November 28, 2016
In case you missed it, an editorial from the New York Times today applauded the Department of Defense for once again pursuing a “Bug Bounty” program, which rewards so-called “white hat” hackers who detect and report security vulnerabilities within the Pentagon’s cyber-networks. On October 24, 2016, U.S. Senators Angus King (I-Maine) and Martin Heinrich (D-N.M.), members of the Senate Select Committee on Intelligence, also commended the program in a letter to President Obama and urged him to expand it across the entire government.
“We believe such programs represent a cost-effective way to supplement and support the people who defend our government’s IT systems – and these efforts should not be limited to the Pentagon’s networks,” Senators King and Heinrich wrote in their October letter. “As such, we request that your administration work with us to establish standards and appropriate coordination platforms to build on the success of the Department’s pilot and promote government-wide bug bounty programs.”
+++
New York Times Editorial: Pentagon: Looking for a Few Good Hackers
By THE EDITORIAL BOARD | NOV. 28, 2016
In June 2015, the Office of Personnel Management announced that foreign hackers had stolen the personnel records of millions of federal employees, one of the most damaging cyberattacks in history. Just weeks later, the office of the Joint Chiefs of Staff shut down its unclassified email system for several days after officials detected that it had been breached.
These serious intrusions came months after a group affiliated with the Islamic State briefly commandeered the Central Command’s Twitter account and rebranded it as the “Cyber Caliphate.”
Given the enormity of the problem, one of the responses by the Department of Defense might seem befuddling. They’ve asked hackers willing to play by strict rules to find vulnerabilities in some of the Pentagon’s unclassified computer systems.
Well-intentioned computer security experts routinely scan the internet in search of vulnerabilities, which they often map out and report. Until now, doing that on Pentagon sites carried the considerable legal risk of running afoul of the Computer Fraud and Abuse Act.
“Hack the Pentagon” kicked off in April with a monthlong trial program that attracted 1,400 so-called white hackers to fiddle with Department of Defense websites on the hunt for weak points that could be exploited to steal data or jam systems. Those hackers spotted 138 weaknesses, according to the Pentagon, and were paid $75,000 in rewards.
Encouraged by the results, the Defense Department last week announced a formal policy permitting outside computer experts to test for vulnerabilities in the system and report them to the department. Secretary of Defense Ashton Carter called the initiative “a ‘see something, say something’ policy for the digital domain.” Those hackers won’t be paid for their reports, but officials hope they will do it out of a sense of duty.
In addition, the department has started “Hack the Army,” a program asking hackers who have been approved by the government to test the Army’s recruiting websites for weaknesses.
While these efforts represent just one aspect of the federal government’s effort to protect secret data more rigorously, Mr. Carter deserves credit for championing an unconventional approach.
“Hack the Pentagon” and “Hack the Army” allow defense officials to draw from a talent pool that includes people who would not ordinarily feel at home in the military’s hierarchical culture. It may well turn into an unconventional recruitment pipeline for an organization that always benefits from outside perspectives and carefully calibrated disruption.
+++
King, Heinrich Urge President to Strengthen Cybersecurity Networks
In a letter that comes days after complex cyber-attack, the Senators call on the President to adopt government-wide policies that will help detect vulnerabilities and communicate them to private sector
BRUNSWICK, ME – In the wake of a complex cyber-attack that disrupted service to Twitter, Spotify, The New York Times and other major websites, U.S. Senators Angus King (I-Maine) and Martin Heinrich (D-N.M.) today called on President Barack Obama to work with Congress to strengthen the federal government’s ability to detect and repair cyber-vulnerabilities within U.S. networks. In a letter sent today, the two members of the Senate Intelligence Committee urged the President to help establish uniform policies across the government that would secure U.S. networks and establish a comprehensive process that would relay any detected vulnerabilities to private sector companies for repair.
“Given the growing threat to our nation’s networks and digital services, we write to urge you to work with us to establish enduring government policies for the discovery, review, and sharing of security vulnerabilities. The recent intrusions into United States networks and the controversy surrounding the Federal Bureau of Investigation’s efforts to access the iPhone used in the San Bernardino attacks have underscored for us the need to establish more robust and accountable policies regarding security vulnerabilities,” Senators King and Heinrich wrote in their letter.
Senators King and Heinrich pointed specifically to the success of the Department of Defense’s (DOD) “Bug Bounty” program, which rewards so-called “white hat” hackers who detect and report security vulnerabilities within the DOD’s networks. Of the 1,410 vetted U.S.-based hackers who registered for the Pentagon’s program, 250 successfully found vulnerabilities and 138 submissions were found to be “legitimate, unique and eligible for a bounty.”
“We believe such programs represent a cost-effective way to supplement and support the people who defend our government’s IT systems – and these efforts should not be limited to the Pentagon’s networks,” the Senators wrote. “As such, we request that your administration work with us to establish standards and appropriate coordination platforms to build on the success of the Department’s pilot and promote government-wide bug bounty programs.”
The Senators also encouraged the President to continue to strengthen the Vulnerabilities Equities Process, otherwise known as VEP, which serves as the primary process for deciding whether a government entity must disclose to private companies information about security vulnerabilities in their products, or whether the government may withhold the information for law enforcement or intelligence purposes. The Senators requested that the Administration establish a comprehensive policy that includes standard criteria for reporting vulnerabilities to the VEP, guidelines for making VEP determinations, clear time limits for each stage of the process, adequate participation of all relevant government agencies, and regular reporting to Congress.
“We believe the VEP framework is vital to ensuring that security vulnerabilities are either disclosed immediately so the relevant companies can strengthen consumer security, or put through a robust, accountable, and expeditious review process in the exceptional circumstances when the government may wish to delay disclosure for a limited amount of time,” they wrote.
The complete text of the letter can be read below:
+++
October 24, 2016
The President
The White House
1600 Pennsylvania Avenue, NW
Washington, DC 20500
Dear Mr. President:
Given the growing threat to our nation’s networks and digital services, we write to urge you to work with us to establish enduring government policies for the discovery, review, and sharing of security vulnerabilities.
The recent intrusions into United States networks and the controversy surrounding the Federal Bureau of Investigation’s efforts to access the iPhone used in the San Bernardino attacks have underscored for us the need to establish more robust and accountable policies regarding security vulnerabilities. Specifically, we are exploring whether legislation is needed to establish government-wide policies with respect to two lines of effort: “bug bounty” programs that would help secure government networks like those used by the Office of Personnel Management, and formalizing the vulnerabilities equities process, which notifies software and hardware manufacturers of vulnerabilities discovered in their products.
Bug Bounty Programs: The private sector has been using bug bounty programs for decades to reward people who report security vulnerabilities in companies’ applications, websites, and networks. Earlier this year, the Department of Defense launched “Hack the Pentagon,” the first cyber bug bounty program in the history of the federal government. Of the 1,410 vetted U.S.-based hackers who registered for the Pentagon’s program, 250 successfully found vulnerabilities and 138 submissions were found to be “legitimate, unique and eligible for a bounty.”
We believe such programs represent a cost-effective way to supplement and support the people who defend our government’s IT systems – and these efforts should not be limited to the Pentagon’s networks. As such, we request that your administration work with us to establish standards and appropriate coordination platforms to build on the success of the Department’s pilot and promote government-wide bug bounty programs.
Vulnerabilities Equities Process (VEP): Over the last several years, your administration, led by White House Cybersecurity Coordinator Michael Daniel, has made progress in establishing the VEP as the primary process for deciding whether a government entity must disclose to private companies information about security vulnerabilities in their products, or whether the government may withhold the information for law enforcement or intelligence purposes. We believe the VEP framework is vital to ensuring that security vulnerabilities are either disclosed immediately so the relevant companies can strengthen consumer security, or put through a robust, accountable, and expeditious review process in the exceptional circumstances when the government may wish to delay disclosure for a limited amount of time.
During a Senate Armed Services Committee hearing on September 13th, Admiral Rogers said the NSA has utilized a “vulnerability evaluation process” since 2014 and that its “overall disclosure rate [of vulnerabilities to companies] has been 93 percent or so.” However, as of today, there is no legal obligation on government agencies to report the security vulnerabilities they discover or acquire to the White House-led VEP, nor is the VEP codified in law. In fact, it is unclear to us if all security vulnerabilities acquired by our government currently go through the VEP.
Therefore, we request that your administration work with us to establish comprehensive and enduring policies governing the VEP process, including standard criteria for reporting vulnerabilities to the VEP, guidelines for making VEP determinations, clear time limits for each stage of the process, adequate participation of all relevant government agencies, and regular reporting to Congress.
Finally, last year Congress passed, and you signed, the Cybersecurity Information Sharing Act of 2015 (CISA). We were early proponents of this legislation, which directs the federal government to increase its sharing of cyber information with the private sector to assist companies in protecting their systems, and provides clear authority and liability protection for private sector entities to share information with the government. We encourage your administration to use all of the authorities available under CISA to make progress on the lines of effort we have outlined above.
Thank you for your attention to these important issues. We look forward to working closely with your administration on these vital national security challenges in the weeks ahead.
###