House lawmakers introduce State Department 'bug bounty' bill


A pair of House lawmakers on Wednesday introduced legislation seeking to boost cybersecurity at the State Department.

Reps. Ted Lieu (D-Calif.) and Ted Yoho (R-Fla.) are co-sponsoring the Hack Your State Department Act, which seeks to establish a Vulnerability Disclosure Program (VDP) as well as a so-called bug bounty program within one calendar year.

The bill, if passed, would require the nation’s premier diplomatic agency to establish a VDP within six months and then a bug bounty program after one year, so that the State Department can better “identify and report vulnerabilities of internet-facing information technology.”


A bug bounty program invites outside hackers to participate in a cyber scavenger hunt of sorts to find digital vulnerabilities. 

The symbiotic practice gives a company or organization the chance to patch up security holes — from untraced malware to other unnoticed security system gaps — before a malicious agent can exploit them, while the hackers who first unearth such vulnerabilities receive a financial reward for their efforts.

The Lieu-Yoho legislation gives the secretary of State the room to determine which department information technology should be included in the program, what type of vulnerabilities the program should specifically target, and the chance to identify which individuals and offices in the agency will be responsible for responding to and addressing security vulnerability disclosure reports.

State would be required to report the "number and severity" of security vulnerabilities reported annually to both the House Committee on Foreign Affairs and the Senate Committee on Foreign Relations.

The State Department faced scrutiny in 2014 after Russian hackers reportedly breached its unclassified email system, forcing the department to partially shut down the system as it made security upgrades.

Lonnie Price, head of the department’s Cyber and Technology Security (CTS) directorate, told The Hill in December that the agency is seeing a worrisome increase in cyber threats against its systems.

“What we’re seeing ... is there are heavy hitters going after our employees' accounts,” said Price, who has served in various security and tech roles in his 30 years at State. “They’re looking for information, they’re looking for contacts.”

The Department of Defense during the Obama administration became the first federal agency to invite white hat hackers to attempt to infiltrate its systems and identify vulnerabilities within the department’s public webpages.

The 2016 "Hack the Pentagon" pilot challenge, run under then-Secretary of Defense Ash Carter, crowdsourced help from outside hackers who wanted to help the agency improve its security.

"We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer," Carter said at the time.

The department determined that 138 out of the 240 reported vulnerabilities were “legitimate, unique and eligible for a bounty” after roughly 1,400 hackers took a stab at the bounty.

About $75,000 in prizes was doled out in a program that cost the Defense Department about $150,000. Carter said this is a small price to pay compared to hiring an outside firm to independently conduct a vulnerability assessment.

“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” Carter said.

A range of high-profile private companies such as Uber, Microsoft, Samsung and Tesla have also participated in such bug hunting schemes.