Lawmakers are going to bat in a big way for ethical hackers.
The House Homeland Security Committee advanced a pair of bipartisan bills late last week that would force the Department of Homeland Security to open the door to security researchers to probe the agency for cybersecurity vulnerabilities. DHS has resisted such a move, but lawmakers are ready to force the agency’s hand, saying independent testing is an important step toward improving its cyber hygiene.
One bill, called the Hack DHS Act, would create a bug bounty pilot program that would pay security researchers to root out bugs in the agency’s networks. The other would require DHS to set up a vulnerability disclosure policy that protects ethical hackers from legal action if they find a security flaw and report it responsibly. Both cruised through the committee with bipartisan support.
The votes highlight how Congress is shaking off its old fears about hackers and embracing bug bounties as an effective way to address the federal government’s cybersecurity woes.
“There is a greater groundswell around this concept of turning these hackers into friends,” said Casey Ellis, founder of Bugcrowd, which helps organizations manage bug bounty and vulnerability disclosure programs. Bug bounty programs in particular are “graduating from a weird Silicon Valley, tech company thing to something that’s being adopted as a normal part of cybersecurity strategy,” he told me.
Bug bounty programs, which offer financial rewards or special recognition to security researchers who identify security flaws in an organization's systems, have surged in popularity in the private sector in recent years. Companies as wide-ranging as Google, Reddit, Uber and Western Union have adopted them.
Government agencies have also been warming up to the idea of inviting well-intentioned hackers to poke around in federal IT systems. Hack the Pentagon, the federal government's first bug bounty challenge held over four weeks in spring 2016, was a watershed moment for the relationship between feds and security researchers, proving to be such a success that the Defense Department went on to create the government’s first vulnerability disclosure program later that year. The General Services Administration has since adopted a similar program, and lawmakers are considering a bill that would establish bug bounty pilot and vulnerability disclosure programs at the State Department.
Lawmakers are frustrated that DHS, the government’s main cybersecurity agency, isn’t leading the charge on such programs -- or even showing it's serious about creating one. During last week's votes, Rep. Jim Langevin (D-R.I.), a co-sponsor of the vulnerability disclosure bill, accused Homeland Security Secretary Kirstjen Nielsen of dragging her feet on a pledge to work with the committee on creating such a policy at DHS. “Unfortunately, it appears they will not do so unless Congress requires it of them,” Langevin said.
“This committee recognizes the important contributions security researchers -- the far too oft maligned ‘hackers’ -- can make to protecting our nation,” he said. “My door is always open to those trying to help improve the security of the Internet. I hope the department will embrace this view, and I believe these bills will help steer it in that direction.”
“As the nation’s leading civilian cybersecurity agency, it is of paramount importance that the department lead from the front and be an example of the good cyber-hygiene practices promoted” by the legislation, added Rep. John Ratcliffe (R-Tex.), another co-sponsor of the vulnerability disclosure bill, which was introduced by House Majority Leader Kevin McCarthy (R-Calif.).
The show of support from the committee was an encouraging sign for the hacking community, said Katie Moussouris, a security researcher who advised on the Defense Department's bug bounty and vulnerability disclosure programs. But she cautioned against moving too fast. Hack the Pentagon worked well because the Defense Department had the funding and the staffing to scan its systems beforehand and quickly respond to the onslaught of bug reports it got when it launched its programs, she told me. If lawmakers want to replicate that at DHS or other agencies, she said, they have to make sure those resources are in place.
“I want to make sure that people don’t take for granted how much work it takes to prepare an organization for this,” Moussouris told me. “If they can’t handle known vulnerabilities, how are they going to fare when the focus of all these hackers is going to pile on them?”
Lawmakers seem sensitive to those concerns -- which in itself is a testament to the legwork they’ve done to carve out a role for ethical hackers in government.
“Building the processes to handle reports, triage them and ensure remediation is a tall order,” Langevin said last week of the bug bounty bill. A Senate version of the legislation was introduced by Sen. Maggie Hassan (D-N.H.) and passed by the chamber in April. “A bug bounty will attract thousands and thousands of eyes -- and you have to be prepared for that.”
Langevin seemed skeptical that the $250,000 the House bug bounty bill would set aside for the program was enough. Still, he said, “I am sick of waiting.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The FBI has enlisted the three hackers behind the massive Mirai botnet attack from 2016 to help fight cybercrime. Garrett M. Graff wrote in Wired on Tuesday that “over the 18 months since the FBI first made contact with the trio, they have worked extensively behind the scenes with the agency and the broader cybersecurity community to put their advanced computer skills to noncriminal uses.” The three of them combined have provided more than 1,000 hours of assistance.
“As it turns out, the trio have contributed to a dozen or more different law enforcement and security research efforts around the country and, indeed, around the globe,” Graff reported. “In one instance, they helped private-sector researchers chase what they believed was an ‘advanced persistent threat’ from a nation-state hacking group; in another, they worked with the FBI in advance of last year’s Christmas holiday to help mitigate an onslaught of DDoS attacks.” Additionally, authorities have also made use of the trio's coding abilities. “Prosecutors outline extensive original coding work they’ve done, including a cryptocurrency program they built that allows investigators to more easily trace cryptocurrency and the associated ‘private keys’ in a variety of currencies,” Graff wrote.
The government had recommended that Josiah White, Paras Jha and Dalton Norman be sentenced to five years' probation as well as 2,500 hours of community service, such as cooperating with the FBI on cybersecurity work, according to Wired. On Tuesday, White, Jha and Norman each received that sentence and were also ordered to pay $127,000 in restitution, according to a press release from the U.S. attorney's office for the District of Alaska. “The plea agreement with the young offenders in this case was a unique opportunity for law enforcement officers, and will give FBI investigators the knowledge and tools they need to stay ahead of cyber criminals around the world,” U.S. Attorney for the District of Alaska Bryan Schroder said in a statement.
PATCHED: U.S. Immigration and Customs Enforcement has spent more money than any other federal agency on technology from the company GrayShift, which sells an iPhone-cracking tool called GrayKey, Forbes's Thomas Brewster reported Tuesday. “According to government contract records on FPDS.gov, ICE acquired the services of GrayShift earlier this month,” Brewster reported. “And it’s spent more than any other government department on GrayShift tech, with a single order of $384,000. Other branches of the Trump government, from the Drug Enforcement Administration to the Food and Drug Administration, have splashed between $15,000 and $30,000 on different models of the GrayKey, which requires physical access to an Apple device before it can break through the passcode.” (I wrote in June about the encryption debate.)
ICE has also purchased technology from foreign companies, according to Forbes. “Alongside Israel’s Cellebrite, ICE has looked to a variety of foreign-made hacking tech to aid investigations,” Brewster wrote. “In August, it spent $41,000 on ‘computer support equipment’ from Oxygen Forensics, a company founded by Russians that specializes in extracting WhatsApp data, among other artefacts, from iPhones and Androids. Canadian rival Magnet Forensics sold more ‘computer support equipment’ to ICE in August for $371,000.”
PWNED: “An Iranian government-aligned group of hackers launched a major campaign targeting Mideast energy firms and others ahead of U.S. sanctions on Iran, a cybersecurity firm said Tuesday, warning further attacks remain possible as America re-imposes others on Tehran,” the Associated Press's Jon Gambrell reported. “While the firm FireEye says the so-called ‘spear-phishing’ email campaign only involves hackers stealing information from infected computers, it involves a similar type of malware previously used to inject a program that destroyed tens of thousands of terminals in Saudi Arabia.”
The group, which FireEye refers to as APT33, sent phishing emails containing fake job opportunities and used fake domain names. The group's phishing activity spiked between July 2 and July 29, the AP reported. “The emails, pretending to be from a Mideast oil and gas company, targeted organizations in the Mideast, North America and Japan,” Gambrell wrote. “The recipients included companies involved in the oil and gas industry, utilities, insurance, manufacturing and education, FireEye said.” Alister Shepherd, director of a FireEye subsidiary, told Gambrell that APT33 “are a very capable group and they manage to meet their objectives, which is to compromise institutions in both the government and private sector and steal data.”
— “The US military is taking a more aggressive stance against foreign government hackers who are targeting the US and is being granted more authority to launch preventative cyberstrikes, according to a summary of the Department of Defense's new Cyber Strategy,” CNN's Jose Pagliery and Ryan Browne reported on Tuesday. “The Pentagon is referring to the new stance as ‘defend forward,’ and the strategy will allow the US military ‘to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.’”
The Pentagon will focus its attention in cyberspace on states that may represent “strategic threats,” such as China and Russia, according to the summary. “The Department must take action in cyberspace during day-to-day competition to preserve U.S. military advantages and to defend U.S. interests,” the document says. “Our focus will be on the States that can pose strategic threats to U.S. prosperity and security, particularly China and Russia. We will conduct cyberspace operations to collect intelligence and prepare military cyber capabilities to be used in the event of crisis or conflict.”
— Sen. John Cornyn (R-Tex.) on Tuesday introduced a bill in the Senate that aims to strengthen the cybersecurity of government systems by codifying the Department of Homeland Security's Continuous Diagnostics and Mitigation program. The bill, titled Advancing Cybersecurity Diagnostics and Mitigation Act, has already passed the House. “Cyber-attacks are escalating at an alarming rate, making it vital that our federal agencies have access to programs and tools to help mitigate these risks,” Cornyn said in a statement. “This legislation would help ensure the Department of Homeland Security can continue to rely on and evolve the CDM program to understand and defend against the cyber threats before them.”
— Officials from the United States and Chile discussed strengthening cybersecurity cooperation between the two countries during two days of meetings last month, the State Department announced in a press release on Tuesday. The officials met in Washington on Aug. 23 and 24. “Both countries commit to work together to promote and develop the growing international consensus on a framework of responsible state behavior in cyberspace, and advance efforts within the Americas to build trusting partnerships among like-minded nations,” according to a joint statement from the U.S. and Chilean governments. “Both countries further affirm the importance of cooperation among like-minded states to deter malicious cyber activity contrary to this framework.”
- CrowdStrike Cybersecurity Conference in Miami.
- Air Force Association’s Air, Space & Cyber Conference in National Harbor, Md.