by rewarding citizens who uncover and report security risks in the
Department's computer system. It will allow security researchers and
friendly hackers to find the cracks in the system so that the
Department can patch them.
This effort is modeled after a successful program at the Defense
Department, which got off the ground in 2016. Since then, 1,400 people
have registered to participate, and they have found roughly 140
vulnerabilities.
Our Federal agencies should learn from one another. It is just common
sense to put this tested practice to work at the State Department and
elsewhere.
Mr. Speaker, I am very glad to support this bill, and I reserve the
balance of my time.
Mr. McCAUL. Mr. Speaker, I yield myself as much time as I may
consume.
Mr. Speaker, I rise in support of the Hack Your State Department Act,
which will help address lingering cybersecurity gaps at the Department
of State.
The massive breach of the State Department's unclassified computer
network in 2014 exposed grave weaknesses.
In the years since that attack, problems have continued to mount. The
Department's cybersecurity response program received a ``D'' rating,
the lowest of any agency, on its Federal Information Security
Management Act report card in 2017.
Last September, the Department revealed that it recently suffered a
breach of its unclassified email system, which exposed the personal
information of some of its employees.
The Department needs cost-effective solutions to these IT security
challenges.
Today's legislation directs the Secretary of State to develop and
implement a vulnerability disclosure process that will allow threat
researchers from the private sector to identify and report
cybersecurity flaws.
Currently, there is no legal avenue that allows them to do so. This
bill fixes that problem.
The bill will establish a ``bug bounty'' pilot program to reward
ethical hackers for discovering and reporting vulnerabilities at the
Department.
These programs have been used successfully by the Defense Department
and numerous private companies to improve their cyber defenses at
minimal cost. In fact, I remember introducing a similar bill for the
Department of Homeland Security.
As a national security agency, the State Department must do more to
secure its networks. The Hack Your State Department Act is a small but
important step towards cost-effective solutions.
Mr. Speaker, I want to thank the author, Mr. Lieu, for putting his
computer science background to work here in the Congress, and he
understands, I believe, the nature of the threats that we face in the
cyber realm and the importance of a strong cybersecurity partnership
between the public and the private sectors.
Mr. Speaker, I urge support, and I reserve the balance of my time.
Mr. ENGEL. Mr. Speaker, I yield 4 minutes to the gentleman from
California (Mr. Ted Lieu), the author of this bill and a very honored
member of the Foreign Affairs Committee.
Mr. TED LIEU of California. Mr. Speaker, I thank Ranking Member

[[Page H981]]

McCaul for his support of this legislation and I thank Chairman Engel
for his leadership of the House Foreign Affairs Committee.
Mr. Speaker, I rise in support of my legislation, H.R. 328, which
will strengthen cybersecurity at the State Department. This legislation
is known as the Hack Your State Department Act. It is introduced with
my colleague, Ted Yoho of Florida, and has received strong bipartisan
support, and that is because there is no such thing as Republican
cybersecurity or Democratic cybersecurity; it is just cybersecurity,
and we are behind.
American institutions are under constant attack from criminals, from
foreign intelligence services, and from everyday hackers. That is why
last term, I was very honored to have introduced legislation known as
the Hack DHS Act, along with Senators Maggie Hassan, Rob Portman,
Kamala Harris, and Congressman Scott Taylor. That legislation was
signed into law last month.
This legislation focuses on the State Department. It is something
that we need to do, because we know that the State Department over the
years has faced mounting cybersecurity threats from both criminal
enterprises and state-sponsored hackers.
In 2014, for instance, the Department was infiltrated by Russian
hackers and had to temporarily shut down its email system.
Last year, the State Department suffered another breach of its email
system, exposing the personal information of a number of its employees.
As a recovering computer science major, I recognize there are
improvement tools at our disposal to improve cybersecurity that the
State Department has not yet adopted, and one such tool is exactly what
this bill will do.

{time} 1730

This bill does primarily two things. The first is to establish what
is called a vulnerability disclosure process, which sets clear rules of
the road so, when people outside the Department discover
vulnerabilities on Department systems, they can report it in a safe,
secure, and legal manner, with the confidence that the State Department
will actually fix the problems. We cannot afford to allow
vulnerabilities discovered in the wild remain known to hackers but
unknown to the Department. This should be an easy fix.
The second step is to actually pay vetted, white hat hackers to find
vulnerabilities. The Department of Defense proved the success of the
bug bounty program back in 2016. Over a 24-day period, the Pentagon
learned of and fixed over 138 vulnerabilities in its systems. The DHS
is now also going to start this very same program. Hopefully, the State
Department will be able to do this, as well, when this legislation is
signed into law.
Let me conclude by saying that, today, with H.R. 328, the House of
Representatives is taking these recommendations to heart and helping to
improve cybersecurity at the Department of State.
Mr. McCAUL. Mr. Speaker, I yield myself such time as I may consume.
In closing, I want to again thank the author, Mr. Lieu, and his
primary sponsor, Mr. Yoho, for this creative effort to harness private-
sector know-how to improve cyber defenses at the Department of State.
As the gentleman, Mr. Lieu, indicated, I moved this very same
legislation when I was chairman of the Homeland Security Committee for
the Department of Homeland Security, and I believe it is working very
effectively. The Department of Defense has done the same thing. Now it
is time for the Department of State to take on this challenge as well.
Mr. Speaker, I support this bill, and I yield back the balance of my
time.
Mr. ENGEL. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I again want to thank Mr. Lieu for this important piece
of legislation.
It seems to me, Mr. Speaker, that we have been caught flat-footed
before a range of new threats, including cyberattacks. Our agencies
haven't done enough to root out vulnerabilities, and, frankly, Congress
hasn't done enough to make sure that our government agencies have the
tools they need to tackle these challenges.
As we head into the 116th Congress, I will be leading the Foreign
Affairs Committee in focusing on this. We will be taking a
comprehensive look at cyber threats to make sure the State Department
and all our departments and agencies are properly equipped to handle
this challenge. For now, this bill is an important step in the right
direction.
Mr. Speaker, I urge all Members to support the measure before us, and
I yield back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from New York (Mr. Engel) that the House suspend the rules
and pass the bill, H.R. 328.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. ENGEL. Mr. Speaker, on that I demand the yeas and nays.
The yeas and nays were ordered.
The SPEAKER pro tempore. Pursuant to clause 8 of rule XX, further
proceedings on this motion will be postponed.

____________________