[Senate Report 115-209]
[From the U.S. Government Publishing Office]
Calendar No. 335
115th Congress } { Report
SENATE
2d Session } { 115-209
_______________________________________________________________________
HACK THE DEPARTMENT OF HOMELAND
SECURITY ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 1281
TO ESTABLISH A BUG BOUNTY PILOT PROGRAM
WITHIN THE DEPARTMENT OF HOMELAND SECURITY, AND FOR OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
February 26, 2018.--Ordered to be printed
______
U.S. GOVERNMENT PUBLISHING OFFICE
79-010 WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota KAMALA D. HARRIS, California
STEVE DAINES, Montana DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Colleen E. Berny, Research Assistant
Maurice R. Turner, Fellow
Margaret E. Daum, Minority Staff Director
Stacia M. Cardille, Minority Chief Counsel
Charles A. Moskowitz, Minority Senior Legislative Counsel
Julie G. Klein, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Calendar No. 335
115th Congress } { Report
SENATE
2d Session } { 115-209
======================================================================
HACK THE DEPARTMENT OF HOMELAND SECURITY ACT
_______
February 26, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 1281]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 1281), to establish
a bug bounty pilot program within the Department of Homeland
Security, and for other purposes, reports favorably thereon
with an amendment and recommends that the bill, as amended, do
pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and Need for the Legislation..........................2
III. Legislative History..............................................5
IV. Section-by-Section Analysis......................................6
V. Evaluation of Regulatory Impact..................................6
VI. Congressional Budget Office Cost Estimate........................7
VII. Changes in Existing Law Made by the Bill, as Reported............7
I. PURPOSE AND SUMMARY
S. 1281, the Hack the Department of Homeland Security Act
of 2017, or the Hack DHS Act, directs the Secretary of Homeland
Security (Secretary) to establish a bug bounty pilot program at
the Department of Homeland Security (DHS or the Department) to
enhance the Department's cybersecurity by minimizing
vulnerabilities to public-facing information technology.
The bill also requires the Secretary to ensure compensation
is awarded to participants for identifying undisclosed
vulnerabilities during the pilot program, and to award
contracts to manage the pilot program and patch
vulnerabilities, among other things. Lastly, the bill requires
the Secretary to submit a report to Congress on the pilot
program and its findings.
II. BACKGROUND AND THE NEED FOR LEGISLATION
In early 2017, then-Secretary John Kelly stated that
``[c]yber threats present a tremendous danger to our American
way of life. The consequences of these digital threats are no
less significant than threats in the physical world.''\1\ One
report found that, in 2016, just one anti-virus software
company blocked over 229,000 web attacks every day.\2\ In
addition, ``[m]ore than three-quarters (76 percent) of scanned
websites in 2016 contained vulnerabilities, nine percent of
which were deemed critical.''\3\ Bug bounty programs can
identify these types of vulnerabilities before they are
exploited, and have proven beneficial in both the public and
private sectors.
---------------------------------------------------------------------------
\1\Press Release, Dep't of Homeland Sec., Home and Away: DHS and
the Threats to America (Apr. 18, 2017), https://www.dhs.gov/news/2017/
04/18/home-and-away-dhs-and-threats-america. Remarks delivered by
Secretary Kelly at George Washington University Center for Cyber and
Homeland Security.
\2\Symantec Corp., Internet Security Threat Report, 7 (2017),
https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-
2017-en.pdf.
\3\Id.
---------------------------------------------------------------------------
Private sector bug bounty programs
Although bug bounty programs vary in composition,
incentives, and purpose, generally speaking a bug bounty
program provides incentives to participants to identify
vulnerabilities in an information technology program or system.
Individuals, organizations, or companies are incentivized
through various forms of payouts or non-monetary compensation
to detect new and valid vulnerabilities on information
technology and systems. Some examples of rewards include
recognition, cash, and gifts.\4\ Bug bounty programs have been
used by the private sector for over 20 years; however, their
use has rapidly increased in recent years.\5\ According to one
company's report tracking bug bounty programs, there have been
``three times more enterprise bug bounty programs launched in
the past year than the previous three years combined.''\6\ In
addition, since 2016, the average monetary payout has increased
by 53 percent, averaging $451.\7\ Between 2016 and 2017,
hundreds of private and public bug bounty programs have
identified over 52,000 valid vulnerabilities, a high watermark,
and critical vulnerabilities identification increased by 25
percent.\8\
---------------------------------------------------------------------------
\4\Id.
\5\Bugcrowd, The Adoption of Bug Bounties in the Financial Services
Industry, Bugcrowd Industry Report 1 (2016), https://
pages.bugcrowd.com/hubfs/PDFs/Financial-Services-
Spotlight.pdf?t=1507846659848.
\6\Bugcrowd, 2017 State of Bug Bounty Report (2017), https://
pages.bugcrowd.com/hubfs/Bugcrowd-2017-State-of-Bug-Bounty-Report.pdf
(quoting an excerpt from the Executive Summary).
\7\Id.
\8\Id.
---------------------------------------------------------------------------
Bug bounties have helped the private sector increase
security. For example, Microsoft has utilized bug bounty
programs since 2013.\9\ According to Microsoft, ``[t]hese
bounty programs help Microsoft harness the collective
intelligence and capabilities of security researchers to help
protect customers.''\10\ In 2016, Microsoft launched a bug
bounty program for Windows, with monetary awards ranging from
$500 to $250,000.\11\ Microsoft currently has nine active bug
bounty programs.\12\
---------------------------------------------------------------------------
\9\Microsoft Bounty Programs, Microsoft Security TechCenter,
https://technet.microsoft.com/en-us/security/dn425036 (last visited
Nov. 7, 2017).
\10\Id.
\11\Emil Protalinski, Microsoft Launches Windows Bug Bounty Program
with Rewards Ranging from $500 to $250,000, Venture Beat (July 26,
2017), https://venturebeat.com/2017/07/26/microsoft-launches-windows-
bug-bounty-program-with-rewards-ranging-from-500-to-250000.
\12\Microsoft Bounty Programs, supra note 9.
---------------------------------------------------------------------------
Public sector bug bounty programs
On March 2, 2016, the Department of Defense (DOD) announced
the ``Hack the Pentagon'' initiative, the Federal Government's
first bug bounty pilot program.\13\ The bug bounty program was
modeled after private sector programs and intended ``to improve
the security and delivery of networks, products, and digital
services.''\14\ The pilot program ran from April 18, 2016,
until May 12, 2016, and cost $150,000.\15\ During the pilot
program, out of more than 1,400 invited participants, 250
submitted vulnerability reports and 138 were deemed
``legitimate, unique and eligible for a bounty.''\16\ On
October 20, 2016, the DOD announced a ``Hack the Pentagon''
follow-up initiative.\17\
---------------------------------------------------------------------------
\13\Press Release, Dep't of Defense, Statement by Pentagon Press
Secretary Peter Cook on DoD's ``Hack the Pentagon'' Cybersecurity
Initiative (Mar. 2, 2016), https://www.defense.gov/News/News-Releases/
News-Release-View/Article/684106/statement-by-pentagon-press-secretary-
peter-cook-on-dods-hack-the-pentagon-cybe.
\14\Id.
\15\Lisa Ferdinando, Carter Announces `Hack the Pentagon' Program
Results, Dep't of Defense (June 17, 2016), https://www.defense.gov/
News/Article/Article/802828/carter-announces-hack-the-pentagon-program-
results.
\16\Id.
\17\Shannon Collins, DOD Announces `Hack the Pentagon' Follow-Up
Initiative, Dep't of Defense (Oct. 20, 2016), https://www.defense.gov/
News/Article/Article/981160/dod-announces-hack-the-pentagon-follow-up-
initiative.
---------------------------------------------------------------------------
After the DOD's Hack the Pentagon's success, on November
11, 2016, the Secretary of the Army announced its own ``Hack
the Army'' bug bounty program, which targeted the Army's
operationally-significant websites.\18\ The bug bounty program
ran from November 30, 2016, to December 21, 2016.\19\ Overall,
participants submitted 416 reports, with 118 being deemed
``unique and actionable.''\20\ The estimated total amount paid
to the hackers that identified vulnerabilities was
approximately $100,000.\21\
---------------------------------------------------------------------------
\18\Maj. Christopher Ophardt, Army Secretary Issues Challenge with
`Hack the Army' Program, U.S. Army (Nov. 21, 2016), https://
www.army.mil/article/178473/
army_secretary_issues_challenge_with_hack_the_army_program.
\19\Hack the Army Results Are In, HackerOne (Jan. 19, 2017),
https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In.
\20\Id.
\21\Id.
---------------------------------------------------------------------------
On April 26, 2017, the Air Force announced the ``Hack the
Air Force'' bug bounty program.\22\ The program ran from May
30, 2017, until June 23, 2017, with more than 270
participants.\23\ Overall, 207 ``valid vulnerabilities'' were
identified, and participants that identified vulnerabilities
were collectively awarded more than $130,000.\24\
---------------------------------------------------------------------------
\22\Press Release, Dep't of Defense, Air Force Issues Challenge to
``Hack the Air Force'' (Apr. 26, 2017), https://www.defense.gov/News/
News-Releases/News-Release-View/Article/1164012/air-force-issues-
challenge-to-hack-the-air-force.
\23\Rusty Frank, Hack the Air Force Results Released, U.S. Air
Force (Aug. 10, 2017), http://www.af.mil/News/Article-Display/Article/
1274518/hack-the-air-force-results-released.
\24\Id.
---------------------------------------------------------------------------
On May 9, 2017, the General Services Administration (GSA)
established the first public bug bounty program run at a non-
military agency.\25\ This bug bounty was developed in the same
vein as the DOD programs, but runs on an on-going basis.\26\
Since its announcement, GSA has identified and resolved 41
vulnerabilities, and paid out $12,600 in bounties ranging from
$150 to $2,000.\27\
---------------------------------------------------------------------------
\25\Omid Ghaffari-Tabrizi, Waldo Jaquith and Eric Mill, The next
step towards a bug bounty program for the Technology Transformation
Service, 18F Digital Service Agency, Government Service Administration,
(May 11, 2017), https://18f.gsa.gov/2017/05/11/the-next-steps-towards-
bug-bounty-program-for-technology-transformation-service/.
\26\Id.
\27\TTS Bug Bounty: The First Civilian Agency Public Bug Bounty
Program, HackerOne, https://hackerone.com/tts (last visited Jan. 23,
2018).
---------------------------------------------------------------------------
Entities are now working to institutionalize the public's
ability to report discovered vulnerabilities. Following the
start of the ``Hack the Army'' bug bounty program, DOD
formalized how to report vulnerabilities discovered on their
public-facing sites with the creation of the Vulnerability
Disclosure Policy (VDP).\28\ The VDP is ``intended to give
security researchers clear guidelines for conducting
vulnerability discovery activities directed at [DOD] web
properties, and submitting discovered vulnerabilities to
DOD.''\29\ Former Defense Secretary Ash Carter described the
VDP as ``a `see something, say something' policy for the
digital domain.''\30\ The Department of Justice Computer Crime
& Intellectual Property Section published its ``Framework for a
Vulnerability Disclosure Program for Online Systems'' on August
1, 2017.\31\ The framework is designed to help businesses and
other organizations develop a formal vulnerability disclosure
program that allows researchers to legally participate without
running afoul of the Computer Fraud and Abuse Act.\32\
---------------------------------------------------------------------------
\28\Hack the Pentagon, HackerOne, https://www.hackerone.com/
resources/hack-the-pentagon (last visited Oct. 20, 2017).
\29\U.S. Dep't of Defense, HackerOne, https://hackerone.com/
deptofdefense (last visited Oct. 20, 2017).
\30\Hack the Pentagon, supra note 28.
\31\Press Release, U.S. Computer Emergency Readiness Team, DOJ
Provides Organizations a Framework for Development of a Vulnerability
Disclosure Program (Aug. 1, 2017), https://www.us-cert.gov/ncas/
current-activity/2017/08/01/DOJ-Provides-Organizations-Framework-
Development-Vulnerability; see also Cybersecurity Unit, A Framework for
a Vulnerability Disclosure Program for Online Systems, U.S. Dep't of
Justice, https://www.justice.gov/criminal-ccips/page/file/983996/
download.
\32\Cybersecurity Unit, supra note 31 at 1-2.
---------------------------------------------------------------------------
Need at the Department of Homeland Security
DHS is ``responsible for protecting civilian federal
government networks and collaborating with other Federal
agencies, as well as State, local, tribal, and territorial
governments, and the private sector to defend against cyber
threats.''\33\ In addition to cybersecurity, the Department is
responsible for a variety of missions, including preventing
terrorism, border security, and disaster resilience. As a
result, it is essential that the Department's information
technology is secure and resilient.
---------------------------------------------------------------------------
\33\Examining DHS's Cybersecurity Mission Before the Cybersecurity
and Infrastructure Protection Subcomm. of the H. Homeland Security
Comm., 115th Cong. 1 (2017) (statement of Assistant Sec'y for
Cybersecurity & Comm'ns Nat'l Prot. & Programs Directorate U.S. Dep't
of Homeland Sec.), available at http://docs.house.gov/meetings/HM/HM08/
20171003/106448/HHRG-115-HM08-Wstate-ManfraJ-20171003.pdf.
---------------------------------------------------------------------------
The Federal Government, including DHS, faces daily cyber
threats from a variety of adversaries. In 2016, there were over
30,899 cyber incidents at Federal agencies.\34\ DHS reported
1,112 incidents, which is comparable to the 1,888 reported by
DOD.\35\ The DHS Inspector General additionally found that
Department ``components were not consistently following DHS's
policies and procedures to maintain current or complete
information on remediating security weaknesses in a timely
manner.''\36\
---------------------------------------------------------------------------
\34\Executive Office of the President of the United States, Federal
Information Security Modernization Act of 2014, Annual Report to
Congress, Fiscal Year 2016, https://www.whitehouse.gov/sites/
whitehouse.gov/files/briefing-room/presidential-actions/related-omb-
material/
fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf
(last visited Dec. 1, 2017).
\35\Id.
\36\Id. at 45.
---------------------------------------------------------------------------
In recognition of this serious threat, the Committee has
made cybersecurity one of its top priorities. From 2015 through
2017, the Committee held five hearings on cybersecurity,
exploring topics such as information sharing, data breaches in
the Federal Government, and how adversaries continue to target
information networks.\37\ The Committee has also passed
multiple pieces of cybersecurity legislation, including the
Federal Cybersecurity Enhancement Act of 2015, to improve
Federal network security and authorize and enhance the EINSTEIN
intrusion detection and prevention system.\38\
---------------------------------------------------------------------------
\37\Cybersecurity Regulation Harmonization: Hearing before the S.
Comm. On Homeland Sec. & Governmental Affairs, 115th Cong. (2017);
Cyber Threats Facing America: An Overview of the Cybersecurity Threat
Landscape: Hearing before the S. Comm. On Homeland Sec. & Governmental
Affairs, 115th Cong. (2017); Under Attack: Federal Cybersecurity and
the OPM Data Breach: Hearing before the S. Comm. On Homeland Sec. &
Governmental Affairs, 114th Cong. (2015); The IRS Data Breach: Steps to
Protect Americans' Personal Information: Hearing before the S. Comm. On
Homeland Sec. & Governmental Affairs, 114th Cong. (2015); Protecting
America from Cyberattacks: The Importance of Information Sharing:
Hearing before the S. Comm. On Homeland Sec. & Governmental Affairs,
114th Cong. (2015).
\38\Public Law No: 114-113 (S. 1869, with amendments, was included
in H.R. 2029).
---------------------------------------------------------------------------
The relative success of the bug bounty programs in the
private sector, DOD and GSA, as well as findings by the DHS
Inspector General, suggest the need for DHS to pursue a similar
pilot program to identify vulnerabilities on Internet-facing
information technology. This legislation requires DHS to
establish a one-time bug bounty pilot program under which
approved individuals, organizations, or companies can detect
and patch vulnerabilities and receive compensation. Based on
the findings, the Department can then determine if a permanent
program is needed.
III. LEGISLATIVE HISTORY
Senator Margaret Wood Hassan (D-NH) introduced S. 1281, the
Hack the Department of Homeland Security Act of 2017, on May
25, 2017. Senators Claire McCaskill (D-MO), Rob Portman (R-OH),
and Kamala Harris (D-CA) are cosponsors.
The bill was referred to the Committee on Homeland Security
and Governmental Affairs. The Committee considered S. 1281 at a
business meeting on October 4, 2017. Senator Hassan offered a
substitute amendment that made minor revisions to the bill,
including clarifying the definition and requirements of the bug
bounty program. The substitute amendment was adopted by
unanimous consent with Senators Johnson, Lankford, Daines,
McCaskill, Tester, Heitkamp, Hassan, and Harris present.
The Committee favorably reported the bill as amended by the
Hassan substitute amendment by voice vote en bloc. Senators
present for the vote were Johnson, Lankford, Daines, McCaskill,
Tester, Heitkamp, Hassan, and Harris.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section provides the bill's title, the ``Hack the
Department of Homeland Security Act of 2017,'' or the ``Hack
DHS Act.''
Sec. 2. Department of Homeland Security bug bounty pilot program
Section 2(a) provides definitions for the following terms:
``bug bounty program,'' ``Department,'' ``information
technology,'' ``pilot program,'' and ``Secretary.''
Section 2(b) instructs the Secretary of Homeland Security
to establish a bug bounty pilot program at DHS within 180 days
of the bill's enactment. In establishing the pilot program, the
Secretary will: ensure compensation is awarded to participants
for identifying undisclosed vulnerabilities during the pilot
program; award a contract to manage the pilot program and patch
identified vulnerabilities; decide which mission-critical
information technology should not be included in the pilot
program; seek advice from the Attorney General regarding how to
ensure approved participants are protected from prosecution for
their approved activities within the pilot program; confer with
DOD officials on lessons learned from launching ``Hack the
Pentagon'' in 2016; develop a vetting process for approved
participants; and engage public and private sector experts on
the structure of the pilot program and lessons learned.
Section 2(c) requires the Secretary to submit a report to
the U.S. Senate Homeland Security and Governmental Affairs
Committee and the U.S. House Committee on Homeland Security
within 90 days of the pilot program's completion. The report
shall include a number of data points to assist Congress in
assessing the pilot programs effectiveness, including, but not
limited to: the number of pilot program participants that
registered, were approved, submitted vulnerabilities, and
received compensation; the quantity and severity of
vulnerabilities identified; the number of unidentified
vulnerabilities that were patched as a result of the pilot
program; the number of vulnerabilities that have yet to be
patched and the Department's plans to do so; how long it takes
to report the vulnerability and to patch the vulnerability; the
types of compensation provided for discovering undisclosed
security vulnerabilities; and any lessons learned.
Section 2(d) authorizes $250,000 to be appropriated to DHS
for fiscal year 2018 to carry out the pilot program.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, October 20, 2017.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 1281, the Hack DHS
Act.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Mark
Grabowicz.
Sincerely,
Keith Hall,
Director.
Enclosure.
S. 1281--Hack DHS Act
S. 1281 would direct the Department of Homeland Security
(DHS) to establish a pilot program to improve the security of
the department's information technology systems, especially
those that are accessible to the public (such as websites for
the agencies within DHS). The bill would authorize the
appropriation of $250,000 for fiscal year 2018 for the pilot
program. Assuming appropriation of that amount, CBO estimates
that implementing the bill would cost $250,000.
Enacting the bill would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply. CBO
estimates that enacting S. 1281 would not increase net direct
spending or on-budget deficits in any of the four consecutive
10-year periods beginning in 2028.
S. 1281 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is Mark Grabowicz.
The estimate was approved by H. Samuel Papenfuss, Deputy
Assistant Director for Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because this legislation would not repeal or amend any
provision of current law, it would not make changes in existing
law within the meaning of clauses (a) and (b) of paragraph 12
of rule XXVI of the Standing Rules of the Senate.
[all]