DHS May Fast-Track Bug Bounties But Hit Brakes on Election Security

Homeland Security Secretary John Kelly testifies on Capitol Hill in Washington, Tuesday, June 6, 2017.

Homeland Security Secretary John Kelly testifies on Capitol Hill in Washington, Tuesday, June 6, 2017. Susan Walsh/AP

The department may launch a cash rewards program for ethical hackers before legislation requires it.

The Homeland Security Department may not wait for a legislative push before starting a bug bounty program, Secretary John Kelly told lawmakers Tuesday.

Bug bounties are cash rewards organizations offer to ethical hackers who spot exploitable flaws in their systems. They’re common at major tech companies and have been done in pilot form at the Defense Department and several of the military services.

Reps. Ted Lieu, D-Calif., and Scott Taylor, R-Va., introduced legislation Tuesday that would mandate a pilot Hack DHS program similar to DOD’s Hack the Pentagon. Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, introduced similar legislation last month.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

When Hassan asked Kelly about the bills during a budget hearing before the Senate Homeland Security Committee Monday, the secretary said he “absolutely will” review them and “probably will not wait to see if this law passes,” before taking action on a bug bounty.

Both the House and Senate versions of the Hack DHS bill would require participants to register with the government and would appropriate $250,000 to manage the program. Hack the Pentagon participants were also required to register with DOD.

DHS is the lead agency responsible for securing civilian government networks and is a liaison on cybersecurity and physical security issues with critical infrastructure providers such as power plants and transportation systems.

During Tuesday’s hearing, Kelly also told lawmakers he may reconsider a decision made late in the Obama administration to designate state and local election systems as critical infrastructure. Critical infrastructure is an official DHS designation that makes it easier for the department to provide resources and other aid.

Kelly signaled early in his term he supported the designation. He may reconsider the designation, though, in light of “a large amount of pushback” from state-level officials and some members of Congress, he said.

State officials consider the designation a federal power grab and worry it could undermine the nonpartisan image of election contests. The National Association of Secretaries of State called on DHS to rescind the designation in February.

Kelly will meet soon with state-level homeland security officials and plans to discuss the designation, he said.

“I will put that question to them: Should we back off on that?” he said. “I don’t believe we should, but should we back off? Do you see us as partners and helpers in this … to help you make sure your systems are protected?”

Former DHS Secretary Jeh Johnson made the designation after hackers linked to Russian intelligence services allegedly probed state voting systems without penetrating them.

The designation was made around the same time then-President Barack Obama imposed additional sanctions on Russia and expelled 35 Russian diplomats for an influence operation aimed at disrupting the 2016 presidential election. That influence operation included data breaches at Democratic political organizations.

Kelly declined to comment on a Monday report by The Intercept that Russian intelligence agencies may have penetrated the computer systems of a U.S. election software vendor. The story was based on a leaked document that appeared to come from the National Security Agency. The FBI arrested a contractor who may have leaked the document the same day.