By Joseph Marks
The Harry S. Truman Building at the State Department in Washington on Oct. 24, 2014. (Larry Downing/Reuters)
One of the first things the House did this session was pass the Hack the State Department Act -- offering cash prizes to ethical hackers who undergo background checks in exchange for reports about vulnerabilities in State's websites and other Internet tools. Separately, Democrats' wide-ranging H.R. 1 bill -- which outlines their top priorities -- would also allow state and local governments to participate in another bug bounty program so outside researchers could search for unpatched bugs in their election systems.
As one of their final actions last Congress, legislators passed a Homeland Security Department bug bounty. They also considered bounties at the Treasury Department and elsewhere in government.
Congress's eagerness to embrace bug bounties marks a dramatic shift from just a few years ago, when government officials and many lawmakers were wary of this tech company model of crowdsourcing cybersecurity.
But one of the most influential bug bounty proponents in the private sector worries that Congress now incorrectly views them as a panacea -- and a replacement for the hard job of fixing serious and institutional problems in government cybersecurity.
“Bug bounties can be useful. They can be lucrative. [But] they are not universally applicable,” said Katie Moussouris, who was instrumental in launching the first government bug bounty at the Pentagon in 2016 when she was chief policy officer for the bug bounty contractor HackerOne. The company went on to manage bug bounties at the Army, Navy and Air Force.
Moussouris, who is the founder and chief executive of Luta Security, says the model that worked for the Pentagon and military services is unlikely to work for civilian agencies, which have far fewer resources and less technical expertise -- and a poor track record of fixing vulnerabilities that in some cases have festered for decades.
That means researchers are likely to turn up a long list of vulnerabilities the department either can’t fix, can’t fix expeditiously, or should have fixed itself before it invited the outsiders in, Moussouris said.
But Rep. Ted Lieu (D-Calif.), who sponsored the State Department bug bounty bill along with Rep. Ted Yoho (R-Fla.), disagreed.
Lieu told me in an email that his office consulted with the State Department while drafting the bill and is “confident that our approach has the necessary timeline and flexibility to ensure the same success achieved by the Department of Defense.”
“The best response to capacity problems is not to shrug and do nothing, but rather to shine a light on the problem, require the adoption of best practices and conduct rigorous oversight over implementation,” Lieu said.
Yet Moussouris says that before the Pentagon launched its bug bounty, officials spent months doing computer penetration tests to detect and patch easy-to-find computer vulnerabilities.
Once the program launched, it had staff ready to address the most serious bugs, triage others and determine whether the vulnerabilities hackers uncovered affected systems beyond the scope of the program. The State Department, however, lacks the Pentagon’s hefty technology resources and is bound by more stringent contractor requirements that make patching vulnerabilities a complicated process.
The department is also struggling under serious and ongoing cybersecurity vulnerabilities that it has been unable to fix in house, according to audit reports.
Other critics have warned against rushing into bug bounties, but said it's useful for agencies to aspire to them — especially if they start slowly by launching a vulnerability disclosure policy, or VDP, first. A VDP essentially tells ethical hackers how to search an organization for digital vulnerabilities and whom to contact when they find them, but doesn't offer any cash rewards.
Lieu and Yoho's Hack the State Department Act would begin with a vulnerability disclosure policy mandated within six months and follow with a full bug bounty after one year.
Even establishing a vulnerability disclosure program in six months would be a very difficult task, however, Moussouris said.
“You need to be prepared to fix your bugs when people report them, and that’s easier said than done,” she said.
Employees of the Fulton County Election Preparation Center in Atlanta test electronic voting machines on Sept. 22, 2016. (Alex Sanz/ AP)
“We believe that you get a better result, a more accurate result, and are actually able to move people through the lines faster when you have a ballot-marking device, so you don’t have to cipher out what someone meant with stray marks,” Raffensperger said, according to the AP.
While Raffensperger said the procurement process for the new voting system would have no “predetermined outcome,” the amount of $150 million that he requested is in line with estimates for ballot-marking systems. “Raffensperger said that, ideally, the state would have new machines in place in some cities for municipal elections in November 2019, before having them fully online across the state before November 2020,” the AP reported.
A Google employee holds media information files in Berlin on Jan. 22. (Clemens Bilan/EPA-EFE/Shutterstock)
“The 27-person team tracks more than 200 hacker groups that pose a threat to Google and its users, analyzing hacking techniques and clues to the groups’ identities to head off attacks,” McMillan wrote. “It leverages access to data across widely used Google products like Gmail, with more than 1.5 billion accounts world-wide, and to a database of attack code called VirusTotal managed by another arm of Google-parent Alphabet Inc.” The group also works to combat disinformation operations.
Huntley and others who have been part of cyber threat teams for major tech firms say their work for a company can have more impact than in the public sector. “There were a lot of people who had spent close to a decade in government, and everyone was recognizing, ‘Yeah, we can’t really do much,’ ” Sergio Caltagirone, a former NSA analyst who went to work at Microsoft and is now at Dragos, told the Journal.
Hands type on a computer keyboard in Los Angeles on Feb. 27, 2013. (Damian Dovarganes/AP)
The Integrity Initiative has removed content from its website for now, Collier noted. “Initial findings indicate that the theft was part of a campaign to undermine the work of the Integrity Initiative in researching, publicising and countering the threat to European democracies from disinformation and other forms of hybrid warfare,” according to a message on the site.
The dome of the Capitol is reflected in a window in Washington on Jan. 12. (Jabin Botsford/The Washington Post)
— House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) will host a panel discussion at the Capitol today on the impact of the partial federal government shutdown on homeland security personnel and agencies, which includes the Cybersecurity and Infrastructure Security Agency. You can watch the event here.
— The Senate Intelligence Committee will also probably hear about cybersecurity threats next week as Paul Nakasone, the NSA director, will appear before the panel alongside the heads of other U.S. intelligence agencies for an open hearing on worldwide threats. A closed session will follow the open hearing.
— More cybersecurity news from the public sector:
A man on his phone at the Eastern Market Metro station in Washington. (Michael S. Williamson/The Washington Post)
However, FCC Chairman Ajit Pai said the commission doesn't plan to end consent requirements for sharing personal data. “The FCC’s position is that we have no interest in removing consent requirements around the sharing of personal data, and that extends to having no interest in working with Congress to remove any of those requirements,” Pai told Motherboard in an email.
— More cybersecurity news from the private sector:
A Surface Laptop computer at Microsoft's main campus in Redmond, Wash., on April 20, 2017. (Mike Kane/Bloomberg News)
— A database containing more than 24 million financial documents leaked online following a server security blunder, according to TechCrunch's Zack Whittaker. The database was exposed online for two weeks, according to TechCrunch. “The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life,” Whittaker wrote. “But it wasn’t protected with a password, allowing anyone to access and read the massive cache of documents.”
— More news about security incidents:
- Senate Intelligence Committee open hearing on worldwide threats on Jan. 29.
- The Atlantic Council hosts an event titled “Cyber Risk Wednesday: Operationalizing Cyber Strategies” on Jan. 30.