Hack DHS to Boost Security of DHS Systems
“As the federal government’s cybersecurity quarterback, DHS must lead by example and constantly seek to strengthen the security of our own systems,” said Secretary Alejandro N. Mayorkas. “The Hack DHS program incentivizes highly skilled hackers to identify cybersecurity weaknesses in our systems before they can be exploited by bad actors.” Bug bounty programs are common in Silicon Valley. Tech giants like Apple, Microsoft, Twitter, and dozens of other organizations all run their own. Many people see the use of bug bounty programs by government agencies as a big shift. In the past, government agencies often threatened white hat hackers with legal recourse. Now, they invite them to help prevent security incidents. The very first bug bounty program in the history of the US Federal Government was “Hack the Pentagon,” launched in 2016. The government designed this pilot program to identify and resolve security vulnerabilities within the Defense Department’s public facing websites. Ethical hackers found nearly 140 unique and previously unidentified vulnerabilities. Individual payouts ranged from $100 to $15,000.
Up to $5,000 For Successful Researchers
The Department of Homeland Security will rollout “Hack DHS” in three phases throughout the 2022 fiscal year. During phase one, hackers will conduct virtual assessments on certain DHS external systems. Next, during the second phase, hackers will participate in a live, in-person hacking event. Finally, during the third phase, DHS will review lessons learned and plan for future bug bounties. The main goal, of course, is to identify potential cybersecurity vulnerabilities within DHS’s systems that could be exploited by malicious hackers and to increase the Department’s cybersecurity resilience. Another goal is to develop a model that other government organizations can use to increase their own cybersecurity resilience. As it is rather likely that hackers might access sensitive DHS systems, the department will only allow invited white hat hackers to participate. Successful security researchers will receive anywhere between $500 to $5,000, depending on the gravity of the vulnerability they discover. Note that this is significantly less than some of the bounties offered by big tech companies, which sometimes run into the tens of thousands.
Weaknesses to be Verified Within 48 Hours
Hack DHS will run from a platform created by the Department’s Cybersecurity and Infrastructure Security Agency (CISA). Participating hackers will have to abide by several rules of engagement. They must, for example, include detailed information about the vulnerability. They also have to reveal how they exploited it, and how it might allow other actors to access information. The Department of Homeland Security will then verify any reported weaknesses within 48 hours. The new bounty program builds on the best practices learned from similar, widely implemented initiatives across the private sector and the federal government. Bounty laws permit the Department to compensate individuals for mimicking hacker behavior. US Senator Maggie Hassan, one of the sponsors of the original bug bounty legislation, gave Hack DHS a nod of approval: “I am pleased that following the success of our bug bounty pilot program, [DHS] has decided to make this program a permanent part of its cybersecurity strategy.”
Challenging Times
News of the program comes just as details about an extremely severe zero-day software vulnerability in Apache Log4J are emerging. Cybercriminals are wasting no time to exploit the flaw. Cybersecurity agencies around the world, including CISA, are monitoring the situation and providing assistance as required.
