Lawmakers last week moved closer to mandating that the Department of Homeland Security start a bug bounty program that will pay computer security researchers to spot weaknesses in DHS’s computer networks. That requirement would bring the department in line with other U.S. agencies with similar cybersecurity programs.
The House Homeland Security Committee on Thursday by unanimous consent approved a Senate bill that would set up a pilot program at the department. The Senate passed the bill on April 17. The Pentagon, the IRS and the General Services Administration already operate such programs, and lawmakers have proposed legislation that would launch similar efforts at the departments of State and Treasury.
The committee also approved another measure that would require DHS to establish a vulnerability disclosure policy. Such a policy would help security researchers notify department officials if they come across weaknesses on DHS digital networks and websites. Both measures now to go the full House for consideration.
Noting that the Pentagon and the GSA already have disclosure policies and bounty programs, Rep. Jim Langevin said at the markup he was disappointed when he learned that DHS had no equivalent programs.
“After all, DHS is the lead civilian agency for cybersecurity and why should they fall behind the Pentagon or the General Service Administration?” the Rhode Island Democrat said. The department would have to boost its efforts to administer a bounty program because once bugs are identified, they need to be quickly patched, he added.
Langevin, one of the senior Democrats on the panel focused on cybersecurity issues, said he had written to DHS Secretary Kirstjen Nielsen for more information on how the agency planned to start a vulnerability disclosure policy but was disappointed she had not responded. A spokesman for DHS did not immediately respond to a request for comment.
Bug bounties, or crowd-sourced security programs as some experts call them, have long been an established practice in private industry since the early days of the internet. The explosion of new software across multiple platforms and devices and the attendant increase in vulnerabilities meant that in-house security experts could not identify all the bugs. Paying good hackers to find weaknesses before bad actors find and exploit the gaps became standard practice.
Private companies and governments together paid out about $11.7 million in bounties to hackers in 2017, according to a July 2018 report by HackerOne, a group that brings together hackers to work collectively on security problems.
Starting in 2016, the Defense Department began trying out bug bounty programs called Hack the Pentagon and it now runs Hack the Army and Hack the Air Force, along with the Defense Information Systems Agency. The IRS also launched its effort in 2016.
Federal agencies look to such programs to find vulnerabilities and patch them because the gap between the in-house talent available to find and fix such problems and the number of weaknesses is significant, said Anne-Marie Chun Witt, director of government services at Synack, a California-based technology company that manages the bug bounty programs at the Pentagon, the IRS and other agencies.
While the federal government’s cybersecurity budget has grown about 1.5 times between 2006 and 2018, the number of cyber incidents on federal computer networks has increased about 15 times in that period, according to Synack.
“Federal cyber budgets are growing, but it’s not working, and that’s why we are seeing an aggressive adoption of the crowd-sourced approach,” Witt said. “There’s an imbalance between the supply and demand for cyber talent, so even with all the money in the world you wouldn’t be able to find the expertise.”
While typical bug bounty programs are open to any hacker to find bugs on open computer networks, the approach doesn’t work for highly sensitive systems, said Jay Kaplan, CEO and founder of Synack.
Instead, “we have a completely closed model,” where the company vets security researchers through background checks and signs nondisclosure agreements with them before allowing them to work on classified computer systems, Kaplan said. “They are doing work through auditable ways, so we can see what they’re doing.”
ICYMI: Trump’s 3 Legislative Priorities Before the Midterm Vote
Find and fix
Finding bugs in a system is the first part, but “if you don’t have people to remediate it, it’s a problem,” Kaplan said.
While private companies move fast to fix identified weaknesses, most government agencies work through contractors and that makes the process slower — “the timeline for fixing is longer than typical corporate organizations,” Kaplan said.
In some cases, hackers hired by Synack provide recommended fixes even if they have no access to the underlying source codes, said Kaplan, a former National Security Agency cyber analyst.
The HackerOne report said companies in consumer goods and financial services were among the fastest to fix bugs, taking 14 and 19 days respectively to patch flaws, while government agencies took about 68 days and the technology industry took 64 days to resolve issues.
When considering bounty programs, government agencies need make sure they have the expertise to differentiate between hackers testing a network and a real attack, said Jake Williams, founder of Rendition InfoSec, a computer security firm based in August, Georgia.
“We saw one of our clients that got compromised during a bug bounty, and their staff missed the alert because it blended in with attack traffic,” Williams said.
The bill requiring DHS to have a vulnerability disclosure policy would be helpful because without it outside researchers who come across a weakness on an agency’s websites don’t know how to formally report a problem, Williams said.
If a client network is under attack from a hacker that is using a government website as a platform to launch the assault, Williams said, he would look to see if the government agency has a vulnerability disclosure policy and pathway to report the problem.
“We have a 10-minute rule to figure out how to report a problem,” Williams said. If he was unable to figure out how to report a problem within that time, Williams said he would just block the website being used as a launch pad for the attack and move on, instead of reporting the problem. “So it’s critical to have a process to make reporting easy,” he said.