US DHS Announces New Bug Bounty Program to Safeguard Systems'Hack DHS' Will Occur in 3 Phases During FY 2022; Builds Off DOD Program
The U.S. Department of Homeland Security this week announced a "Hack DHS" bug bounty program to identify potential cybersecurity vulnerabilities within its systems and to increase DHS' overall cyber resilience.
As part of the program, department officials will invite vetted cybersecurity researchers to access "select external DHS systems" and identify vulnerabilities with the potential for exploitation. Hackers uncovering vulnerabilities will be compensated by the department.
"As the federal government's cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems," says DHS Secretary Alejandro Mayorkas. "The 'Hack DHS' program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.
"This program is one example of how the department is partnering with the community to help protect our nation's cybersecurity."
The program will occur in three phases throughout the 2022 fiscal year, officials say, to develop a model that can be used by other organizations across different levels of government.
Phase one, DHS officials say, will involve virtual assessments on its external systems; phase two will see hackers participating in a live, in-person hacking event; and the third and final phase will involve DHS identifying and reviewing the findings and planning for future bug bounty programs.
The program will leverage a platform created by the department's Cybersecurity and Infrastructure Security Agency. It will include rules of engagement and be monitored by the DHS Office of the Chief Information Officer.
Vetted hackers will disclose findings to DHS system owners and leadership, outlining the vulnerability type, how it was exploited and how it might allow bad actors to access information.
The reward, officials say, is determined by using a sliding scale, with the highest bounties doled out to those uncovering the most severe bugs.
"Hack DHS" builds off a pilot program first rolled out by DHS in 2019, as a result of provisions authored by Sens. Maggie Hassan, D-N.H., and Rob Portman, R-Ohio, and Reps. Ted Lieu, D-Calif., and Scott Taylor, R-Va., and passed into law as part of the SECURE Technology Act. The law permits the department to compensate individuals chosen to evaluate DHS' systems.
The Department of Defense implemented a program called Hack the Pentagon in 2016. It was the federal government's first foray into bug bounty programs and according to The Hill, it has uncovered some 7,000 vulnerabilities in the Pentagon's systems.
Hack the Pentagon was pioneered by the DOD's Defense Digital Service, or DDS, under the leadership of then-Secretary of Defense Ash Carter, during the Obama administration. In its pilot, which ran from April to May 2016, white-hat hackers identified security lapses on the DOD's public-facing websites. Some 138 vulnerability reports were deemed legitimate, according to platform partner HackerOne. The program has since grown and received additional funding.
'Outsmart the Adversaries'
Security experts say the "Hack DHS" program should help DHS improve its cyber resilience.
Casey Ellis, founder and CTO at the firm BugCrowd, a platform partner for the "Hack DHS" program, says, "Like any organization who is on the internet, the DHS must outsmart all of the potential adversaries … before it is outsmarted. It takes an army of allies to outsmart an army of adversaries."
Mike Hamilton, former vice chair for the DHS' State, Local, Tribal, and Territorial Government Coordinating Council, and currently CISO of the firm Critical Insight, says the program has three clear benefits.
"First, [it] provides a mechanism for bringing to bear world-class information security practitioners that are reluctant to work for the federal government," he says. "Second, it will serve to identify vulnerabilities in federal agencies that are currently unknown. Third, it will provide some 'enforcement pressure' on agencies to better manage vulnerabilities."
Post-SolarWinds; Active Log4j Threat
DHS' new program comes amid a challenging year for network defenders, including the pervasive SolarWinds hack, which involved suspected Russian government-backed hackers breaching the networks of 100 organizations globally, with follow-on attacks on nine federal agencies, including DHS. And of course, there's latest security concern that has shaken the industry: Log4j.
Since the zero-day was publicly disclosed late last week, network defenders have been charged with mitigating the dangerous vulnerability across widely used Apache software. Cybersecurity experts now warn that a number of attackers tied to nation-states appear to be actively abusing or testing the Log4j vulnerability - tracked as CVE-2021-44228 - which allows for arbitrary remote code execution.
Criminal groups have begun to drop malicious code - including crypto-locking malware - while access brokers are using Log4j to gather enterprise access credentials they can then sell to other criminal gangs (see: Nation-State Attackers Wielding Log4j Against Targets).
Log4j, which is maintained by the nonprofit Apache Software Foundation, provides logging capabilities for Java applications and is widely used, including for Apache web server software. The flaw, feared to be years old, exists in the Apache Log4j library, versions 2.0-beta9 to 2.14.1.
CISA officials have warned that organizations need to prioritize Log4j mitigation. The agency has added the CVE to its new vulnerability catalog and imposed a Christmas Eve deadline for federal agencies to patch it.
CISA said on Tuesday that, to date, there have been no confirmed compromises of any federal agencies due to Log4j. CISA Executive Director for Cybersecurity Eric Goldstein told reporters that the vulnerability was "extremely concerning," according to Federal News Network. He cited the library's wide usage across devices and products - both consumer and enterprise and across sectors - the ease of exploitation, and the possibility of data exfiltration.