Will Congress Issue an Invitation to Hack the Department of Homeland Security?

On March 7, the Senate Committee on Homeland Security and Governmental Affairs is scheduled to hold a business meeting to consider H.R. 2825, the Department of Homeland Security Authorization Act (DHS Reauthorization Act).  This bill passed the House of Representatives on July 20, 2017, and, if signed into law, would be the first reauthorization of the Department of Homeland Security since its authorization in 2002.

Senators Steve Daines (R-MT) and Maggie Hassan (D-NH) plan to raise amendments concerning cyber security at the Committee’s markup of the Act.  The amendments are related to legislation previously introduced in the Senate as stand-alone bills.

Senator Daines announced amendments based on: the Cyber SAFETY Act, the Support for Rapid Innovation Act, and the Moving Americans Privacy Protection Act.  The House passed its version of the Support for Rapid Innovation Act on January 10, 2017, but the other bills, which are sponsored by Senator Daines, have not progressed since their introduction.  The DHS Reauthorization Act could serve as the vehicle to carry these bills to President Trump’s desk.

Senator Hassan will raise an amendment to the DHS Reauthorization Act based on S. 1281, the Hack the Department of Homeland Security Act of 2017 Act (Hack DHS Act).  The Committee on Homeland Security and Governmental Affairs favorably reported this bill by voice vote on February 26, 2018.  A companion bill was introduced in the House last summer.

Hack DHS Act

The Hack DHS Act directs the Secretary of Homeland Security to establish a one-time bug bounty pilot program to improve the Department’s cybersecurity by minimizing vulnerabilities to public-facing information systems, applications, and websites.  The bill offers a compensation award to approved program participants (individuals, organizations, and companies) who identify vulnerabilities under the bill’s authority.  This program is modeled after successful public and private sector programs intended to enhance the security of digital networks and services.  

According to an Office of Management and Budget report to Congress, there were 30,899 cyber incidents at Federal agencies in 2016, sixteen of which were classified as “major incidents.”  Recognizing this threat and DHS’s central role in protecting civilian federal government networks, the Committee appears poised to move quickly on the Hack DHS Act.

Government Activity on Vulnerability Disclosure

Vulnerability disclosure programs have gained substantial attention from across government.  The Hack DHS Act can be viewed as a successor to the Department of Defense’s “Hack the Pentagon” and the General Service Administration’s bug bounty initiatives.

Elsewhere in the federal government, NIST is considering coordinated vulnerability disclosures in its Cybersecurity Framework update.  The NTIA convened a multi-stakeholder process and produced a research report assessing vulnerability disclosure.  In 2017, the Department of Justice issued A Framework for a Vulnerability Disclosure Program for Online Systems.  And earlier this year, the Senate Commerce Committee examined bug bounties in the context of a high-profile data breach.

As Wiley Rein cyber attorneys have noted, vulnerability disclosure programs are complex and considerations will vary across industries, sectors, and companies.

DHS Reauthorization Act

The Senate Committee on Homeland Security and Governmental Affairs’ Business Meeting to consider the DHS Reauthorization Act is scheduled to be held on March 7, 2018, in Dirksen Senate Office Building room 342.   Interested parties are encouraged to monitor the meeting for discussion of these cybersecurity amendments.