[House Report 115-964]
[From the U.S. Government Publishing Office]

115th Congress, 2d Session          HOUSE OF REPRESENTATIVES          Report 115-964

======================================================================

HACK THE DEPARTMENT OF HOMELAND SECURITY ACT OF 2018

_______

September 25, 2018.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed

_______

Mr. McCaul, from the Committee on Homeland Security, submitted the following

R E P O R T

[To accompany S. 1281]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security, to whom was referred the Act (S. 1281) to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes, having considered the same, report favorably thereon with an amendment and recommend that the Act as amended do pass.

CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

The amendment is as follows:

Strike all after the enacting clause and insert the following:

SECTION 1. SHORT TITLE.

This Act may be cited as the ``Hack the Department of Homeland Security Act of 2018'' or the ``Hack DHS Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.

(a) Definitions.--In this section:

    (1) Bug bounty program.--The term ``bug bounty program'' means a program under which--
        (A) individuals, organizations, and companies are temporarily authorized to identify and report vulnerabilities of appropriate information systems of the Department; and
        (B) eligible individuals, organizations, and companies receive compensation in exchange for such reports.
    (2) Department.--The term ``Department'' means the Department of Homeland Security.
    (3) Eligible individual, organization, or company.--The term ``eligible individual, organization, or company'' means an individual, organization, or company that meets such criteria as the Secretary determines in order to receive compensation in compliance with Federal laws.
    (4) Information system.--The term ``information system'' has the meaning given that term by section 3502 of title 44, United States Code.
    (5) Pilot program.--The term ``pilot program'' means the bug bounty pilot program required to be established under subsection (b)(1).
    (6) Secretary.--The term ``Secretary'' means the Secretary of Homeland Security.

(b) Establishment of Pilot Program.--

    (1) In general.--Not later than 180 days after the date of enactment of this Act, the Secretary shall establish, within the Office of the Chief Information Officer, a bug bounty pilot program to minimize vulnerabilities of appropriate information systems of the Department.
    (2) Requirements.--In establishing and conducting the pilot program, the Secretary shall--
        (A) designate appropriate information systems to be included in the pilot program;
        (B) provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under subparagraph (A);
        (C) establish criteria for individuals, organizations, and companies to be considered eligible for compensation under the pilot program in compliance with Federal laws;
        (D) consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law, and civil lawsuits for specific activities authorized under the pilot program;
        (E) consult with the Secretary of Defense and the heads of other departments and agencies that have implemented programs to provide compensation for reports of previously undisclosed vulnerabilities in information systems, regarding lessons that may be applied from such programs; and
        (F) develop an expeditious process by which an individual, organization, or company can register with the Department, submit to a background check as determined by the Department, and receive a determination as to eligibility; and
        (G) engage qualified interested persons, including non-government sector representatives, about the structure of the pilot program as constructive and to the extent practicable.
    (3) Contract.--In establishing the pilot program, the Secretary, subject to the availability of appropriations, may award one or more competitive contracts to an entity, as necessary, to manage the pilot program.
(c) Report.--Not later than 180 days after the date on which the pilot program is completed, the Secretary of Homeland Security shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on the pilot program, which shall include--

    (1) the number of individuals, organizations, or companies that participated in the pilot program, broken down by the number of individuals, organizations, or companies that--
        (A) registered;
        (B) were determined eligible;
        (C) submitted security vulnerabilities; and
        (D) received compensation;
    (2) the number and severity of vulnerabilities reported as part of the pilot program;
    (3) the number of previously unidentified security vulnerabilities remediated as a result of the pilot program;
    (4) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;
    (5) the average length of time between the reporting of security vulnerabilities and remediation of the vulnerabilities;
    (6) the types of compensation provided under the pilot program; and
    (7) the lessons learned from the pilot program.

(d) Authorization of Appropriations.--There are authorized to be appropriated to the Department $250,000 for fiscal year 2019 to carry out this Act.

PURPOSE AND SUMMARY

S. 1281, the Hack the Department of Homeland Security Act of 2018, directs the Department of Homeland Security to establish a bug bounty pilot program within 180 days of enactment. To be located within the Office of the Chief Information Officer, the bug bounty program would allow participants to probe the appropriate information systems, as identified by the Department, to identify vulnerabilities. The pilot program authorizes the Secretary to provide compensation for reports of previously unidentified security vulnerabilities.
The bill addresses possible security concerns by directing the Secretary to designate appropriate information systems that should be included in the program. Additionally, the bill directs the Secretary to consult with the Attorney General to ensure program participants that comply with the requirements of the pilot program are protected from prosecution, and to develop a background check process for eligible program participants. The bill requires the Department to submit a report to Congress, within 180 days of completion of the program, providing an overview of the pilot program.

BACKGROUND AND NEED FOR LEGISLATION

A bug bounty program entails using white hat hackers to probe government systems looking for vulnerabilities and compensating any individual who may find one. The Department of Defense has been forward leaning on utilizing this tool, having run a pilot from April 18, 2016 to May 12, 2016 through its Defense Digital Services. Hosted by HackerOne, it included 1,410 participants who yielded 1,189 reports, the first of which came within 13 minutes. The entire cost of the `Hack the Pentagon pilot' was $150,000, with about half going to the hackers themselves. Furthermore, the GSA launched a pilot program in August of 2017.

The White House has encouraged Federal Agencies to create bug bounty programs. The 2017 Report on Federal IT Modernization identifies bug bounty programs as useful tools for providing visibility into Federal systems.
In particular, bug bounty programs were highlighted ``as a tool to expand visibility beyond the network level to provide security teams with other information feeds, which they can use to better understand, process, and triage information security events and possible incidents.''

HEARINGS

While the Committee did not hold any hearings on S. 1281 directly, the following hearings addressed this issue:

March 9, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``The Current State of DHS Private Sector Engagement for Cybersecurity''

March 22, 2017--Full Committee: ``A Borderless Battle: Defending Against Cyber Threats''

March 28, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``The Current State of DHS' Efforts to Secure Federal Networks''

October 3, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``Examining DHS' Cybersecurity Mission''

November 15, 2017--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``Maximizing the Value of Cyber Threat Information Sharing''

July 11, 2018--Full Committee: ``DHS's Progress in Securing Election Systems and Other Critical Infrastructure''

July 25, 2018--Cybersecurity, Infrastructure Protection and Security Subcommittee: ``Assessing the State of Federal Cybersecurity Risk Determination''

COMMITTEE CONSIDERATION

The Committee met on September 13, 2018, to consider S. 1281, and ordered the measure to be reported to the House with a favorable recommendation, amended, by unanimous consent. The following amendments were offered:

An en bloc amendment offered by Mr. Langevin (#1E); was AGREED TO by unanimous consent.
Consisting of the following amendments:

This amendment defines:

Bug Bounty Program as: (A) individuals, organizations, and companies are temporarily authorized to identify and report vulnerabilities of appropriate information systems of the Department; and (B) eligible individuals, organizations, and companies receive compensation in exchange for such reports.

Defines Eligible Individual, Organization, or Company as: ``an individual, organization, or company that meets such criteria as the Secretary determines in order to receive compensation in compliance with Federal laws.''

Defines Information System as: ``the meaning given that term by section 3502 of title 44, United States Code.''

Page 3, beginning at line 5, strike ``Internet-facing information technology'' and insert ``appropriate information systems''.

Page 3, line 7, after ``establishing'' insert ``and conducting''.

Page 3, beginning at line 9, strike subparagraphs (A), (B), and (C) and insert the following:

    (A) designate appropriate information systems to be included in the pilot program;
    (B) provide compensation to eligible individuals, organizations, and companies for reports of previously unidentified security vulnerabilities within the information systems designated under subparagraph (A);
    (C) establish criteria for individuals, organizations, and companies to be considered eligible for compensation under the pilot program in compliance with Federal laws;

Page 4, beginning at line 5, strike subparagraph (E) and insert a new subparagraph (E).

Page 4, after line 20, inserts information on the Secretary's ability to award contracts and makes technical changes.

COMMITTEE VOTES

Clause 3(b) of rule XIII of the Rules of the House of Representatives requires the Committee to list the recorded votes on the motion to report legislation and amendments thereto. No recorded votes were requested during consideration of S. 1281.
COMMITTEE OVERSIGHT FINDINGS

Pursuant to clause 3(c)(1) of rule XIII of the Rules of the House of Representatives, the Committee has held oversight hearings and made findings that are reflected in this report.

NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

In compliance with clause 3(c)(2) of rule XIII of the Rules of the House of Representatives, the Committee finds that S. 1281, the Hack DHS Act, would result in no new or increased budget authority, entitlement authority, or tax expenditures or revenues.

CONGRESSIONAL BUDGET OFFICE ESTIMATE

The Committee adopts as its own the cost estimate prepared by the Director of the Congressional Budget Office pursuant to section 402 of the Congressional Budget Act of 1974.

U.S. Congress,
Congressional Budget Office,
Washington, DC, September 20, 2018.

Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 1281, the Hack DHS Act.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Mark Grabowicz.

Sincerely,
Keith Hall, Director.

Enclosure.

S. 1281--Hack DHS Act

S. 1281 would direct the Department of Homeland Security to establish a pilot program to improve the security of the department's information technology systems. The act would authorize the appropriation of $250,000 for fiscal year 2019 for the pilot program. Assuming appropriation of that amount, CBO estimates that implementing S. 1281 would cost $250,000.

Enacting the legislation would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

CBO estimates that enacting S. 1281 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

S. 1281 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.
On October 20, 2017, CBO transmitted a cost estimate for S. 1281 as ordered reported by the Senate Committee on Homeland Security and Governmental Affairs on October 4, 2017. CBO's estimates of the budgetary effects of the two versions of the legislation are the same.

The CBO staff contact for this estimate is Mark Grabowicz. The estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

Pursuant to clause 3(c)(4) of rule XIII of the Rules of the House of Representatives, S. 1281 contains the following general performance goals and objectives, including outcome related goals and objectives authorized.

S. 1281 requires the Secretary of Homeland Security to establish a bug bounty pilot program within 180 days of enactment and to provide the House and Senate Homeland Security Committees a report on the effectiveness of the pilot program.

DUPLICATIVE FEDERAL PROGRAMS

Pursuant to clause 3(c) of rule XIII, the Committee finds that S. 1281 does not contain any provision that establishes or reauthorizes a program known to be duplicative of another Federal program.

CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF BENEFITS

In compliance with rule XXI of the Rules of the House of Representatives, this bill, as reported, contains no congressional earmarks, limited tax benefits, or limited tariff benefits as defined in clause 9(e), 9(f), or 9(g) of rule XXI.

FEDERAL MANDATES STATEMENT

The Committee adopts as its own the estimate of Federal mandates prepared by the Director of the Congressional Budget Office pursuant to section 423 of the Unfunded Mandates Reform Act.
PREEMPTION CLARIFICATION

In compliance with section 423 of the Congressional Budget Act of 1974, requiring the report of any Committee on a bill or joint resolution to include a statement on the extent to which the bill or joint resolution is intended to preempt State, local, or Tribal law, the Committee finds that S. 1281 does not preempt any State, local, or Tribal law.

DISCLOSURE OF DIRECTED RULE MAKINGS

The Committee estimates that S. 1281 would require no directed rule makings.

ADVISORY COMMITTEE STATEMENT

No advisory committees within the meaning of section 5(b) of the Federal Advisory Committee Act were created by this legislation.

APPLICABILITY TO LEGISLATIVE BRANCH

The Committee finds that the legislation does not relate to the terms and conditions of employment or access to public services or accommodations within the meaning of section 102(b)(3) of the Congressional Accountability Act.

SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

This section specifies that this Act may be cited as the ``Hack the Department of Homeland Security Act of 2018,'' or the ``Hack DHS Act.''

Sec. 2. Department of Homeland Security Bug Bounty Pilot Program

Section 2(a) provides definitions for the following terms: ``bug bounty program,'' ``Department,'' ``information technology,'' ``pilot program,'' and ``Secretary.''

Section 2(b) instructs the Secretary of Homeland Security to establish a bug bounty pilot program at DHS within 180 days of the bill's enactment.
In establishing the pilot program, the Secretary will: designate which information systems will be included in the program; provide compensation for eligible individuals, organizations, and companies for reporting vulnerabilities within eligible information systems; establish criteria to be considered eligible for compensation; seek advice from the Attorney General regarding how to ensure approved participants are protected from prosecution and civil lawsuits for approved activities within the pilot program; confer with DOD officials on lessons learned from previously implemented programs to provide compensation for reporting unknown vulnerabilities in information systems; develop a vetting process for individuals, organizations, or companies; and engage public and private sector experts on the structure of the pilot program and lessons learned. The Department is authorized to award one or more contracts to manage the pilot program.

Section 2(c) requires the Secretary to submit a report to the Senate Homeland Security and Governmental Affairs Committee and the House of Representatives Committee on Homeland Security within 90 days of the completion of the pilot program. The report shall include a number of data points to assist Congress in assessing the pilot program's effectiveness, including, but not limited to: the number of pilot program participants that registered, were deemed eligible, submitted vulnerabilities, and received compensation; the quantity and severity of vulnerabilities identified; the number of unidentified vulnerabilities that were patched as a result of the pilot program; the number of vulnerabilities that have yet to be patched and the Department's plans to do so; how long it takes to report the vulnerability and to patch the vulnerability; the types of compensation provided for discovering undisclosed security vulnerabilities; and any lessons learned.
The Committee intends for the Department to decide the value of vulnerabilities found, and to offer monetary or other forms of compensation reasonably proportional to the value of the previously unidentified security vulnerability.

Section 2(d) authorizes $250,000 to be appropriated to DHS for fiscal year 2019 to carry out the pilot program.

CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

As reported, S. 1281 makes no changes to existing law.