Rep. Ted Lieu, D-Calif., will announce Tuesday a bill that would require all federal contractors to have a vulnerability disclosure program.
The Improving Contractor Cybersecurity Act draws inspiration from the Department of Homeland Security’s Binding Operational Directive 20-01, which ordered federal agencies to develop disclosure programs.
“As we have seen with SolarWinds and now with USAID, every vendor is a potential threat vector. With this bill, we're acknowledging that risk and making sure the federal contracting statute can meet our needs from a risk management standpoint,” Lieu told SC Media.
The bill does not require contractors to patch a vulnerability. But it does require contractors to tell a researcher submitting a vulnerability what steps (if any) would remediate the bug, confirm remediation when complete, assess whether the vulnerability is valid, and, if the contractor is not actually responsible for the component with the vulnerability, to notify whoever is.
“Ultimately, our approach is to incentivize these companies to take appropriate measures, not to take enforcement action against them for failing to patch a vulnerability,” said Lieu.
Lieu worked with several well-known disclosure experts and federal cybersecurity experts in crafting the bill. A press release lists praise from the Institute for Critical Infrastructure Technology, HackerOne, and the Electronic Privacy Information Center, as well as former top cyber diplomat at the State Department Christopher Painter, former Deputy Assistant Secretary for Policy at DHS Paul Rosenzweig (currently of the R Street Institute), and Atlantic Council Cyber Safety Innovation Fellow Beau Woods.
One prominent researcher solicited for advice was Katie Moussouris, founder and CEO of Luta Security, who created the bug bounty and disclosure program at Microsoft and the Pentagon. With the final text of the bill not available at the time of the interview with SC Media, she was not able to assess exactly how effective the bill would be.
But one concern she noted was the lack of a team dedicated to remediating the flood of vulnerabilities such disclosure programs would spotlight.
“Without trained people, process, and technology positioned internally to assess relative prioritization of all bugs, and develop and test solutions, simply standing up a way to report bugs will miss the intent,” she said.
This is a common problem even for companies that fully intend to address all submitted vulnerabilities in disclosure or bounty programs: learning about more vulnerabilities will not translate to more fixes, unless resources are put in place to keep up.
Though contracts would not require remediation of any number of vulnerabilities brought in through the programs, the government would be able to decline to renew contracts with companies whose handling of vulnerabilities raised researchers' ire.
One major purported benefit of the recent White House executive order imposing cybersecurity requirements on software sold to the government was that it would move the broader technology market. Lieu hopes the same for his bill.
“Contracting requirements are a good way to shift the market toward a more aggressive, active role in remediating vulnerabilities and making sure the [U.S. government] is tackling low-hanging fruit,” he said.