Showing posts with label S 1281. Show all posts

Tuesday, September 11, 2018

Homeland Security Mark-up Hearing – 09-13-18


This morning the House Homeland Security Committee announced that it would be conducting a mark-up hearing for five pieces of legislation including:

• HR 6620, Protecting Critical Infrastructure Against Drones and Emerging Threats Act;
• HR 6735, To direct the Secretary of Homeland Security to establish a vulnerability disclosure policy for Department of Homeland Security internet websites, and for other purposes; and
• S 1281, Hack the Department of Homeland Security Act of 2017

The official copy of HR 6620 only recently became available and I have just glanced through it at this point; hopefully I’ll get a chance to review it here before Thursday. The quick glance that I have done indicates that this is a ‘collect information and report to Congress’ type of bill, rather than something that would authorize any sort of action similar to S 2836.

The official copy of HR 6735 is not yet available, but a Committee Print is. There is not much in this bill of specific interest to readers of this blog beyond one definitional oddity: it takes the definition of ‘security vulnerability’ from 6 USC 1501, which is in turn based upon the ICS-inclusive definition of ‘information system’ in that section, while the bill itself uses the IT-restrictive definition of ‘information system’ from 44 USC 3502.

Wednesday, April 18, 2018

S 1281 Passes in Senate – Hack DHS Act


Yesterday the Senate amended and then passed S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017, by a voice vote. The Senate took up the substitute language adopted by the Senate Homeland Security and Governmental Affairs Committee with a small change being made by a floor amendment.

The amendment changed the language in §2(c) of the bill. It changed the reporting requirements for the report to Congress on the pilot program outlined in the bill, extending the reporting time frame from 90 days to 180 days. The amendment was adopted by unanimous consent. It was offered by Sen. McConnell (R,KY) for Sen. Hassan (D,NH), the author of the bill.

The bill, as amended, would require DHS to establish “a bug bounty pilot program to minimize vulnerabilities of Internet-facing information technology of the Department” {§2(b)(1)}. The bill uses an IT-limited definition of ‘information system’, so building control, access control, and security monitoring functions would not technically be covered by the pilot program.

The bill was brought to the floor under the Senate’s ‘unanimous consent’ process. A single senator could have prevented the bill from being considered. This means that the bill had a significant measure of bipartisan support and no opposition. If the bill is taken up in the House (and I suspect that it will), it is almost certain to be considered under the House ‘suspension of the rules’ process with limited debate and no amendments from the floor.

Monday, March 19, 2018

S 1281 Reported in Senate – Hack DHS Act


Earlier this month the Senate Homeland Security and Governmental Affairs Committee published their report on S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The Committee amended and approved the bill at a markup hearing conducted on October 4th, 2017.

Changes to Bill


The Committee approved a substitute language amendment to the bill. Several minor changes were made to the bill. For example, in two different places in the bill the term ‘information technology’ was modified by preceding it with the words ‘Internet facing’.

The most extensive changes were found in §2(b) and §2(c). The changes to (b) were mostly changes in the order of the subparagraphs in (b)(2), but wording was added to change the hacker registration to a process with the contractor running the program rather than directly with DHS.

The changes in §2(c) deal with the required report to Congress on the pilot program. Two new subparagraphs were added, and one was deleted. The added subparagraphs deal with “the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans” {§2(c)(4)} and “types of compensation provided” {§2(c)(6)}. The removed subparagraph {§2(c)(5)} would have required more details about the types of compensation provided.

Moving Forward


The bill being reported out of Committee by voice vote indicates that it has significant bipartisan support within the Committee. This will probably translate into a lack of significant opposition if the bill were to make it to the floor of the Senate, and I would suspect that it would be considered under the Senate’s unanimous consent procedure with no debate and no formal vote.

Commentary


The minor change made by adding the words ‘Internet facing’ could significantly reduce the number of systems that could be included in the pilot bug bounty program outlined in the bill. It reflects a common misunderstanding of the vulnerability of computer systems that are not ‘Internet facing’. Not being ‘Internet facing’ is not even the same as the fabled ‘air gapped’ protection of control systems. Information systems will typically be accessible from networked computers that are themselves Internet accessible, even if the information system is not Internet facing.

The addition of this limitation on the systems to be included in the pilot program is even more confusing because the term ‘Internet facing’ is not defined in the bill. If the staff really wanted to limit the application of the program they should have included a definition that specified what limits they expected the Department to apply.

There was one interesting definition change made in the bill. The original bill cited 44 USC 3502 for the definition of ‘information system’. The new version of the bill instead uses the definition from 40 USC 11101. This really is not a change in definition since §11101(5) refers back to §3502 for the definition of the term. The term is still the IT-limited definition of the term, so no Department control system (building automation or access control systems for example) would be considered for the pilot program.

Monday, October 2, 2017

Committee Hearings – Week of 10-01-17

This week, with the House and Senate both in session on the first day of the new fiscal year, the lawmakers’ focus expands. We have four hearings of potential interest, two markup hearings and two cybersecurity hearings.

Markup Hearings


As I mentioned earlier, the Senate Commerce, Science, and Transportation Committee will hold their markup hearing on Wednesday. In addition to the markup of S 1885, the Committee will also take up S 1872 [note: this is a link to the committee draft], the TSA Modernization Act. I mentioned this briefly when it was introduced last week, but I will not really cover this bill since it has little to do with surface transportation security. I will note that it is attempting to finally reword the current DOT-referenced authorization of the TSA {49 USC 114} to move it to where the agency actually resides, in DHS.

Also on Wednesday, the Senate Homeland Security and Governmental Affairs Committee will hold a markup hearing that will cover a number of bills (many of which have yet to be introduced). It will specifically include S 1281, the Hack DHS Act of 2017. I would like to note that in my post on the bill, I made the statement that Sen. Hassan (D,NH) was not a member of the Homeland Security Committee, but she is currently a member.

Cybersecurity Hearings


The Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee will hold a hearing on Tuesday on “Examining DHS’s Cybersecurity Mission”. The witness list includes:

• Patricia Hoffman, DOE;
• Christopher Krebs, DHS; and
• Jeanette Manfra, DHS

It will be interesting to see if this hearing addresses the reorganization of DHS cyber activities that includes the move of ICS-CERT to NCCIC.

On Tuesday the Information Technology Subcommittee of the House Oversight and Government Reform Committee will hold a hearing on “Cybersecurity of the Internet of Things”. This hearing was originally scheduled for 09-27-17. The witness list includes:

• Matthew J. Eggers, US Chamber of Commerce;
• Josh Corman, Atlantic Council;
• Tommy Ross, The Software Alliance (BSA); and
• Ray O’Farrell, VMware

According to the hearing website the purpose of the hearing is:

• To examine the use of devices that comprise the Internet of Things (IoT) and their current and potential uses in federal government.
• To explore potential cyber threats posed by the use of IoT devices.
• To review private sector recommendations for securing the IoT, and explore potential legislative solutions.

Tuesday, June 13, 2017

HR 2774 Introduced – DHS Bug Bounty Program

Last week Rep. Lieu (D,CA) introduced HR 2774, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. This bill is very nearly identical {some minor formatting changes in §2(c)} to S 1281, which was introduced last month.

Unlike in the Senate, neither Lieu nor his three cosponsors are members of the House Homeland Security Committee to which this bill was referred for consideration. This means that it is extremely unlikely that this bill will be considered in the House.

Friday, June 9, 2017

S 1281 Introduced – DHS Bug Bounty

Last month Sen. Hassan (D,NH) introduced S 1281, the Hack the Department of Homeland Security (Hack DHS) Act of 2017. The bill would require DHS to set up a pilot program to establish a bug bounty program to minimize vulnerabilities in the information systems of the Department.

Pilot Program


The bill would require that the pilot program include registration and background checks for the security researchers participating in the program. It would provide for bounties to be paid “for reports of previously unidentified security vulnerabilities within the websites, applications, and other information systems of the Department that are accessible to the public” {§2(b)(2)(A)}. The program would be patterned on the DOD’s “Hack the Pentagon” program.

The bill authorizes $250,000 for the pilot program. Since the bill calls for letting competitive contracts for both running the program and remediating the vulnerabilities reported, it is not clear if these funds are for the administrative costs or the bounties. In either case, the amount seems low.

This bill is definitely IT centric as it uses the limited definition of ‘information systems’ found at 44 USC 3502(8). Thus, it would seem to exclude building control systems and security systems used by the Department. Additionally, DHS is required to designate ‘mission critical’ operations within the Department that would be exempt from the program.

Moving Forward


Hassan is not [corrected 10-4-17, 8:45 EDT] on the Homeland Security and Governmental Affairs Committee to which this bill has been assigned for consideration. All three of her cosponsors are (with two being fairly high-ranking Democrats) so there is a distinct possibility that the bill could be considered in Committee.

I do not see anything within the bill that would engender any significant opposition to the bill, either in committee or on the floor of the Senate.

Commentary


The one thing missing from this bill is any discussion about the publication of the vulnerabilities reported in the program. Presumably, most of the software involved will be commercial software, so there would be a public interest in having coordinated disclosures of the vulnerabilities in publicly available software. Disclosures in DHS custom or proprietary software could certainly be argued against.

An interesting point is raised in this bill. Section 2(b)(2)(B) specifically requires the Department to “consult with the Attorney General on how to ensure that computer security specialists and security researchers who participate in the pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the pilot program”.


This strikes me as a tad bit paranoid since the researchers are having to register with DHS to participate in the program. This means that they would be accessing the systems with permission which would preclude prosecution under §1030. That some researchers would request specific written permission with §1030 in mind would be understandable (security researchers should be paranoid), but for this verbiage to be included in the bill would seem to indicate an unusual level of paranoia in a Senate staffer (they write the bills in most cases) or someone is trying to make points with the cybersecurity community.

Friday, May 26, 2017

Bills Introduced – 05-26-17

Yesterday, with the House and Senate preparing to leave for an extended Memorial Day weekend (10 days), there were 186 bills introduced. Of those, three may be of specific interest to readers of this blog:

S 1269 A bill to require the Office of Pipeline Safety to consult with the Environmental Protection Agency or the Coast Guard in the event the Federal on-scene coordinator has concerns about the ability of a pipeline operator to respond to a worst case discharge. Sen. Stabenow, Debbie [D-MI]

S 1272 A bill to preserve State, local, and tribal authorities and private property rights with respect to unmanned aircraft systems, and for other purposes. Sen. Feinstein, Dianne [D-CA]

S 1281 A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes. Sen. Hassan, Margaret Wood [D-NH]


Most of the bills yesterday were introduced to allow various congresscritters the opportunity to show their constituents (and funders) that they are doing something in Washington. The vast majority of those bills will never see the light of day or even a congressional hearing. The first of these probably falls into that category, the other two I am not so sure. In any case I will almost certainly be covering these three bills.
 