Bug-bounty program to strengthen DHS cyber defenses

Published 1 June 2017

Congress is considering a bill that would establish a bug bounty pilot program – modeled on similar programs at the Department of Defense and major tech companies – in order to strengthen cyber defenses at DHS by using “white-hat” or ethical hackers to help identify unique and undiscovered vulnerabilities in DHS networks and data systems.

Senators Maggie Hassan (D-New Hampshire) and Rob Portman (R-Ohio) introduced the Hack Department of Homeland Security (DHS) Act. The bill, which is also cosponsored by Senators Claire McCaskill (D-Missouri) and Kamala Harris (D-California), would establish a bug bounty pilot program – modeled on similar programs at the Department of Defense and major tech companies – in order to strengthen cyber defenses at DHS by using “white-hat” or ethical hackers to help identify unique and undiscovered vulnerabilities in DHS networks and data systems.

“Federal agencies like DHS are under assault every day from cyberattacks. These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help,” Hassan said. “The Hack DHS Act provides this help by drawing upon an untapped resource—patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens. This bipartisan bill takes the first step to utilize best practices from the private sector to harness the skills of hackers across America as a force multiplier against these cyber threats. I will work with members of both parties to move this important bill forward.”

“The networks and systems at DHS are vital to our nation’s security. It’s imperative that we take every step to protect DHS from the many cyberattacks they face every day,” said Portman. “One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats.”

Bug bounty programs, which have been implemented at major tech companies including Google, Facebook, Amazon, and Apple, allow ethical hackers to probe the vendor’s systems or networks in order to identify vulnerabilities. For each undiscovered vulnerability that these ethical hackers report to the vendor, the vendor provides a small monetary sum. These activities occur under the agreement that the vendors will not seek criminal charges against the hacker for the activity so long as the hackers abide by a set of strict, pre-determined rules.

The sponsors said that as the department in charge of helping to secure all “.gov” domains, as well as critical infrastructure throughout the country, DHS must ensure that its own networks and data systems are free from unintended or unidentified vulnerabilities. The Hack DHS Act will establish a bug bounty program based on the Department of Defense’s pilot program. Under the bill, monetary payments would be provided to white-hat hackers who identify unique and undiscovered vulnerabilities in DHS’s networks and data systems. These white-hat hackers must first register with DHS and submit to a background check to help assure that the individual does not pose a threat. Additionally, the DHS secretary must work with the attorney general to ensure that participants in the bug bounty program do not face prosecution for their specific work in the program.