Sens. Cory Gardner, R-Colo., and Ed Markey, D-Mass., introduced the Hack Your State Department Act on June 12.
The legislation would require the Secretary of State to “design and establish a Vulnerability Disclosure Process to improve Department of State cybersecurity and a bug bounty program to identify and report vulnerabilities of Internet-facing information technology of the Department of State.”
The senators said the hackers used in the program would be “pre-screened” and compensated for their work. The bill also would provide a way for the general public to report cybersecurity vulnerabilities to the State Department.
“We need to be doing everything we can to make sure the State Department’s cyber defenses are hardened and can thwart cyber-attacks from bad actors that wish to do our country harm,” said Gardner. “This bipartisan bill will allow the general public to contribute to our nation’s cyber defenses and will result in a more secure cyber network at the State Department.”
The State Department would have one year following enactment of the bill to launch the pilot of the bug bounty program. Following completion of the pilot, the agency would have 180 days to submit a report to the Senate Committee on Foreign Relations and the House Committee on Foreign Affairs detailing the pilot program, its successes, and lessons learned.
The State Department also would have 180 days to “design, establish, and make publicly known a Vulnerability Disclosure Process to improve cybersecurity within the Department.” The agency would have to develop guidelines for security researchers looking for security vulnerabilities and create a plan to address and remediate discovered vulnerabilities.
Bug bounty programs are already in place at the Departments of Defense and Homeland Security.
“Our national security agencies are increasingly under assault by sophisticated and malicious cyber-armies,” said Sen. Markey. “Instead of reacting to attacks and breaches after the fact, we must proactively pursue innovative, cost-effective ways to bolster our defenses and protect the State Department, its data, and its employees before harm occurs. This legislation is a powerful tool to build on similar, successful efforts that have helped other agencies like the Defense Department protect themselves in an increasingly hostile cyber environment.”
The House passed the bill overwhelmingly in January.