WASHINGTON, D.C. – Today, the U.S. Senate Homeland Security and Governmental Affairs Committee passed the bipartisan Hack Department of Homeland Security (DHS) Act, which was introduced by Senators Rob Portman (R-OH) and Maggie Hassan (D-NH). The bill, which is also cosponsored by Senators Claire McCaskill (D-MO) and Kamala Harris (D-CA), would establish a bug bounty pilot program – modeled off of similar programs at the Department of Defense and major tech companies – in order to strengthen cyber defenses at DHS by utilizing “white-hat” or ethical hackers to help identify unique and undiscovered vulnerabilities in the DHS networks and information technology.

Bipartisan companion legislation has also been introduced in the U.S. House by Congressmen Ted Lieu (D-CA) and Scott Taylor (R-VA).

The networks and systems at DHS are vital to the security of Ohioans and all Americans.  It is imperative that we take every step to protect our DHS networks from the threats they face every day. One important tool would be to incentivize ethical hackers in the private sector to find vulnerabilities before bad actors do. I applaud the Homeland Security and Governmental Affairs Committee for approving this important bill and look forward to working with Senator Hassan to continue building support in the Senate to protect DHS from cyber threats,” Senator Portman said.

The Department of Homeland Security is a prime target for cyberattacks that can threaten the safety, security, and privacy of millions of Americans, and the Department must do everything in its power to protect the American people from these threats,” Senator Hassan said. “Employing patriotic, ethical hackers who can help identify weaknesses in the Department’s cyber systems is a common-sense step that has been successfully utilized in the private sector, and I will continue working with Senator Portman and colleagues from both parties to pass this important legislation into law.”

NOTE: As the Department in charge of helping to secure all “.gov” domains, as well as critical infrastructure throughout the country, DHS must ensure that its own networks and information technology are free from unintended or unidentified vulnerabilities. The Hack DHS Act will establish a bug bounty program based on the Department of Defense’s pilot program. Under the bill, payments would be provided to white-hat hackers that identify unique and undiscovered vulnerabilities in DHS’s networks and data systems. These white-hat hackers must submit to a background check to help ensure that these individuals do not pose a threat. In addition, the DHS Secretary must work with the Attorney General to ensure that participants in the bug bounty program do not face prosecutions for their specific work in the program.

During a Homeland Security and Governmental Affairs Committee markup today, Senator Portman explained how the Hack DHS Act will strengthen cyber defenses at DHS. Excerpts can be found below and a video can be found here.

I think it’s important to explain it a bit… What we propose is basically taking the Pentagon model. What it says is that you actually bring in the White Hats, the hackers that are good at what they do, and try to find vulnerabilities in the system.  And it’s worked well at the Pentagon. They call it the Bug Bounty Program and they’ve experimented with large contracts to identify a number one vulnerabilities. Over 200 vulnerabilities reports came in from these white-hat hackers in the first six hours alone. In other words, they were able to discover where the vulnerabilities that could then be closed to keep the people who were not wearing the White Hats, who are trying to access are, in this case Department of Defense, but as Senator Daines just said, the Department of Homeland Security’s job is to keep us safe and so we think that it is absolutely appropriate to take this program over to the Department of Homeland Security. He also said we should focus on IT, that’s what this is, so I’m hopeful that this legislation, which was improved today by the way, and I appreciate that, and I think that we’re all interested in making sure it works effectively and that DHS is ready to address any vulnerabilities immediately. I think the bill is improved thanks to your staff today, in that regard. But let’s make this work at DHS, let’s get this through the floor and then let’s see whether it’s appropriate to extend to other agencies and departments, because this is not going away. We’ve seen in the front pages this morning again the discussion of how vulnerable we are as a country to hackers, some of which are foreign country controlled hackers and it’s important that we move this to DHS. So thank you for your support on that and I appreciate the fact that we now have it moving toward the floor for a vote.”

###