DHS Plans To Formalize Bug Disclosure Policy


The policy will make it easier for computer researchers to share hackable vulnerabilities they find in Homeland Security systems.

The Homeland Security Department plans to formalize a method for ethical hackers to share with the department hackable vulnerabilities they find in its public-facing websites and other internet tools, Secretary Kirstjen Nielsen told lawmakers Thursday.

That would bring Homeland Security up to speed with the Defense Department and the General Services Administration’s tech transformation wing, which already have vulnerability disclosure policies.

The progress is too slow, however, for Rep. Jim Langevin, D-R.I., who pressed Nielsen about the issue during a budget hearing before the Homeland Security Committee.

“I wasn’t satisfied with her response, but I think she has good intentions,” Langevin told Nextgov after the hearing. “I want to work with her to make sure DHS has a robust vulnerability disclosure policy in place and she did say she’s willing to work on that.”

Currently, Homeland Security has an informal process for accepting vulnerability reports, Nielsen told Langevin. That happens primarily through the department’s cyber operations division, the National Cybersecurity and Communications Integration Center, or its Computer Emergency Readiness Team, which runs a clearinghouse for all cyber threat information, she said.

Homeland Security is in the process of making that process clearer for ethical hackers who want to report bugs, Nielsen said.

In addition to supplying internet security researchers with a point person when they find hackable bugs, vulnerability disclosure policies typically give researchers guidance on how to scour for vulnerabilities without running afoul of the organization’s policies or computer hacking laws, which are notoriously murky.

The government’s cyber standards agency, the National Institute of Standards and Technology, has urged industry to adopt vulnerability disclosure policies.

“First and foremost, there has to be a process in place so that if a security researcher comes across a vulnerability at DHS, there’s a clear mechanism in place as to whom to report it to and a commitment on their part that it’s clear what they’re going to do about it,” Langevin said.

Legislation that passed the Senate this month would go one step further than a vulnerability disclosure policy by mandating a bug bounty at Homeland Security. That’s essentially a contest that offers ethical hackers cash rewards for the vulnerabilities they uncover.

The Defense Department has run four bug bounties, one each at the Pentagon and Army and two at the Air Force.

Nielsen repeated a warning Thursday that a bug bounty will be useful for uncovering vulnerabilities at her agency, but “isn’t a silver bullet.” If the bug bounty bill becomes law and the department has sufficient funding, Homeland Security will implement it, she said.

Homeland Security officials previously warned that a bug bounty might duplicate work the agency is already doing to hunt for vulnerabilities and that scarce resources might be better spent elsewhere.

Companion legislation to mandate a Homeland Security bug bounty has been introduced by Rep. Ted Lieu, D-Calif., in the House.

Langevin supports a Homeland Security bug bounty eventually, he told Nextgov, but doesn’t want to force the agency into a bug bounty program before it’s arranged the resources to properly run it and to prioritize and patch vulnerabilities that independent researchers uncover.

He noted that the Defense Department’s “Hack the Pentagon” bug bounty required extensive preparation beforehand.

“Creating a vulnerability disclosure policy is obviously the first step,” he said.

Doing R and D on the Go

Nielsen defended, during Thursday’s hearing, the Trump administration’s plan to shift Homeland Security’s $41 million cyber research and development efforts from its science and technology wing to the department’s cyber operations division.

The goal, she said, is to better align the department’s research efforts with the cybersecurity needs of critical infrastructure sectors that the cyber operations division works with, such as energy plants, hospitals and airports.

“The threat continues to evolve very, very quickly so we need to be continuing to do R and D as we operate, [to] innovate as we go,” she said.

Langevin said he opposed the move and is worried Homeland Security’s cyber operations division is so busy with its primary responsibilities that research will become an afterthought.

The Senate version of a Homeland Security reauthorization bill would mandate that research money remain in the science and technology directorate.

Cyber Strategy Coming Soon

Nielsen also told lawmakers that a long-awaited government cybersecurity strategy will be released within the next two weeks.

One key element of that strategy will be a program for Homeland Security to provide cyber tools directly to critical industry, Nielsen said during a preview at the RSA Cybersecurity Conference last week.

Other priorities include focusing more on systemic cyber risks that cut across industry sectors, improving cyber defense cooperation between industry and government, and making digital systems more resilient against cyber strikes.
