Two U.S. senators have introduced a bill that would create a bug bounty program for the Department of Homeland Security (DHS), but industry experts warned those participating in the program need to be properly vetted.
Senators Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, late last week introduced the Hack Department of Homeland Security Act, which aims to leverage the work of white-hat hackers to help strengthen DHS by pointing out failure points in the code that runs the agency's website and computer network. Similar programs have been used in the private sector, and the Department of Defense instituted the Hack the Pentagon, Hack the Air Force and Hack the Army programs. In each case, white hats found dozens of bugs, enabling these services to tighten up their security.
Hassan noted that the DHS needs help in order to protect Americans from cyberattacks and that help can come from “patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens.”
Portman said proper cybersecurity at the federal level is a matter of national security and every avenue to improve the country's defenses needs to be explored.
“One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats,” he said.
However, others feel the government needs to be careful when setting up these types of programs because they give people carte blanche to do their worst to critical systems.
“As with Hack-The-Pentagon and the recent Hack-The-Army, there's both good and bad. The upside is that a bunch of folks will get to hack the government; however, I would assume pre-registration and background checks as well as an entire set of rules and regulations will have to be followed. So, yes, in the ‘spirit’ of hacking it's good,” said Chris Roberts, Acalvio's chief security architect, to SC Media.
Nathan Wenzler, chief security strategist at AsTech, agreed, saying appropriate measures have to be in place to vet those participating. He is also in favor of having each federal department or agency introduce bug bounty programs individually.
“Personally, I believe focusing on individual departments is a better plan than trying to have a single program covering every government site. This is especially important since different agencies have different types of data and are likely being attacked in different ways because of it,” he told SC Media.
Cybersecurity researcher Graham Cluley, writing for Tripwire, called the program a sensible, proactive move.
“My expectation is that we will see more and more public sector organizations and private companies recognize the benefits of working closely with ethical hackers and penetration testers,” he wrote.