S 1281 Reported in Senate – Hack DHS Act

Earlier this month the Senate Homeland Security and Governmental Affairs Committee published their report on S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The Committee amended and approved the bill at a markup hearing conducted on October 4^th, 2017.

Changes to Bill

The Committee approved a substitute language amendment to the bill. Several minor changes were made to the bill. For example; in two different places in the bill the term ‘information technology’ was modified by preceding it with the words ‘Internet facing’.

The most extensive changes were found in §2(b) and §2(c). The changes to (b) were mostly changes in the order of the subparagraphs in (b)(2), but wording was added to change the hacker registration to a process with the contractor running the program rather than directly with DHS.

The changes in §2(c) deal with the required report to Congress on the pilot program. Two new subparagraphs were added, and one was deleted. The added subparagraphs deal with the “the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans” {§2(c)(4)} and “types of compensation provided” {§2(c)(6)}. The removed subparagraph {§2(c)(5)} would have required more details about the types of compensation provided.

Moving Forward

With the bill being reported out of Committee by voice vote indicates that the bill has significant bipartisan support within the Committee. This will probably translate into a lack of significant opposition if the bill were to make it to the floor of the Senate, and I would suspect that it would be considered under the Senate’s unanimous consent procedure with no debate and no formal vote.

Commentary

The minor change made by adding the words ‘Internet facing’ could significantly reduce the number of systems that could be included in the pilot bug bounty program outlined in the bill. It reflects a common misunderstanding of the vulnerability of computer systems that are not ‘Internet facing'. The lack of ‘Internet facing’ is not even the same as the fabled ‘air gapped’ protection of control systems. Information systems will typically be accessible by networked computers that are Internet accessible even if the information system is not internet facing.

The addition of this limitation on the systems to be included in the pilot program is even more confusing because the term ‘Internet facing’ is not defined in the bill. If the staff really wanted to limit the application of the program they should have included a definition that specified what limits they expected the Department to apply.

There was one interesting definition change made in the bill. The original bill cited 44 USC 3502 for the definition of ‘information system’. The new version of the bill instead uses the definition from 40 USC 11101. This really is not a change in definition since §11101(5) refers back to §3502 for the definition of the term. The term is still the IT-limited definition of the term, so no Department control system (building automation or access control systems for example) would be considered for the pilot program.

S 1281 Introduced – DHS Bug Bounty

Last month Sen. Hassan (D,NH) introduced S 1281 the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The bill would require DHS to set up a pilot program to establish a bug bounty program to minimize vulnerabilities to the information systems of the Department.

Pilot Program

The bill would require the pilot program include registration and background checks for those security researchers participating in the program. It would provide for bounties to be paid “for reports of previously unidentified security vulnerabilities within the websites, applications, and other information systems of the Department that are accessible to the public” {§2(b)(2)(A)}. The program would be patterned on the DOD’s “Hack the Pentagon” program.

The bill authorizes $250,000 for the pilot program. Since the bill calls for letting competitive contracts for both running the program and remediating the vulnerabilities reported, it is not clear if these funds are for the administrative costs or the bounties. In either case, the amount seems low.

This bill is definitely IT centric as it uses the limited definition of ‘information systems’ found at 44 USC 3502(8). Thus, it would seem to exclude building control systems and security systems used by the Department. Additionally, DHS is required to designate ‘mission critical’ operations within the Department that would be exempt from the program.

Moving Forward

Hassan is not [corrected 10-4-17, 8:45 EDT] on the Homeland Security and Governmental Affairs Committee to which this bill has been assigned for consideration. All three of her cosponsors are (with two being fairly high-ranking Democrats) so there is a distinct possibility that the bill could be considered in Committee.

I do not see anything within the bill that would engender any significant opposition to the bill, either in committee or on the floor of the Senate.

Commentary

The one thing missing from this bill is any discussion about the publication of the vulnerabilities reported in the program. Presumably, most of the software involved will be commercial software, so there would be a public interest in having coordinated disclosures of the vulnerabilities in publicly available software. Disclosures in DHS custom or proprietary software could certainly be argued against.

An interesting point is raised in this bill. Section 2(b)(2)(B) specifically requires the Department to “consult with the Attorney General on how to ensure that computer security specialists and security researchers who participate in the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the pilot program”.

This strikes me as a tad bit paranoid since the researchers are having to register with DHS to participate in the program. This means that they would be accessing the systems with permission which would preclude prosecution under §1030. That some researchers would request specific written permission with §1030 in mind would be understandable (security researchers should be paranoid), but for this verbiage to be included in the bill would seem to indicate an unusual level of paranoia in a Senate staffer (they write the bills in most cases) or someone is trying to make points with the cybersecurity community.