[Congressional Record Volume 164, Number 158 (Tuesday, September 25, 2018)]
[House]
[Pages H8878-H8880]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

                      HACK YOUR STATE DEPARTMENT ACT

  Ms. ROS-LEHTINEN. Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 5433) to require the Secretary of State to design and establish a Vulnerability Disclosure Process (VDP) to improve Department of State cybersecurity and a bug bounty program to identify and report vulnerabilities of internet-facing information technology of the Department of State, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 5433

       Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Hack Your State Department Act''.

     SEC. 2. DEFINITIONS.

       In this Act:
       (1) Bug bounty program.--The term ``bug bounty program'' means a program under which an approved individual, organization, or company is temporarily authorized to identify and report vulnerabilities of internet-facing information technology of the Department in exchange for compensation.
       (2) Department.--The term ``Department'' means the Department of State.
       (3) Information technology.--The term ``information technology'' has the meaning given such term in section 11101 of title 40, United States Code.
       (4) Secretary.--The term ``Secretary'' means the Secretary of State.

     SEC. 3. DEPARTMENT OF STATE VULNERABILITY DISCLOSURE PROCESS.
       (a) In General.--Not later than 180 days after the date of the enactment of this Act, the Secretary shall design, establish, and make publicly known a Vulnerability Disclosure Process (VDP) to improve Department cybersecurity by--
       (1) providing security researchers with clear guidelines for--
       (A) conducting vulnerability discovery activities directed at Department information technology; and
       (B) submitting discovered security vulnerabilities to the Department; and
       (2) creating Department procedures and infrastructure to receive and fix discovered vulnerabilities.
       (b) Requirements.--In establishing the VDP pursuant to paragraph (1), the Secretary shall--
       (1) identify which Department information technology should be included in the process;
       (2) determine whether the process should differentiate among and specify the types of security vulnerabilities that may be targeted;
       (3) provide a readily available means of reporting discovered security vulnerabilities and the form in which such vulnerabilities should be reported;
       (4) identify which Department offices and positions will be responsible for receiving, prioritizing, and addressing security vulnerability disclosure reports;
       (5) consult with the Attorney General regarding how to ensure that approved individuals, organizations, and companies that comply with the requirements of the process are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under the process;
       (6) consult with the relevant offices at the Department of Defense that were responsible for launching the 2016 Vulnerability Disclosure Program, ``Hack the Pentagon'', and subsequent Department of Defense bug bounty programs;
       (7) engage qualified interested persons, including nongovernmental sector representatives, about the structure of the process as constructive and to the extent practicable; and
       (8) award a contract to an entity, as necessary, to manage the process and implement the remediation of discovered security vulnerabilities.
       (c) Annual Reports.--Not later than 180 days after the establishment of the VDP under subsection (a) and annually thereafter for the next six years, the Secretary of State shall submit to the Committee on Foreign Affairs of the House of Representatives and the Committee on Foreign Relations of the Senate a report on the following with respect to the VDP:
       (1) The number and severity, in accordance with the National Vulnerabilities Database of the National Institute of Standards and Technology, of security vulnerabilities reported.
       (2) The number of previously unidentified security vulnerabilities remediated as a result.
       (3) The current number of outstanding previously unidentified security vulnerabilities and Department of State remediation plans.
       (4) The average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities.
       (5) An estimate of the total cost savings of discovering and addressing security vulnerabilities submitted through the VDP.
       (6) The resources, surge staffing, roles, and responsibilities within the Department used to implement the VDP and complete security vulnerability remediation.
       (7) Any other information the Secretary determines relevant.

     SEC. 4. DEPARTMENT OF STATE BUG BOUNTY PILOT PROGRAM.

       (a) Establishment of Pilot Program.--
       (1) In general.--Not later than one year after the date of the enactment of this Act, the Secretary shall establish a bug bounty pilot program to minimize security vulnerabilities of internet-facing information technology of the Department.
       (2) Requirements.--In establishing the pilot program described in paragraph (1), the Secretary shall--
       (A) provide compensation for reports of previously unidentified security vulnerabilities within the websites, applications, and other internet-facing information technology of the Department that are accessible to the public;
       (B) award a contract to an entity, as necessary, to manage such pilot program and for executing the remediation of security vulnerabilities identified pursuant to subparagraph (A);
       (C) identify which Department information technology should be included in such pilot program;
       (D) consult with the Attorney General on how to ensure that approved individuals, organizations, or companies that comply with the requirements of such pilot program are protected from prosecution under section 1030 of title 18, United States Code, and similar provisions of law for specific activities authorized under such pilot program;
       (E) consult with the relevant offices at the Department of Defense that were responsible for launching the 2016 ``Hack the Pentagon'' pilot program and subsequent Department of Defense bug bounty programs;
       (F) develop a process by which an approved individual, organization, or company can register with the entity referred to in subparagraph (B), submit to a background check as determined by the Department, and receive a determination as to eligibility for participation in such pilot program;
       (G) engage qualified interested persons, including nongovernmental sector representatives, about the structure of such pilot program as constructive and to the extent practicable; and
       (H) consult with relevant United States Government officials to ensure that such pilot program complements persistent network and vulnerability scans of the Department of State's internet-accessible systems, such as the scans conducted pursuant to Binding Operational Directive BOD-15-01.
       (3) Duration.--The pilot program established under paragraph (1) should be short-term in duration and not last longer than one year.
       (b) Report.--Not later than 180 days after the date on which the bug bounty pilot program under subsection (a) is completed, the Secretary shall submit to the Committee on Foreign Relations of the Senate and the Committee on Foreign Affairs of the House of Representatives a report on such pilot program, including information relating to--
       (1) the number of approved individuals, organizations, or companies involved in such pilot program, broken down by the number of approved individuals, organizations, or companies that--
       (A) registered;
       (B) were approved;
       (C) submitted security vulnerabilities; and
       (D) received compensation;
       (2) the number and severity, in accordance with the National Vulnerabilities Database of the National Institute of Standards and Technology, of security vulnerabilities reported as part of such pilot program;
       (3) the number of previously unidentified security vulnerabilities remediated as a result of such pilot program;
       (4) the current number of outstanding previously unidentified security vulnerabilities and Department remediation plans;
       (5) the average length of time between the reporting of security vulnerabilities and remediation of such vulnerabilities;
       (6) the types of compensation provided under such pilot program; and
       (7) the lessons learned from such pilot program.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from Florida (Ms. Ros-Lehtinen) and the gentleman from New York (Mr. Engel) each will control 20 minutes.
  The Chair recognizes the gentlewoman from Florida.

                             General Leave

  Ms. ROS-LEHTINEN. Mr. Speaker, I ask unanimous consent that all Members may have 5 legislative days to revise and extend their remarks and to include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the gentlewoman from Florida?
  There was no objection.
  Ms. ROS-LEHTINEN. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, a massive breach of the State Department's unclassified computer network in 2014 exposed grave weaknesses in its information technology systems. And in the years since that attack, problems have continued to mount.
  The Department's cybersecurity response program received a D rating, the lowest of any agency, on its Federal Information Security Management Act report card in 2017. And just this month, the Department revealed that it recently suffered a breach of its unclassified email system, which exposed the personal information of some of its employees.
  Mr. Speaker, more must be done to ensure cost-effective solutions to the Department's information technology security challenges. The Hack Your State Department Act, authored by my Foreign Affairs Committee colleagues Ted Lieu and Ted Yoho, will help address cybersecurity gaps at the Department.
  This bill will crowdsource solutions and offer a layered approach to information technology security, consistent with the 2017 Report to the President on Federal IT Modernization. This bill achieves this in two ways:
  First, the bill establishes a vulnerability disclosure process to give security researchers clear guidelines for discovering and reporting cybersecurity vulnerabilities. This is considered a best practice in the private sector and, frankly, should be done in all government agencies.
  Second, this bill would establish a bounty pilot program at the Department to reward ethical hackers for discovering and reporting vulnerabilities. Numerous private-sector companies and the Department of Defense have used programs like this to improve their cyber defenses at minimal cost.
  The Department said that its Hack the Pentagon program ``demonstrated the power of engaging the hacker community to help address cybersecurity challenges of the Department of Defense.'' In its first pilot, hackers identified over 130 unique vulnerabilities, exceeding the Defense Department's expectations so much that it announced plans to expand the program to all of its more than 700 websites.
  Both the vulnerability disclosure process and the bounty pilot program are designed to complement persistent network scans currently done by the Department of Homeland Security and other cybersecurity activities undertaken by the Department of State.
  As a national security Department, the State Department must do more to secure its networks. The Hack Your State Department Act is a small but important step to bring cost-effective solutions commonly used in the private sector to bear in support of this goal.
  Mr. Speaker, I reserve the balance of my time.
  Mr. ENGEL. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, I rise in support of this measure.
  Mr. Speaker, I thank Representative Lieu of southern California, a very valued member of the Committee on Foreign Affairs, for his hard work on this bill.
  It is important, Mr. Speaker, that we modernize our agencies across government to better deal with 21st century challenges. The State Department is under constant threat of cyberattacks from foreign actors bent on stealing our secrets, disrupting our foreign policy, and undermining our security.
  Just 8 days ago, it was reported that the State Department's email system was breached. This time, whoever was behind the attack got ahold of private information about State Department personnel. Who knows what they will get their hands on next time.
  Mr. Lieu's bill will help shore up the State Department against this sort of intrusion. First of all, it requires the Secretary of State to get out ahead of this problem.
  Instead of waiting for the next attack to happen, this bill would mandate a plan for researchers to actively seek out and report vulnerabilities.
  Secondly, this bill launches a new initiative, a so-called bug bounty program. This seeks to tap the expertise of everyday Americans by rewarding citizens who uncover and report security risks in the Department's computer system. It will also allow security researchers and friendly hackers to find the cracks in the system so that the Department can patch them.
  This effort is modeled after a very successful program at the Defense Department, which got off the ground in 2016. Since then, 1,400 people have registered to participate, and they have found roughly 140 vulnerabilities.
  Our Federal agencies should learn from one another. It is just common sense to put this tested practice to work at the State Department and elsewhere.
  Mr. Speaker, I commend Mr. Lieu. I am glad to support this bill, and I reserve the balance of my time.
  Ms. ROS-LEHTINEN. Mr. Speaker, I reserve the balance of my time.
  Mr. ENGEL. Mr. Speaker, it is my pleasure to yield 5 minutes to the gentleman from California (Mr. Ted Lieu), the author of the bill.
  Mr. TED LIEU of California. Mr. Speaker, I thank Representative Engel for yielding.
  Mr. Speaker, I rise today in support of my legislation, H.R. 5433, the Hack Your State Department Act, that I co-authored with my friend, Ted Yoho of Florida.
  Over the years, the State Department has faced mounting cybersecurity threats from both criminal enterprises and state-sponsored hackers. In 2014, for instance, the Department was infiltrated by Russian hackers and had to temporarily shut down its email system. Just last week, the State Department suffered another cybersecurity breach that exposed the personal information of a number of its employees.
  As an agency with a critical national security role, we must do more to protect the State Department's cybersecurity.
  If there is any doubt that diplomatic cables cannot be sent to Washington securely or if sensitive diplomatic subjects are revealed, it jeopardizes the whole operation.
  As a recovering computer science major, I recognize that there are proven tools at our disposal to improve cybersecurity that the Department has yet to adopt. One such tool is to enlist the help of America's top security researchers to find weaknesses in our cybersecurity. This legislation will bring that tool to the State Department after it has been proven successful in both the private sector, as well as at the Pentagon.
  My legislation will do two things. The first step of this bill is to establish what is called a vulnerability disclosure process, which sets clear rules of the road so that, when people outside the Department discover vulnerabilities on Department systems, they can report it in a safe, secure, and legal manner with the confidence that the Department will actually fix the problems.

                              {time}  2245

  We cannot afford to allow vulnerabilities discovered in the wild remain known to hackers but unknown to the Department. This should be an easy fix.
  The second step is to actually pay vetted white-hat hackers to find vulnerabilities. The Department of Defense proved the success of their bug bounty program back in 2016. Over a 24-day period, the Pentagon learned of and fixed over 138 vulnerabilities in its systems.
  A 2017 report to the President on Federal IT modernization stated: ``Agencies must take a layered approach to penetration testing. . . . At a bare minimum, agencies should establish vulnerability disclosure policies. . . . Agencies should also identify programs that are appropriate to place under public bug bounty programs such as those run by the Department of Defense or GSA.''
  Today, with H.R. 5433, the House of Representatives is taking these recommendations to heart and helping to improve cybersecurity at the Department of State.
  Mr. Speaker, I would like to thank Representative Yoho for partnering with me on this important legislation. I would like to thank Chairman Royce, Ranking Member Engel, and their staff for moving this bill through our committee.
  Ms. ROS-LEHTINEN. I continue to reserve the balance of my time, Mr. Speaker.
  Mr. ENGEL. Mr. Speaker, I am prepared to close.
  In closing, I want to again thank Mr. Lieu and Chairman Royce.
  It seems to me, Mr. Speaker, that we have been caught flatfooted before a range of new threats, including cyber attacks. Our agencies have not done enough to root out vulnerabilities, and, frankly, Congress hasn't done enough either to make sure our agencies across the government have the tools they need to tackle these challenges.
  I hope going forward we will be able to take a comprehensive look at cyber threats and make sure the State Department, and all our departments and agencies, are up to the task.
  For now, this bill is a good step in the right direction. It replicates an approach that has worked well over the last few years.
  Mr. Speaker, I urge all Members to support it, and I yield back the balance of my time.
  Ms. ROS-LEHTINEN. Mr. Speaker, I yield myself such time as I may consume.
  Mr. Speaker, in closing, I would like to thank my colleagues--Ted Lieu, a hardworking member of our Foreign Affairs Committee, and Ted Yoho, chairman of the Subcommittee on Asia and the Pacific--for crafting this bipartisan legislation.
  By unleashing the expertise of patriotic hackers, this bill will help the State Department identify and patch vulnerabilities on its computer systems. The Hack Your State Department Act takes an innovative approach to improving network security at a Department that is in such desperate need of new solutions and improved capabilities.
  Mr. Speaker, I urge passage of this bipartisan bill, and I yield back the balance of my time.
  Ms. JACKSON LEE. Mr. Speaker, I rise today in support of H.R. 5433, the ``Hack Your State Department Act''.
  This act would direct the State Department to establish what is known in the cybersecurity community as a `bug bounty' program.
  Bug bounty programs, also known as Vulnerability Disclosure Programs, are comprehensive efforts by an organization to lay out the method by which members of the public may report any security vulnerabilities to an entity. They also lay out which of their resources are covered by this policy, and how any identified vulnerabilities will be addressed.
  At a time when the computer networks of our government are under constant attack, and have suffered serious breaches in recent years, we must take action to ensure that the information of our citizens and the ability of federal agencies to carry out their duties are resilient.
  As a long-time advocate of a government that works efficiently for the people, it is clear that current information security practices of federal agencies, including the State Department, must evolve to keep pace with improved standards and policies.
  Without an honest effort to seek awareness of the security of the State Department network, users, and devices, we will continue to be increasingly vulnerable.
  To that end, H.R. 5433 recognizes the importance of a dynamic approach that will help secure federal networks and data, beginning with the State Department, as well as provide improved information on vulnerabilities and security practices across the various agencies.
  Without codifying this concrete measure to improve awareness of federal network security at the State Department, this important agency will remain vulnerable.
  We have seen an unfortunate loss of cybersecurity talent at the State Department this year. Further, even despite this, the White House has eliminated the position of Cybersecurity Coordinator from the National Security Council.
  This occurred even after Federal Risk Determination Reports found that communication of threat information within agencies is also inconsistent, with only 59 percent of agencies reporting a capability to share threat information to all employees within an enterprise so they have the knowledge necessary to block attacks.
  Federal agencies are not taking advantage of all available information such as threat intelligence, incident data, and network traffic flow to improve situational awareness regarding systems at risk and to prioritize investments.
  For this reason, earlier this Congress, I introduced H.R. 3202, the ``Cyber Vulnerability Disclosure Reporting Act'', which was passed by the full House and is now in the Senate.
  H.R. 3202 requires the Secretary of Homeland Security to submit a report on the policies and procedures developed for coordinating cyber vulnerability disclosures. The report will include an annex with information on instances in which cyber security vulnerability disclosure policies and procedures were used to disclose details on identified weaknesses in computing systems or digital devices at risk. The report will provide information on the degree to which the information provided by DHS was used by industry and other stakeholders.
  I would also like to recognize the University of Houston, which has been recognized by the Department of Homeland Security and the National Security Agency as a Center of Academic Excellence for the programs in cybersecurity and cyber defense.
  In closing, Mr. Speaker, I urge all members to join me in voting to pass H.R. 5433, the ``Hack Your State Department Act''.
  The SPEAKER pro tempore. The question is on the motion offered by the gentlewoman from Florida (Ms. Ros-Lehtinen) that the House suspend the rules and pass the bill, H.R. 5433, as amended.
  The question was taken; and (two-thirds being in the affirmative) the rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table. ____________________