[House Report 115-964]
[From the U.S. Government Publishing Office]


115th Congress    }                                   {         Report
                        HOUSE OF REPRESENTATIVES
 2d Session       }                                   {        115-964

======================================================================



 
          HACK THE DEPARTMENT OF HOMELAND SECURITY ACT OF 2018

                                _______
                                

 September 25, 2018.--Committed to the Committee of the Whole House on 
            the State of the Union and ordered to be printed

                                _______
                                

  Mr. McCaul, from the Committee on Homeland Security, submitted the 
                               following

                              R E P O R T

                         [To accompany S. 1281]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security, to whom was referred 
the Act (S. 1281) to establish a bug bounty pilot program 
within the Department of Homeland Security, and for other 
purposes, having considered the same, report favorably thereon 
with an amendment and recommend that the Act as amended do 
pass.

                                CONTENTS

Purpose and Summary
Background and Need for Legislation
Hearings
Committee Consideration
Committee Votes
Committee Oversight Findings
New Budget Authority, Entitlement Authority, and Tax Expenditures
Congressional Budget Office Estimate
Statement of General Performance Goals and Objectives
Duplicative Federal Programs
Congressional Earmarks, Limited Tax Benefits, and Limited Tariff 
  Benefits
Federal Mandates Statement
Preemption Clarification
Disclosure of Directed Rule Makings
Advisory Committee Statement
Applicability to Legislative Branch
Section-by-Section Analysis of the Legislation
Changes in Existing Law Made by the Bill, as Reported

    The amendment is as follows:
  Strike all after the enacting clause and insert the 
following:

SECTION 1. SHORT TITLE.

  This Act may be cited as the ``Hack the Department of Homeland 
Security Act of 2018'' or the ``Hack DHS Act''.

SEC. 2. DEPARTMENT OF HOMELAND SECURITY BUG BOUNTY PILOT PROGRAM.

  (a) Definitions.--In this section:
          (1) Bug bounty program.--The term ``bug bounty program'' 
        means a program under which--
                  (A) individuals, organizations, and companies are 
                temporarily authorized to identify and report 
                vulnerabilities of appropriate information systems of 
                the Department; and
                  (B) eligible individuals, organizations, and 
                companies receive compensation in exchange for such 
                reports.
          (2) Department.--The term ``Department'' means the Department 
        of Homeland Security.
          (3) Eligible individual, organization, or company.--The term 
        ``eligible individual, organization, or company'' means an 
        individual, organization, or company that meets such criteria 
        as the Secretary determines in order to receive compensation in 
        compliance with Federal laws.
          (4) Information system.--The term ``information system'' has 
        the meaning given that term by section 3502 of title 44, United 
        States Code.
          (5) Pilot program.--The term ``pilot program'' means the bug 
        bounty pilot program required to be established under 
        subsection (b)(1).
          (6) Secretary.--The term ``Secretary'' means the Secretary of 
        Homeland Security.
  (b) Establishment of Pilot Program.--
          (1) In general.--Not later than 180 days after the date of 
        enactment of this Act, the Secretary shall establish, within 
        the Office of the Chief Information Officer, a bug bounty pilot 
        program to minimize vulnerabilities of appropriate information 
        systems of the Department.
          (2) Requirements.--In establishing and conducting the pilot 
        program, the Secretary shall--
                  (A) designate appropriate information systems to be 
                included in the pilot program;
                  (B) provide compensation to eligible individuals, 
                organizations, and companies for reports of previously 
                unidentified security vulnerabilities within the 
                information systems designated under subparagraph (A);
                  (C) establish criteria for individuals, 
                organizations, and companies to be considered eligible 
                for compensation under the pilot program in compliance 
                with Federal laws;
                  (D) consult with the Attorney General on how to 
                ensure that approved individuals, organizations, or 
                companies that comply with the requirements of the 
                pilot program are protected from prosecution under 
                section 1030 of title 18, United States Code, and 
                similar provisions of law, and civil lawsuits for 
                specific activities authorized under the pilot program;
                  (E) consult with the Secretary of Defense and the 
                heads of other departments and agencies that have 
                implemented programs to provide compensation for 
                reports of previously undisclosed vulnerabilities in 
                information systems, regarding lessons that may be 
                applied from such programs; and
                  (F) develop an expeditious process by which an 
                individual, organization, or company can register with 
                the Department, submit to a background check as 
                determined by the Department, and receive a 
                determination as to eligibility; and
                  (G) engage qualified interested persons, including 
                non-government sector representatives, about the 
                structure of the pilot program as constructive and to 
                the extent practicable.
          (3) Contract.--In establishing the pilot program, the 
        Secretary, subject to the availability of appropriations, may 
        award one or more competitive contracts to an entity, as 
        necessary, to manage the pilot program.
  (c) Report.--Not later than 180 days after the date on which the 
pilot program is completed, the Secretary of Homeland Security shall 
submit to the Committee on Homeland Security and Governmental Affairs 
of the Senate and the Committee on Homeland Security of the House of 
Representatives a report on the pilot program, which shall include--
          (1) the number of individuals, organizations, or companies 
        that participated in the pilot program, broken down by the 
        number of individuals, organizations, or companies that--
                  (A) registered;
                  (B) were determined eligible;
                  (C) submitted security vulnerabilities; and
                  (D) received compensation;
          (2) the number and severity of vulnerabilities reported as 
        part of the pilot program;
          (3) the number of previously unidentified security 
        vulnerabilities remediated as a result of the pilot program;
          (4) the current number of outstanding previously unidentified 
        security vulnerabilities and Department remediation plans;
          (5) the average length of time between the reporting of 
        security vulnerabilities and remediation of the 
        vulnerabilities;
          (6) the types of compensation provided under the pilot 
        program; and
          (7) the lessons learned from the pilot program.
  (d) Authorization of Appropriations.--There are authorized to be 
appropriated to the Department $250,000 for fiscal year 2019 to carry 
out this Act.

                           PURPOSE AND SUMMARY

    S. 1281, the Hack the Department of Homeland Security Act 
of 2018, directs the Department of Homeland Security to 
establish a bug bounty pilot program within 180 days of 
enactment. To be located within the Office of the Chief 
Information Officer, the bug bounty program would allow 
participants to probe the appropriate information systems, as 
identified by the Department, to identify vulnerabilities. The 
pilot program authorizes the Secretary to provide compensation 
for reports of previously unidentified security 
vulnerabilities.
    The bill addresses possible security concerns by directing 
the Secretary to designate the appropriate information systems 
that are to be included in the program. Additionally, the bill 
directs the Secretary to consult with the Attorney General to 
ensure that program participants who comply with the requirements 
of the pilot program are protected from prosecution, and to 
develop a background check process for eligible program 
participants. The bill requires the Department to submit to 
Congress, within 180 days of the completion of the program, a 
report providing an overview of the pilot program.

                  BACKGROUND AND NEED FOR LEGISLATION

    A bug bounty program entails using white hat hackers to 
probe government systems for vulnerabilities and compensating 
any individual who finds one. The Department of Defense has 
been forward-leaning in using this tool, having run a pilot 
from April 18, 2016 to May 12, 2016 through its Defense Digital 
Services. Hosted by HackerOne, it included 1,410 participants 
who yielded 1,189 reports, the first of which came within 13 
minutes. The entire cost of the `Hack the Pentagon pilot' was 
$150,000, with about half going to the hackers themselves. 
Furthermore, the GSA launched a pilot program in August of 
2017.
    The White House has encouraged Federal agencies to create 
bug bounty programs. The 2017 Report on Federal IT 
Modernization identifies bug bounty programs as useful tools 
for providing visibility into Federal systems. In particular, 
bug bounty programs were highlighted ``as a tool to expand 
visibility beyond the network level to provide security teams 
with other information feeds, which they can use to better 
understand, process, and triage information security events and 
possible incidents.''

                                HEARINGS

    While the Committee did not hold any hearings on S. 1281 
directly, the following hearings addressed this issue:
          March 9, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``The Current 
        State of DHS Private Sector Engagement for 
        Cybersecurity''
          March 22, 2017--Full Committee: ``A Borderless 
        Battle: Defending Against Cyber Threats''
          March 28, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``The Current 
        State of DHS' Efforts to Secure Federal Networks''
          October 3, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``Examining DHS' 
        Cybersecurity Mission''
          November 15, 2017--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``Maximizing the 
        Value of Cyber Threat Information Sharing''
          July 11, 2018--Full Committee: ``DHS's Progress in 
        Securing Election Systems and Other Critical 
        Infrastructure''
          July 25, 2018--Cybersecurity, Infrastructure 
        Protection and Security Subcommittee: ``Assessing the 
        State of Federal Cybersecurity Risk Determination''

                        COMMITTEE CONSIDERATION

    The Committee met on September 13, 2018, to consider S. 
1281, and ordered the measure to be reported to the House with 
a favorable recommendation, amended, by unanimous consent.
    The following amendments were offered:

An en bloc amendment offered by Mr. Langevin (#1E); was AGREED 
TO by unanimous consent.
    Consisting of the following amendments:
    This amendment defines ``Bug Bounty Program'' as a program 
under which: (A) individuals, organizations, and companies are 
temporarily authorized to identify and report vulnerabilities of 
appropriate information systems of the Department; and (B) 
eligible individuals, organizations, and companies receive 
compensation in exchange for such reports.
    Defines ``Eligible Individual, Organization, or Company'' as: 
``an individual, organization, or company that meets such 
criteria as the Secretary determines in order to receive 
compensation in compliance with Federal laws.''
    Defines ``Information System'' as having: ``the meaning given 
that term by section 3502 of title 44, United States Code.''
    Page 3, beginning at line 5, strike ``Internet-facing 
information technology'' and insert ``appropriate information 
systems''.
    Page 3, line 7, after ``establishing'' insert ``and 
conducting''.
    Page 3, beginning at line 9, strike subparagraphs (A), (B), 
and (C) and insert the following:
          (A) designate appropriate information systems to be 
        included in the pilot program;
          (B) provide compensation to eligible individuals, 
        organizations, and companies for reports of previously 
        unidentified security vulnerabilities within the 
        information systems designated under subparagraph (A);
          (C) establish criteria for individuals, 
        organizations, and companies to be considered eligible 
        for compensation under the pilot program in compliance 
        with Federal laws;
    Page 4, beginning at line 5, strike subparagraph (E) and 
insert a new subparagraph (E).
    Page 4, after line 20, inserts information on the 
Secretary's ability to award contracts and makes technical 
changes.

                            COMMITTEE VOTES

    Clause 3(b) of rule XIII of the Rules of the House of 
Representatives requires the Committee to list the recorded 
votes on the motion to report legislation and amendments 
thereto. No recorded votes were requested during consideration 
of S. 1281.

                      COMMITTEE OVERSIGHT FINDINGS

    Pursuant to clause 3(c)(1) of rule XIII of the Rules of the 
House of Representatives, the Committee has held oversight 
hearings and made findings that are reflected in this report.

   NEW BUDGET AUTHORITY, ENTITLEMENT AUTHORITY, AND TAX EXPENDITURES

    In compliance with clause 3(c)(2) of rule XIII of the Rules 
of the House of Representatives, the Committee finds that S. 
1281, the Hack DHS Act, would result in no new or increased 
budget authority, entitlement authority, or tax expenditures or 
revenues.

                  CONGRESSIONAL BUDGET OFFICE ESTIMATE

    The Committee adopts as its own the cost estimate prepared 
by the Director of the Congressional Budget Office pursuant to 
section 402 of the Congressional Budget Act of 1974.
                                     U.S. Congress,
                               Congressional Budget Office,
                                Washington, DC, September 20, 2018.
Hon. Michael McCaul,
Chairman, Committee on Homeland Security,
House of Representatives, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 1281, the Hack DHS 
Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

S. 1281--Hack DHS Act

    S. 1281 would direct the Department of Homeland Security to 
establish a pilot program to improve the security of the 
department's information technology systems. The act would 
authorize the appropriation of $250,000 for fiscal year 2019 
for the pilot program. Assuming appropriation of that amount, 
CBO estimates that implementing S. 1281 would cost $250,000.
    Enacting the legislation would not affect direct spending 
or revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting S. 1281 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    S. 1281 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    On October 20, 2017, CBO transmitted a cost estimate for S. 
1281 as ordered reported by the Senate Committee on Homeland 
Security and Governmental Affairs on October 4, 2017. CBO's 
estimates of the budgetary effects of the two versions of the 
legislation are the same.
    The CBO staff contact for this estimate is Mark Grabowicz. 
The estimate was reviewed by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

         STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES

    Pursuant to clause 3(c)(4) of rule XIII of the Rules of the 
House of Representatives, S. 1281 contains the following 
general performance goals and objectives, including the 
outcome-related goals and objectives authorized.
    S. 1281 requires the Secretary of Homeland Security to 
establish a bug bounty pilot program within 180 days of 
enactment and to provide House and Senate Homeland Security 
Committees a report on the effectiveness of the pilot program.

                      DUPLICATIVE FEDERAL PROGRAMS

    Pursuant to clause 3(c) of rule XIII, the Committee finds 
that S. 1281 does not contain any provision that establishes or 
reauthorizes a program known to be duplicative of another 
Federal program.

   CONGRESSIONAL EARMARKS, LIMITED TAX BENEFITS, AND LIMITED TARIFF 
                                BENEFITS

    In compliance with rule XXI of the Rules of the House of 
Representatives, this bill, as reported, contains no 
congressional earmarks, limited tax benefits, or limited tariff 
benefits as defined in clause 9(e), 9(f), or 9(g) of rule 
XXI.

                       FEDERAL MANDATES STATEMENT

    The Committee adopts as its own the estimate of Federal 
mandates prepared by the Director of the Congressional Budget 
Office pursuant to section 423 of the Unfunded Mandates Reform 
Act.

                        PREEMPTION CLARIFICATION

    In compliance with section 423 of the Congressional Budget 
Act of 1974, requiring the report of any Committee on a bill or 
joint resolution to include a statement on the extent to which 
the bill or joint resolution is intended to preempt State, 
local, or Tribal law, the Committee finds that S. 1281 does not 
preempt any State, local, or Tribal law.

                  DISCLOSURE OF DIRECTED RULE MAKINGS

    The Committee estimates that S. 1281 would require no 
directed rule makings.

                      ADVISORY COMMITTEE STATEMENT

    No advisory committees within the meaning of section 5(b) 
of the Federal Advisory Committee Act were created by this 
legislation.

                  APPLICABILITY TO LEGISLATIVE BRANCH

    The Committee finds that the legislation does not relate to 
the terms and conditions of employment or access to public 
services or accommodations within the meaning of section 
102(b)(3) of the Congressional Accountability Act.

             SECTION-BY-SECTION ANALYSIS OF THE LEGISLATION

Section 1. Short title

    This section specifies that this Act may be cited as the 
``Hack the Department of Homeland Security Act of 2018,'' or 
the ``Hack DHS Act.''

Sec. 2. Department of Homeland Security Bug Bounty Pilot Program

    Section 2(a) provides definitions for the following terms: 
``bug bounty program,'' ``Department,'' ``information 
technology,'' ``pilot program,'' and ``Secretary.''
    Section 2(b) instructs the Secretary of Homeland Security 
to establish a bug bounty pilot program at DHS within 180 days 
of the bill's enactment. In establishing the pilot program, the 
Secretary will: designate which information systems will be 
included in the program; provide compensation for eligible 
individuals, organizations and companies for reporting 
vulnerabilities within eligible information systems; establish 
criteria to be considered eligible for compensation; seek 
advice from the Attorney General regarding how to ensure 
approved participants are protected from prosecution and civil 
lawsuits for approved activities within the pilot program; 
confer with DOD officials on lessons learned from previously 
implemented programs to provide compensation for reporting 
unknown vulnerabilities in information systems; develop a 
vetting process for individuals, organizations, or companies; 
and engage public and private sector experts on the structure 
of the pilot program and lessons learned. The Department is 
authorized to award one or more contracts to manage the pilot 
program.
    Section 2(c) requires the Secretary to submit a report to 
the Senate Homeland Security and Governmental Affairs Committee 
and the House of Representatives Committee on Homeland Security 
within 90 days of the completion of the pilot program. The 
report shall include a number of data points to assist Congress 
in assessing the pilot program's effectiveness, including, but 
not limited to: the number of pilot program participants that 
registered, were deemed eligible, submitted vulnerabilities, 
and received compensation; the quantity and severity of 
vulnerabilities identified; the number of previously unidentified 
vulnerabilities that were patched as a result of the pilot 
program; the number of vulnerabilities that have yet to be 
patched and the Department's plans to do so; the average time 
between the reporting of a vulnerability and its remediation; the 
types of compensation provided for discovering undisclosed 
security vulnerabilities; and any lessons learned. The 
Committee intends for the Department to decide the value of 
vulnerabilities found, and offer monetary or other forms of 
compensation reasonably proportional to the value of the 
previously unidentified security vulnerability.
    Section 2(d) authorizes $250,000 to be appropriated to DHS 
for fiscal year 2019 to carry out the pilot program.

         CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    As reported, S. 1281 makes no changes to existing law.