Earlier this month the Senate Homeland Security and Governmental
Affairs Committee published its report
on S. 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017.
The Committee amended and approved the bill at a markup hearing conducted on October 4th,
2017.
Changes to Bill
The Committee approved a substitute language amendment to
the bill. Several minor changes were made to the bill. For example, in two
different places in the bill the term ‘information technology’ was modified by
preceding it with the words ‘Internet facing’.
The most extensive changes were found in §2(b) and §2(c). The changes to (b)
were mostly changes in the order of the subparagraphs in (b)(2), but wording
was added to change the hacker registration to a process with the contractor
running the program rather than directly with DHS.
The changes in §2(c)
deal with the required report to Congress on the pilot program. Two new
subparagraphs were added, and one was deleted. The added subparagraphs deal
with “the current number of outstanding previously unidentified security
vulnerabilities and Department remediation plans” {§2(c)(4)} and “types of compensation provided” {§2(c)(6)}.
The removed subparagraph {§2(c)(5)} would have required more details about the
types of compensation provided.
Moving Forward
The bill being reported out of Committee by voice vote
indicates that it has significant bipartisan support within the Committee.
This will probably translate into a lack of significant opposition if the bill
were to make it to the floor of the Senate, and I would suspect that it would
be considered under the Senate’s unanimous consent procedure with no debate and
no formal vote.
Commentary
The minor change made by adding the words ‘Internet facing’
could significantly reduce the number of systems that could be included in the
pilot bug bounty program outlined in the bill. It reflects a common
misunderstanding of the vulnerability of computer systems that are not ‘Internet
facing’. Not being ‘Internet facing’ is not even the same as the fabled ‘air
gapped’ protection of control systems. Information systems will typically be
accessible from networked computers that are themselves Internet accessible, even if the information
system is not Internet facing.
The addition of this limitation on the systems to be
included in the pilot program is even more confusing because the term ‘Internet
facing’ is not defined in the bill. If the staff really wanted to limit the application
of the program they should have included a definition that specified what limits
they expected the Department to apply.
There was one interesting definition change made in the
bill. The original bill cited 44 USC 3502 for the definition of ‘information
system’. The new version of the bill instead uses the definition from 40 USC 11101. This really is
not a change in definition, since §11101(5) refers back to §3502
for the definition of the term. The term is still the IT-limited definition,
so no Department control system (building automation or access
control systems, for example) would be considered for the pilot program.