The House Foreign Affairs Committee on Wednesday approved a bipartisan bill that would incentivize ethical hackers to hunt for vulnerabilities in the State Department’s digital systems.
The legislation would direct the department to set up a pilot “bug bounty” program to pay security researchers for discovering and reporting vulnerabilities in the department’s public internet-facing systems.
The bill and others like it represent a growing effort in Washington to address weaknesses in the federal government’s digital systems and better guard against evolving threats from nation-state and criminal hackers.
“The 2014 breach of the department’s unclassified computer network exposed grave weaknesses in its public-facing information technology systems,” Chairman Ed Royce (R-Calif.) said Wednesday, noting that the legislation “would help address cybersecurity gaps at the department.”
The 2014 hack, in which Russia is suspected, forced the department to shut down its unclassified email system for several days.
Lawmakers approved the legislation along with several others at a meeting Wednesday morning. The bill, offered by Reps. Ted Lieu (D-Calif.) and Ted Yoho (R-Fla.), now heads to the full House for a vote. There is currently no companion legislation being offered in the Senate.
The proposed State Department pilot program would be modeled after a program that the Defense Department has run for two years called “Hack the Pentagon.” The program has been widely cheered as a success, turning up more than 3,000 vulnerabilities in public-facing Pentagon websites.
Under the legislation, the department would be required to set up the pilot bug bounty program within one year of the bill’s enactment. The department would be required to report to Congress on its progress three months after its establishment, including disclosing the number and severity of vulnerabilities discovered.
The bill would also direct the State Department to set up a public Vulnerability Disclosure Program (VDP) that provides guidelines for security researchers to follow when looking for and reporting vulnerabilities, and that establishes procedures at the department for fixing those vulnerabilities.
Lieu said Wednesday that the provision “sets clear rules of the road so that when people outside the department discover vulnerabilities on systems, they can report it in a safe, secure and legal manner with the confidence that the department will actually fix the problems.”
The department would be required to report annually to Congress on the progress of the vulnerability disclosure program for six years after the bill’s enactment.
The legislation is one of several efforts in Congress to expand bug bounty programs in the federal government.
Similar legislation that would establish a program at the Department of Homeland Security passed the upper chamber in April.