Nextgov: Senate-Passed Bill to Hack DHS Heads to House Floor

By Joseph Marks

The House Homeland Security Committee forwarded two bills Thursday to make it easier for ethical hackers to share computer vulnerabilities they find in Homeland Security Department websites.

The first bill, sponsored by House Majority Leader Kevin McCarthy, R-Calif., would direct Homeland Security officials to create a vulnerability disclosure policy. That policy would describe which department websites hackers can legally probe for vulnerabilities, how they can alert the department about those vulnerabilities, and when and how the department will respond to and remediate the vulnerabilities.

Homeland Security Sec. Kirstjen Nielsen told lawmakers in April that the department already plans to adopt such a policy, but the department has not made progress since then, Rep. Jim Langevin, D-R.I., said during Thursday’s markup.

The second bill, which has already been passed by the full Senate, would go a step further, requiring Homeland Security to create a formal program, known as a bug bounty, that would solicit vulnerability reports from hackers and pay them for vulnerabilities that checked out.

The Hack the Department of Homeland Security bill, sponsored by Sen. Maggie Hassan, D-N.H. in the Senate, is partly modeled on numerous successful bug bounty programs at the Pentagon and military services.

The bill would mark the first departmentwide bug bounty in the civilian government. The General Services Administration’s Technology Transformation Service also runs an ongoing bug bounty.

Those Defense Department bug bounties required a lot of time and money, however, and some bug bounty organizers have warned that a full bug bounty may not be a good investment for civilian agencies—especially if they lack the resources to investigate and patch all the bugs ethical hackers uncover.

Homeland Security’s top cybersecurity and infrastructure security official Chris Krebs initially expressed skepticism about a department bug bounty, worrying it could steal resources from other parts of the department’s cyber mission. He later endorsed the plan, however, during his confirmation hearing.

Inside Cybersecurity: Rep. Langevin: Restructuring cyber oversight a top priority for Democrats

By Charlie Mitchell

Streamlining congressional oversight of cybersecurity policy, creating a high-level “cyber director” role at the White House and — of course — closer scrutiny of Trump administration cyber efforts will top the priority list if Democrats take the House in November, according to one key Democratic lawmaker.

“We haven’t moved the ball enough on [cyber] oversight,” Rep. James Langevin (D-RI) told Inside Cybersecurity. “It needs to happen faster and more comprehensively.”

Langevin is the co-founder of the bipartisan Congressional Cybersecurity Caucus and a senior member of the Armed Services and Homeland Security committees.

He is in line to chair Armed Services’ cyber-focused emerging threats subcommittee if the Democrats get the net 24-seat pickup they need on Election Day to secure a House majority. Nonpartisan analyses and the latest polling aggregations show the Democrats poised to make the necessary gains.

But within the House’s current committee structure, Langevin said, “oversight of cybersecurity is too stove-piped — the jurisdictional issue is a problem and we need to streamline.”

What’s the problem? “Jurisdiction, jurisdiction, jurisdiction,” Langevin said. “It’s a major roadblock to legislation and oversight.”

With eighty-plus committees and subcommittees exercising authority over myriad cyber issues, “we need more agility in oversight,” Langevin said. “That takes strong leadership at the speaker and minority leader level. I hope we’re in the majority and can streamline oversight. That will be one of my top priorities.”

Otherwise, the ninth-term lawmaker said, “the only thing that moves the needle on cyber is a crisis.”

On other issues, Langevin cited the upcoming one-year anniversary of the Equifax hack in calling for action on data security and breach notice legislation, such as the bill he has introduced that would require notification to consumers within 30 days of detecting a breach and give the Federal Trade Commission statutory authority for “coordinating responses” to cyber attacks.

“There hasn’t been enough done to prevent future Equifaxes from happening or to notify consumers” of breaches, he said.

Langevin said that he will also push for a “Senate-confirmed cyber director role with budget authority, at the White House.”

“There needs to be one person who is responsible and accountable for what the policy is and what the metrics are for success.”

Such a position would have significantly more authority than the White House cyber coordinator role that President Trump eliminated earlier this year — and that was a creation of the Obama administration that lacked statutory authority.

Langevin likened the position he envisions — and has detailed in legislation introduced in the past two Congresses — to the Director of National Intelligence or the Director of National Drug Control Policy.

Langevin also discussed the new National Risk Management Center that the Department of Homeland Security has launched, calling it “a positive step forward” and saying he is “looking forward to hearing from them.”

“We need to make sure they have the tools they need and that the [National Cybersecurity and Communications Integration Center] is more operational in real time. But the risk management center could have real value,” he said.

Still, Langevin said, “we need to get better at assuring interagency coordination. The primacy of DHS is important, which is why enactment of NPPD reorganization is essential.”

Bipartisan legislation has cleared the House that would transform NPPD into a cybersecurity agency, but it remains stalled in the Senate, a source of bipartisan frustration among House members.

“Organizing and making clear the mission of NPPD is important, but we also need to know who is coordinating the whole-of-government strategy,” Langevin said, underscoring the need for a high-level policy director.

The lawmaker also expressed concerns that not enough has been done to secure state elections systems amid ongoing hostile action from Russia.

“We’re going into the elections with just a Band-Aid,” he said. “Time is short now but I’m concerned about DHS having enough resources to deal with states and localities, and to protect other critical infrastructure.”

With concerns lingering about the proper state and federal roles in election security, he added: “I encourage states to reach out for assistance — the federal government is never going to take over the electoral process.”

Cyber Scoop: DHS supply chain and CDM bills pass the House

By Zaid Shoorbajee

The House passed two bills Tuesday that aim to bolster the Department of Homeland Security’s cybersecurity efforts as they relate to securing the agency’s own vendor supply chain as well as securing other federal agencies’ networks.

Both bills now head to the Senate. One of them, the Securing the Homeland Security Supply Chain Act of 2018, would give the secretary of Homeland Security authority to block IT vendors deemed to pose a supply chain risk from contracting with the agency.

“There is no question that nation-states and criminal actors are constantly trying to exploit U.S. government and private sector systems to steal information or insert potentially harmful hardware or software,” said the bill’s sponsor, Rep. Peter King, R-N.Y., on the House floor before a voice vote.

King cited recent and ongoing U.S. government scrutiny of Russian cybersecurity company Kaspersky Lab and Chinese telecommunications companies Huawei and ZTE as justification for giving DHS this new authority. Those efforts “underscore the threats posed to the federal supply chain and the urgency in developing stronger mechanisms to secure it,” King said.

The bill as passed would only allow DHS to make these decisions for its own contracts.

“I am hopeful, this bill moves through the process, that we will also have an opportunity to consider legislation that provides similar authority to ensure national security vetting is incorporated into the wider government procurement process,” King said.

The other bill, the Advancing Cybersecurity Diagnostics and Mitigation Act, would codify into law DHS’s existing Continuous Diagnostics and Mitigation (CDM) program, which provides other federal agencies with monitoring and threat detection on their networks.

“We need to know what we have before we can try to defend it,” said Rep. John Ratcliffe, R-Texas, who introduced the bill. “[CDM] not only allows the ability to combat our enemies in cyberspace, but also to help federal CIOs manage information technology.”

DHS has been awarding billions of dollars worth of contracts to keep CDM’s various phases going. The bill passed Tuesday would make the program statutorily part of DHS.

Rep. Jim Langevin, D-R.I., also spoke in support of the CDM bill on the House floor, but expressed concern that the bill does not incentivize agencies to actually take advantage of the DHS program.

“This is a good bill, and I urge my colleagues to support its passage. However, I must take this opportunity to mention this bill’s major omission. It does not address the incentive structure at other agencies to actually adopt CDM offerings,” Langevin said.

Langevin lamented that CDM’s full potential is being hindered by the many congressional committees and federal agencies that compete over jurisdiction of cybersecurity issues.

“During hearings and roundtables on the program, we often heard from government stakeholders that internal dynamics at DHS’s sister agencies were actually the biggest obstacle to the program’s success,” Langevin said. “I urge my colleagues to consider the wisdom of having so many committees involved with cybersecurity jurisdiction often to the detriment of making real progress.”