The bill, introduced last month by U.S. Rep. Mike Quigley, D-Ill., could ultimately become a catalyst for bug bounty programs within state and local agencies, which have been reluctant to embrace white hat hackers probing their computer networks, websites and applications for vulnerabilities.
Cost, as well as legal issues, such as providing access to regulated systems that contain protected information, may have been stumbling blocks for states and local agencies considering their own bug bounty programs, according to some states and the Center for Internet Security Multi-State Information Sharing and Analysis Center (MS-ISAC).
“The agencies do not have to reveal any proprietary information, but it will be up to the discretion of DHS on what they will focus on for the bug bounty,” Vales said.
According to the bill, DHS or a contractor would establish a recurring competition outlining hacker eligibility; where they can explore; the tools they can use; and a payout schedule for unknown election cybersecurity vulnerabilities that are discovered. Monetary and nonmonetary payouts would be made by from the DHS budget and not by the state or local agencies.
Breaking Out the Bug Spray
With the DHS picking up the tab for a bug bounty program that states and local governments can access for their election systems, it may help address the funding issues that potentially stand in the way of smaller governments and their own programs, Delaware CIO James Collins told Government Technology.“I think continued exploration of the topic and the possibility of funding are both positive steps toward widespread bug bounty programs. My hope is that programs and funding could be leveraged at the state level to allow for adaptation to the many system and program nuances,” he said.
He added there are many resource needs to support a mature state security program and that some needs go without support.
“It is one of the main reasons we are starting with just a vulnerability disclosure program,” Collins said. The state of Delaware recently implemented a vulnerability disclosure policy, in which a button appears on every Delaware.gov webpage to allow people to click on it to report a vulnerability on the site.
According to the CIO, Delaware is hoping to start a bug bounty program later this year and will seek approval to hire a bug bounty company.
The state of Missouri, meanwhile, expects to launch a bug bounty program within the next six months, explained Mike Roling, Missouri’s chief information security officer.
“We’re currently in the process of selecting a bug bounty partner. There are several significant players in this space, each with their own models and pricing,” Roling said.
“While we have a robust method to test our applications and network services, having a fleet of dedicated security researchers continuously testing will add another important layer of security,” he said. “[Penetration] testing is a great method to identify point-in-time vulnerabilities; however, bug bounty programs tend to be continuous.”
Legal Issues Discovered
Although Missouri and Delaware are on a path toward putting their bug bounty programs in place, most state and local governments are not. Tom Duffy, senior vice president of operations and services for the Center for Internet Security, told Government Technology he is not aware of any state or local agencies currently using bug bounty programs.The biggest reason for not using bug bounty programs are the legal issues, said Phil Bates, chief information security officer of Utah.
Concerns center on providing hackers access to regulated systems that contain protected data and information, such as systems with data from the FBI, Internal Revenue Service, or health-care and medical agencies, he noted.
“If we encourage people to hit those systems, they would be in violation of the law,” Bates said.
Although Bates said Utah could create a special separate area for hackers to test out its systems or nonprotected information, the cost to create such a program is not feasible.
Missouri’s Roling, however, said he believes it is possible to do bounty programs within the confines of existing laws, without additional legislation.
“Large federal government agencies such as the Department of Defense have had one for some time,” he said.
The Department of Defense launched its “Hack the Pentagon” program in 2016, and since then the U.S. Army, U.S. Air Force, and the Defense Travel System have debuted programs, according to the 2018 Hacker-Powered Security Report released earlier this week by HackerOne.
Several legislative efforts have also been launched around bug bounty programs since 2016, as well, including a “Hack the DHS” bill (S-1281), introduced in 2017, and “Hack the State Department” bill, (HR-5433) introduced earlier this year.
“State and local government agencies are likely to do bug bounty and vulnerability disclosure programs in the not so distant future. The reason that federal agencies got there first is that they face not just domestic threats but also threats to national security,” Marten Mickos, HackerOne CEO, said. “But when you look a little deeper, you realize that even the smallest local agency can face a foreign threat, for instance when it comes to voting systems and machines. Cyberthreats are on the rise, and so are the methods for defense.”
Alternatives to Bug Bounties as a Defense
Although Mickos points to bug bounties as providing the best method for finding security vulnerabilities quickly and effectively, it is just one of many tools a government agency can use.“We have layered security, and bug bounties would only be one layer in security,” Bates said. He noted that in the near-term he does not expect the Utah to conduct a bug bounty program.
Other free alternatives exist when it comes to finding vulnerabilities, noted Duffy.
DHS, for example, performs free vulnerability scanning and penetration testing of state and local websites through its Risk and Vulnerability Assessment (RVA) program.
“This is essentially mimics what a hacker would do,” Duffy said. “Penetration testing can sometimes have unintended consequences, and you need to be sure you have trained individuals performing the activities. I’m not sure what type of [quality assurance] would be performed, if any, on the bounty participants.”
Additionally the MS-ISAC performs weekly automated scans of its members’ websites and looks for outdated software that could be exploited by an attacker. If it finds outdated software, the organization will notify the state or local agency, Duffy said.
Bug bounties, while useful, would likely fall to the bottom of the priority list compared to penetration testing and vulnerability scanning, he said.
“If you don’t do these first two, then you will get a bug,” he said.
