Senate passes Hack DHS Act

On April 17, 2018, the Senate passed Senate bill S.1281 – Hack the Department of Homeland Security Act of 2017. The bill, otherwise known as the Hack DHS Act, sets the requirements by which DHS is to establish a bug bounty pilot – a program where DHS information technology vulnerabilities are identified in exchange for monetary compensation.

What is a bug bounty?

Commercial tech companies have successfully used bounty programs for many years. Netscape launched the first such program in 1995 and companies have used them ever since. Mozilla began a program in 2004. The same program continues to operate today and has paid around $3 million in bounties.

Taking a page from industry’s play book, federal agencies have started employing programs in which white hat hackers - approved outside individuals or organizations - are temporarily granted access to “hack” a department’s systems in order to identify system vulnerabilities. In return, compensation is made for legitimately identifying vulnerabilities.

The Department of Defense was the first federal agency to conduct such a pilot. From April 18, 2016 to May 12, 2016, 138 of the vulnerabilities submitted were determined to be eligible to collect a bounty. In total, DOD paid out $75,000 in bounties during its pilot. Jump forward two years – DOD has paid out a reported $300,000 in bounties and the fifth “Hack the Pentagon” bug bounty just concluded on April 29th.  

In addition to $150,000 in reported prime spending paid to HackerOne for its pilot program, DOD also contracted with Synack in 2016 for additional bug bounty programs, including an Air Force bounty bug program in 2017. Synack has earned a reported $2.6 million in prime obligations for work relating to DOD bug bounties thus far.

Requirement of the DHS Program:

The bill requires the DHS CIO to establish a bounty bug pilot program in order to decrease weaknesses to DHS internet-facing information technology, which includes computers, software, hardware or any hardware or interconnected system or subsystem used by the agency. This does not include any equipment provided by federal contractors.

General requirements the department will have to accomplish under the bill are:

• engage interested persons, including commercial sector representatives, about the structure of the program.
• consult with the Department of Justice on how to ensure that program participants are protected from prosecution for activities authorized under the program;
• award competitive contracts to manage the program and for executing the remediation of identified vulnerabilities; and
• designate mission-critical operations within DHS that should be excluded;
• develop an expeditious process by which computer security researchers can register with DHS, submit to a background check, and receive a determination as to approval for program participation;
• provide monetary compensation for reports of previously unidentified security vulnerabilities within the websites, applications, and other DHS information systems that are accessible to the public;

As part of the process, DHS is to rely on the expertise of the Department of Defense by consulting with offices within DOD that were responsible for the department’s Hack the Pentagon pilot and following programs.

In addition, no more than 6 months after than completing the program, DHS will be required to submit a report to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives that is to include:

• The number of approved entities (individuals, organization, or companies) involved in the program, broken down by the number of approved entities that
  • Registered
  • Were approved
  • Submitted security vulnerabilities; and
  • Received compensation

• The number and severity of vulnerabilities reported during the program
• The number of previously unidentified security vulnerabilities remediated during the program
• The numbers of remaining previously unidentified security vulnerabilities and remediation plans
• Average length of time between reporting and remediation of the vulnerability
• Types of compensation provided under the program
• Lessons learned

What’s Next?

Agencies have been slow to take up the bug bounty initiative thus far. Outside of DOD, the IRS has been one of the only civilian agencies to conduct a bug bounty program, having enlisted the help of Synack in 2016. However, with DHS’s position as the lead civilian agency for IT security, a successfully run pilot program may encourage other agencies to follow suit.

DHS doesn’t need legislative approval to run such a program - DOD has run several over the past two years with no legislative pressure. The bill may just be a way to push the department into taking action. The bill authorizes appropriations of $250,000 in 2018, which will be a solid foundation should it eventually go into law. The bill has been referred to the House Committee on Homeland Security.