[Senate Report 115-209]
[From the U.S. Government Publishing Office]


                                                      Calendar No. 335
115th Congress      }                                    {      Report
                                 SENATE
 2d Session         }                                    {     115-209
_______________________________________________________________________

                                     
 

                    HACK THE DEPARTMENT OF HOMELAND

                              SECURITY ACT

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 1281

                TO ESTABLISH A BUG BOUNTY PILOT PROGRAM
   WITHIN THE DEPARTMENT OF HOMELAND SECURITY, AND FOR OTHER PURPOSES

               February 26, 2018.--Ordered to be printed
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

79-010                         WASHINGTON : 2018 

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
                  Colleen E. Berny, Research Assistant
                       Maurice R. Turner, Fellow
               Margaret E. Daum, Minority Staff Director
               Stacia M. Cardille, Minority Chief Counsel
       Charles A. Moskowitz, Minority Senior Legislative Counsel
           Julie G. Klein, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk

              HACK THE DEPARTMENT OF HOMELAND SECURITY ACT

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 1281]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 1281), to establish 
a bug bounty pilot program within the Department of Homeland 
Security, and for other purposes, reports favorably thereon 
with an amendment and recommends that the bill, as amended, do 
pass.

                                CONTENTS

  I. Purpose and Summary
 II. Background and Need for the Legislation
III. Legislative History
 IV. Section-by-Section Analysis
  V. Evaluation of Regulatory Impact
 VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

                         I. PURPOSE AND SUMMARY

    S. 1281, the Hack the Department of Homeland Security Act 
of 2017, or the Hack DHS Act, directs the Secretary of Homeland 
Security (Secretary) to establish a bug bounty pilot program at 
the Department of Homeland Security (DHS or the Department) to 
enhance the Department's cybersecurity by minimizing 
vulnerabilities to public-facing information technology.
    The bill also requires the Secretary to ensure compensation 
is awarded to participants for identifying undisclosed 
vulnerabilities during the pilot program, and to award 
contracts to manage the pilot program and patch 
vulnerabilities, among other things. Lastly, the bill requires 
the Secretary to submit a report to Congress on the pilot 
program and its findings.

              II. BACKGROUND AND THE NEED FOR LEGISLATION

    In early 2017, then-Secretary John Kelly stated that 
``[c]yber threats present a tremendous danger to our American 
way of life. The consequences of these digital threats are no 
less significant than threats in the physical world.''\1\ One 
report found that, in 2016, just one anti-virus software 
company blocked over 229,000 web attacks every day.\2\ In 
addition, ``[m]ore than three-quarters (76 percent) of scanned 
websites in 2016 contained vulnerabilities, nine percent of 
which were deemed critical.''\3\ Bug bounty programs can 
identify these types of vulnerabilities before they are 
exploited, and have proven beneficial in both the public and 
private sectors.
---------------------------------------------------------------------------
    \1\Press Release, Dep't of Homeland Sec., Home and Away: DHS and 
the Threats to America (Apr. 18, 2017), https://www.dhs.gov/news/2017/
04/18/home-and-away-dhs-and-threats-america. Remarks delivered by 
Secretary Kelly at George Washington University Center for Cyber and 
Homeland Security.
    \2\Symantec Corp., Internet Security Threat Report, 7 (2017), 
https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-
2017-en.pdf.
    \3\Id.
---------------------------------------------------------------------------

Private sector bug bounty programs

    Although bug bounty programs vary in composition, 
incentives, and purpose, generally speaking a bug bounty 
program provides incentives to participants to identify 
vulnerabilities in an information technology program or system. 
Individuals, organizations, or companies are incentivized 
through various forms of payouts or non-monetary compensation 
to detect new and valid vulnerabilities on information 
technology and systems. Some examples of rewards include 
recognition, cash, and gifts.\4\ Bug bounty programs have been 
used by the private sector for over 20 years; however, their 
use has rapidly increased in recent years.\5\ According to one 
company's report tracking bug bounty programs, there have been 
``three times more enterprise bug bounty programs launched in 
the past year than the previous three years combined.''\6\ In 
addition, since 2016, the average monetary payout has increased 
by 53 percent, averaging $451.\7\ Between 2016 and 2017, 
hundreds of private and public bug bounty programs identified 
over 52,000 valid vulnerabilities, a high-water mark, and the 
identification of critical vulnerabilities increased by 25 
percent.\8\
---------------------------------------------------------------------------
    \4\Id.
    \5\Bugcrowd, The Adoption of Bug Bounties in the Financial Services 
Industry, Bugcrowd Industry Report 1 (2016), https://
pages.bugcrowd.com/hubfs/PDFs/Financial-Services-
Spotlight.pdf?t=1507846659848.
    \6\Bugcrowd, 2017 State of Bug Bounty Report (2017), https://
pages.bugcrowd.com/hubfs/Bugcrowd-2017-State-of-Bug-Bounty-Report.pdf 
(quoting an excerpt from the Executive Summary).
    \7\Id.
    \8\Id.
---------------------------------------------------------------------------
    Bug bounties have helped the private sector increase 
security. For example, Microsoft has utilized bug bounty 
programs since 2013.\9\ According to Microsoft, ``[t]hese 
bounty programs help Microsoft harness the collective 
intelligence and capabilities of security researchers to help 
protect customers.''\10\ In 2016, Microsoft launched a bug 
bounty program for Windows, with monetary awards ranging from 
$500 to $250,000.\11\ Microsoft currently has nine active bug 
bounty programs.\12\
---------------------------------------------------------------------------
    \9\Microsoft Bounty Programs, Microsoft Security TechCenter, 
https://technet.microsoft.com/en-us/security/dn425036 (last visited 
Nov. 7, 2017).
    \10\Id.
    \11\Emil Protalinski, Microsoft Launches Windows Bug Bounty Program 
with Rewards Ranging from $500 to $250,000, Venture Beat (July 26, 
2017), https://venturebeat.com/2017/07/26/microsoft-launches-windows-
bug-bounty-program-with-rewards-ranging-from-500-to-250000.
    \12\Microsoft Bounty Programs, supra note 9.
---------------------------------------------------------------------------

Public sector bug bounty programs

    On March 2, 2016, the Department of Defense (DOD) announced 
the ``Hack the Pentagon'' initiative, the Federal Government's 
first bug bounty pilot program.\13\ The bug bounty program was 
modeled after private sector programs and intended ``to improve 
the security and delivery of networks, products, and digital 
services.''\14\ The pilot program ran from April 18, 2016, 
until May 12, 2016, and cost $150,000.\15\ During the pilot 
program, out of more than 1,400 invited participants, 250 
submitted vulnerability reports and 138 were deemed 
``legitimate, unique and eligible for a bounty.''\16\ On 
October 20, 2016, the DOD announced a ``Hack the Pentagon'' 
follow-up initiative.\17\
---------------------------------------------------------------------------
    \13\Press Release, Dep't of Defense, Statement by Pentagon Press 
Secretary Peter Cook on DoD's ``Hack the Pentagon'' Cybersecurity 
Initiative (Mar. 2, 2016), https://www.defense.gov/News/News-Releases/
News-Release-View/Article/684106/statement-by-pentagon-press-secretary-
peter-cook-on-dods-hack-the-pentagon-cybe.
    \14\Id.
    \15\Lisa Ferdinando, Carter Announces `Hack the Pentagon' Program 
Results, Dep't of Defense (June 17, 2016), https://www.defense.gov/
News/Article/Article/802828/carter-announces-hack-the-pentagon-program-
results.
    \16\Id.
    \17\Shannon Collins, DOD Announces `Hack the Pentagon' Follow-Up 
Initiative, Dep't of Defense (Oct. 20, 2016), https://www.defense.gov/
News/Article/Article/981160/dod-announces-hack-the-pentagon-follow-up-
initiative.
---------------------------------------------------------------------------
    After the success of DOD's Hack the Pentagon, on November 
11, 2016, the Secretary of the Army announced the Army's own 
``Hack the Army'' bug bounty program, which targeted the Army's 
operationally significant websites.\18\ The bug bounty program 
ran from November 30, 2016, to December 21, 2016.\19\ Overall, 
participants submitted 416 reports, with 118 being deemed 
``unique and actionable.''\20\ The estimated total amount paid 
to the hackers that identified vulnerabilities was 
approximately $100,000.\21\
---------------------------------------------------------------------------
    \18\Maj. Christopher Ophardt, Army Secretary Issues Challenge with 
`Hack the Army' Program, U.S. Army (Nov. 21, 2016), https://
www.army.mil/article/178473/
army_secretary_issues_challenge_with_hack_the_army_program.
    \19\Hack the Army Results Are In, HackerOne (Jan. 19, 2017), 
https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In.
    \20\Id.
    \21\Id.
---------------------------------------------------------------------------
    On April 26, 2017, the Air Force announced the ``Hack the 
Air Force'' bug bounty program.\22\ The program ran from May 
30, 2017, until June 23, 2017, with more than 270 
participants.\23\ Overall, 207 ``valid vulnerabilities'' were 
identified, and participants that identified vulnerabilities 
were collectively awarded more than $130,000.\24\
---------------------------------------------------------------------------
    \22\Press Release, Dep't of Defense, Air Force Issues Challenge to 
``Hack the Air Force'' (Apr. 26, 2017), https://www.defense.gov/News/
News-Releases/News-Release-View/Article/1164012/air-force-issues-
challenge-to-hack-the-air-force.
    \23\Rusty Frank, Hack the Air Force Results Released, U.S. Air 
Force (Aug. 10, 2017), http://www.af.mil/News/Article-Display/Article/
1274518/hack-the-air-force-results-released.
    \24\Id.
---------------------------------------------------------------------------
    On May 9, 2017, the General Services Administration (GSA) 
established the first public bug bounty program run at a non-
military agency.\25\ This bug bounty was developed in the same 
vein as the DOD programs, but runs on an ongoing basis.\26\ 
Since its announcement, GSA has identified and resolved 41 
vulnerabilities, and paid out $12,600 in bounties ranging from 
$150 to $2,000.\27\
---------------------------------------------------------------------------
    \25\Omid Ghaffari-Tabrizi, Waldo Jaquith and Eric Mill, The next 
step towards a bug bounty program for the Technology Transformation 
Service, 18F Digital Service Agency, Government Service Administration, 
(May 11, 2017), https://18f.gsa.gov/2017/05/11/the-next-steps-towards-
bug-bounty-program-for-technology-transformation-service/.
    \26\Id.
    \27\TTS Bug Bounty: The First Civilian Agency Public Bug Bounty 
Program, HackerOne, https://hackerone.com/tts (last visited Jan. 23, 
2018).
---------------------------------------------------------------------------
    Entities are now working to institutionalize the public's 
ability to report discovered vulnerabilities. Following the 
start of the ``Hack the Army'' bug bounty program, DOD 
formalized how to report vulnerabilities discovered on its 
public-facing sites with the creation of the Vulnerability 
Disclosure Policy (VDP).\28\ The VDP is ``intended to give 
security researchers clear guidelines for conducting 
vulnerability discovery activities directed at [DOD] web 
properties, and submitting discovered vulnerabilities to 
DOD.''\29\ Former Defense Secretary Ash Carter described the 
VDP as ``a `see something, say something' policy for the 
digital domain.''\30\ The Department of Justice Computer Crime 
& Intellectual Property Section published its ``Framework for a 
Vulnerability Disclosure Program for Online Systems'' on August 
1, 2017.\31\ The framework is designed to help businesses and 
other organizations develop a formal vulnerability disclosure 
program that allows researchers to legally participate without 
running afoul of the Computer Fraud and Abuse Act.\32\
---------------------------------------------------------------------------
    \28\Hack the Pentagon, HackerOne, https://www.hackerone.com/
resources/hack-the-pentagon (last visited Oct. 20, 2017).
    \29\U.S. Dep't of Defense, HackerOne, https://hackerone.com/
deptofdefense (last visited Oct. 20, 2017).
    \30\Hack the Pentagon, supra note 28.
    \31\Press Release, U.S. Computer Emergency Readiness Team, DOJ 
Provides Organizations a Framework for Development of a Vulnerability 
Disclosure Program (Aug. 1, 2017), https://www.us-cert.gov/ncas/
current-activity/2017/08/01/DOJ-Provides-Organizations-Framework-
Development-Vulnerability; see also Cybersecurity Unit, A Framework for 
a Vulnerability Disclosure Program for Online Systems, U.S. Dep't of 
Justice, https://www.justice.gov/criminal-ccips/page/file/983996/
download.
    \32\Cybersecurity Unit, supra note 31 at 1-2.
---------------------------------------------------------------------------

Need at the Department of Homeland Security

    DHS is ``responsible for protecting civilian federal 
government networks and collaborating with other Federal 
agencies, as well as State, local, tribal, and territorial 
governments, and the private sector to defend against cyber 
threats.''\33\ In addition to cybersecurity, the Department is 
responsible for a variety of missions, including preventing 
terrorism, border security, and disaster resilience. As a 
result, it is essential that the Department's information 
technology is secure and resilient.
---------------------------------------------------------------------------
    \33\Examining DHS's Cybersecurity Mission Before the Cybersecurity 
and Infrastructure Protection Subcomm. of the H. Homeland Security 
Comm., 115th Cong. 1 (2017) (statement of Assistant Sec'y for 
Cybersecurity & Comm'ns Nat'l Prot. & Programs Directorate U.S. Dep't 
of Homeland Sec.), available at http://docs.house.gov/meetings/HM/HM08/
20171003/106448/HHRG-115-HM08-Wstate-ManfraJ-20171003.pdf.
---------------------------------------------------------------------------
    The Federal Government, including DHS, faces daily cyber 
threats from a variety of adversaries. In 2016, there were over 
30,899 cyber incidents at Federal agencies.\34\ DHS reported 
1,112 incidents, which is comparable to the 1,888 reported by 
DOD.\35\ The DHS Inspector General additionally found that 
Department ``components were not consistently following DHS's 
policies and procedures to maintain current or complete 
information on remediating security weaknesses in a timely 
manner.''\36\
---------------------------------------------------------------------------
    \34\Executive Office of the President of the United States, Federal 
Information Security Modernization Act of 2014, Annual Report to 
Congress, Fiscal Year 2016, https://www.whitehouse.gov/sites/
whitehouse.gov/files/briefing-room/presidential-actions/related-omb-
material/
fy_2016_fisma_report%20to_congress_official_release_march_10_2017.pdf 
(last visited Dec. 1, 2017).
    \35\Id.
    \36\Id. at 45.
---------------------------------------------------------------------------
    In recognition of this serious threat, the Committee has 
made cybersecurity one of its top priorities. From 2015 through 
2017, the Committee held five hearings on cybersecurity, 
exploring topics such as information sharing, data breaches in 
the Federal Government, and how adversaries continue to target 
information networks.\37\ The Committee has also passed 
multiple pieces of cybersecurity legislation, including the 
Federal Cybersecurity Enhancement Act of 2015, to improve 
Federal network security and authorize and enhance the EINSTEIN 
intrusion detection and prevention system.\38\
---------------------------------------------------------------------------
    \37\Cybersecurity Regulation Harmonization: Hearing before the S. 
Comm. On Homeland Sec. & Governmental Affairs, 115th Cong. (2017); 
Cyber Threats Facing America: An Overview of the Cybersecurity Threat 
Landscape: Hearing before the S. Comm. On Homeland Sec. & Governmental 
Affairs, 115th Cong. (2017); Under Attack: Federal Cybersecurity and 
the OPM Data Breach: Hearing before the S. Comm. On Homeland Sec. & 
Governmental Affairs, 114th Cong. (2015); The IRS Data Breach: Steps to 
Protect Americans' Personal Information: Hearing before the S. Comm. On 
Homeland Sec. & Governmental Affairs, 114th Cong. (2015); Protecting 
America from Cyberattacks: The Importance of Information Sharing: 
Hearing before the S. Comm. On Homeland Sec. & Governmental Affairs, 
114th Cong. (2015).
    \38\Public Law No: 114-113 (S. 1869, with amendments, was included 
in H.R. 2029).
---------------------------------------------------------------------------
    The relative success of the bug bounty programs in the 
private sector, DOD and GSA, as well as findings by the DHS 
Inspector General, suggest the need for DHS to pursue a similar 
pilot program to identify vulnerabilities on Internet-facing 
information technology. This legislation requires DHS to 
establish a one-time bug bounty pilot program under which 
approved individuals, organizations, or companies can detect 
and patch vulnerabilities and receive compensation. Based on 
the findings, the Department can then determine if a permanent 
program is needed.

                        III. LEGISLATIVE HISTORY

    Senator Margaret Wood Hassan (D-NH) introduced S. 1281, the 
Hack the Department of Homeland Security Act of 2017, on May 
25, 2017. Senators Claire McCaskill (D-MO), Rob Portman (R-OH), 
and Kamala Harris (D-CA) are cosponsors.
    The bill was referred to the Committee on Homeland Security 
and Governmental Affairs. The Committee considered S. 1281 at a 
business meeting on October 4, 2017. Senator Hassan offered a 
substitute amendment that made minor revisions to the bill, 
including clarifying the definition and requirements of the bug 
bounty program. The substitute amendment was adopted by 
unanimous consent with Senators Johnson, Lankford, Daines, 
McCaskill, Tester, Heitkamp, Hassan, and Harris present.
    The Committee favorably reported the bill as amended by the 
Hassan substitute amendment by voice vote en bloc. Senators 
present for the vote were Johnson, Lankford, Daines, McCaskill, 
Tester, Heitkamp, Hassan, and Harris.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section provides the bill's title, the ``Hack the 
Department of Homeland Security Act of 2017,'' or the ``Hack 
DHS Act.''

Sec. 2. Department of Homeland Security bug bounty pilot program

    Section 2(a) provides definitions for the following terms: 
``bug bounty program,'' ``Department,'' ``information 
technology,'' ``pilot program,'' and ``Secretary.''
    Section 2(b) instructs the Secretary of Homeland Security 
to establish a bug bounty pilot program at DHS within 180 days 
of the bill's enactment. In establishing the pilot program, the 
Secretary will: ensure compensation is awarded to participants 
for identifying undisclosed vulnerabilities during the pilot 
program; award a contract to manage the pilot program and patch 
identified vulnerabilities; decide which mission-critical 
information technology should not be included in the pilot 
program; seek advice from the Attorney General regarding how to 
ensure approved participants are protected from prosecution for 
their approved activities within the pilot program; confer with 
DOD officials on lessons learned from launching ``Hack the 
Pentagon'' in 2016; develop a vetting process for approved 
participants; and engage public and private sector experts on 
the structure of the pilot program and lessons learned.
    Section 2(c) requires the Secretary to submit a report to 
the U.S. Senate Homeland Security and Governmental Affairs 
Committee and the U.S. House Committee on Homeland Security 
within 90 days of the pilot program's completion. The report 
shall include a number of data points to assist Congress in 
assessing the pilot program's effectiveness, including, but not 
limited to: the number of pilot program participants that 
registered, were approved, submitted vulnerabilities, and 
received compensation; the quantity and severity of 
vulnerabilities identified; the number of previously 
unidentified vulnerabilities that were patched as a result of 
the pilot program; the number of vulnerabilities that have yet to be 
patched and the Department's plans to do so; how long it takes 
to report the vulnerability and to patch the vulnerability; the 
types of compensation provided for discovering undisclosed 
security vulnerabilities; and any lessons learned.
    Section 2(d) authorizes $250,000 to be appropriated to DHS 
for fiscal year 2018 to carry out the pilot program.

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                     U.S. Congress,
                               Congressional Budget Office,
                                  Washington, DC, October 20, 2017.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 1281, the Hack DHS 
Act.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

S. 1281--Hack DHS Act

    S. 1281 would direct the Department of Homeland Security 
(DHS) to establish a pilot program to improve the security of 
the department's information technology systems, especially 
those that are accessible to the public (such as websites for 
the agencies within DHS). The bill would authorize the 
appropriation of $250,000 for fiscal year 2018 for the pilot 
program. Assuming appropriation of that amount, CBO estimates 
that implementing the bill would cost $250,000.
    Enacting the bill would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply. CBO 
estimates that enacting S. 1281 would not increase net direct 
spending or on-budget deficits in any of the four consecutive 
10-year periods beginning in 2028.
    S. 1281 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is Mark Grabowicz. 
The estimate was approved by H. Samuel Papenfuss, Deputy 
Assistant Director for Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because this legislation would not repeal or amend any 
provision of current law, it would not make changes in existing 
law within the meaning of clauses (a) and (b) of paragraph 12 
of rule XXVI of the Standing Rules of the Senate.
