January 31, 2020 Public Contract Law Journal

Bug the Bounty Hunter: Recommendations to Congress to Best Effectuate the Purpose of the SECURE Technology Act

by Myles Ashong

Myles Ashong is a J.D. candidate at The George Washington University Law School and a member of the Public Contract Law Journal. He would like to thank Professors Jayna Rust
and Paul Rosenzweig for their direction and feedback in helping edit and write this Note. He is also grateful to Deirdre A. Clarke for her thoughtful engagement and dependable guidance throughout the process.

I.  Introduction: A Cyber Nightmare Is Closer Than You Think: How Can We Ensure That We Are Secure?

Picture this: you are on your way home from work and, as is routine, safely seat-belted in the back seat of a taxi cab, or Uber, or Lyft.1 You have just finished reviewing the last of that day’s e-mail threads from your colleagues at the office and are beginning to mentally decompress. You insert your headphones and turn on your favorite podcast. Suddenly, you feel a jolting acceleration, then a swerve, a skid, and finally a stop. Thankfully safe, you quickly realize that the car is not. You have been involved in a multi-vehicle accident. And your driver claims that it was not his fault. “The car did it,” he claims.2 What if the driver was absolutely right?3

In theory, everything grounded in technology is hackable4 because the human-written, algorithmic code of which it is comprised is inherently imperfect.5 Even when secured by passwords, cellular phones and laptops can be hacked.6 Surprisingly, smart-televisions can be hacked,7 coffee machines can be hacked,8 and intimate dating websites can be hacked.9 Even the Dalai Lama has been hacked.10 This is in large part because since the Internet’s inception in the latter part of the twentieth century, interconnected systems have seen expansive growth and rapid development, both in utility and convenience, and have become omnipresent.11 Correspondingly, the commonness and usefulness of digital and cyber-infrastructure has, too, expanded at a parallel rate.12 This proliferation has provided bad actors and hackers with yet another domain through which they can commit cyberattacks and intrusions on a hosted network without an owner’s consent.13 Fittingly, as former FBI Director Robert Mueller noted, the same roads that enabled the spread of Roman civilization also led invaders to Roman doorsteps.14 In the context of the Internet, this is equally true. Along with its countless benefits, the Internet’s own rapid expansion has paradoxically led to cybersecurity defects, or “bugs,” and other exploitative vulnerabilities.15 As such, the federal government, tasked with the protection and safety of its citizens, has proactively begun increasing investments in research aimed at addressing cybersecurity vulnerabilities and identifying internal vulnerabilities to protect their infrastructures against cybertheft, cyberespionage, and the infiltration of harmful malware.16

One defensive tactic, the “bug-bounty program,” invites hired computer- security experts, also known as “white hat hackers,” to hack into existing infrastructures with the goal of identifying and reporting potentially harmful vulnerabilities to the host.17 Though this “hacker-powered security”18 is a relatively new phenomenon in government, it has solidified its place in mainstream cybersecurity practice after decades of success in identifying and resolving “zero-day vulnerabilities”19 within the private sector. Zero-day vulnerabilities are exploitable vulnerabilities of which a software vendor is not aware and for which no patch has yet been created. 20 Google, for example, paid out more than $2.9 million in bounties in 2017, and Apple offers up to $200,000 for the identification of certain vulnerabilities.21 Most recently, the value of the bug bounties in federal government agencies has caught the eye of Congress.22 On January 3, 2018, President Donald Trump signed H.R. 7327 - Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act” or the “Act”) into law.23 The SECURE Technology Act (1) compels the Department of Homeland Security (“DHS”) to establish a security vulnerability disclosure policy (“VDP”); (2) requires DHS to establish a bug-bounty pilot program to minimize vulnerabilities of DHS information systems; and (3) establishes an interagency Federal Acquisition Security Council to set supply-chain risk management standards.24 The SECURE Technology Act aims to advance digital security systems within the federal government, using previously efficacious bug-bounty programs as an instructive mold.25

However, the documented success of completed programs and the prospect of future programs do not evince or guarantee perfection in the application of bug-bounty programs, generally, because these programs have not yet been optimized to reach their full potential.26 There remains ample room for increased clarity, utility, and efficiency in federal bug-bounty offerings. Going forward, it is imperative that federal agencies offering bug-bounty programs seek to ensure to their participants fundamental fairness within criminal and intellectual property law while operating within the bounds of the Computer Fraud and Abuse Act (“CFAA”).27 Unfortunately, it is difficult to harmonize and operate within these competing principles because the usage of government bug bounties as a cybersecurity tool is still a largely novel concept.

This Note argues that the SECURE Technology Act should expand the scope of past bug-bounty programs offered by government agencies to permit hacking attempts against critical and sensitive cyberinfrastructures that contain sensitive, highly sensitive, confidential, or classified materials. For ostensibly obvious reasons regarding reliability and trustworthiness, current and past government bug-bounty programs have been reluctant to grant bug- bounty participants access to sensitive and classified materials.28 This Note recommends a departure from that sentiment in order to best effectuate the purpose of the SECURE Technology Act and receive the best value from the appropriated funds.

Part I of this Note presents a brief overview of past bug-bounty programs offered by the federal government and compares their application to those offered in the private sector. Part II of this Note argues that it would be a misapplication of congressionally appropriated funds to constrain bug-bounty participants to the least difficult systems because, for reasons later discussed, doing so identifies ancillary vulnerabilities without actually making infrastructures any more secure. Finally, Part III of this Note argues that Congress has little to gain from allowing the bug-bounty portion of the SECURE Technology Act to mirror its mandated bug-bounty program after past government bug-bounty offerings. To obtain the best value from the congressionally appropriated funds, the SECURE Technology Act must carve out sufficient safe harbor protections for participants and allow those participants to access sensitive security systems. The Act should clearly define its scope and require formalized reports regarding successful vulnerability discoveries and, for unsuccessful attempts, reports that indicate the nature of the attempted intrusions. Finally, in response to anticipated skepticism about the reality of its proposal, this Note posits strict criminal penalties for any participants who are found to have retained data, attempted to retain data, exceeded the government’s scope, or attempted to exceed the government’s scope.

A.  Setting the Stage to Swat the Bug: Why the Government Needs Bug-Bounty Programs

Sophisticated, anonymous attackers pose a great danger to government cyber-infrastructures with their ability to discover weaknesses through design and implementation flaws within even the most secure computer networks.29 These nimble hackers incessantly target interconnected government cyber-networks with malicious attacks.30 It has been reported that cyberterrorists and hackers attempt to penetrate Department of Defense (“DoD”) computer systems “thousands of times a day.”31 Further, the number of “cyber incidents” on federal systems reported to the DHS increased more than tenfold between 2006 and 2015.32 Still, even the most accurate malware reports will only represent an infinitesimally small fraction of the actual total because, by their nature, most malicious cyber-intrusions ultimately go undetected.33 Even when malicious activity is detected, there remains the costly and time-consuming problem of identifying the source and preventing its reoccurrence.34 Due to the immense cost, resources, and manpower required to locate and patch existing “bugs,” this category of vulnerabilities is often neglected and left ripe for exploitation, specifically, by way of cyber-intrusions, or “hacks.”35 Both domestically and abroad, digital infrastructures have suffered intrusions that make them susceptible to disruption and permit bad actors to steal money, intellectual property, and sensitive military information.36 The revolution of the Internet calls for an urgent reassessment of the value of a secure cyber-infrastructure, as well as the threat that information theft and other cyberattacks pose to domestic and international security.37 To ignore this sign of modern times would all-but encourage attempts to threaten America’s cyber-infrastructures.

In 2009, President Barack Obama identified cybersecurity as one of the “most serious economic and national security challenges we face as a nation” but are ill-equipped to counter.38 More recently, the Council of Economic Advisors estimated that one major cyberattack could cost between $57 billion and $109 billion.39 In 2015, there were 112 million recorded healthcare data breaches.40 In 2017, Symantec reportedly blocked 611,141 web attackers per day and encountered a fifty-four percent increase in the number of new variants of malware that infect computers.41 In the same year, the FBI’s Internet Crime Complaint Center (“IC3”) received a total of 301,580 complaints with reported losses exceeding $1.4 billion.42 In late 2018, the Pentagon reported that it had been hacked and that the breach may have taken place several months before it was discovered.43 Instances like the aforementioned are particularly harmful in the context of government cybersecurity not only because they can result in financial harm, but also because they can give rise to safety concerns and cause immeasurable damage to the public’s faith in the government.44 Portended suppositions — similar to those of President Obama — bolstered by such staggering figures no doubt reflect the necessity of strong, proactive defensive capabilities.

Still, while cyberattacks vary significantly in complexity and impact, 45 U.S. federal government agencies continue to face increasingly sophisticated and persistent cyber threats from devious hackers, commonly known as “black-hat hackers,”46 who hack into protected platforms — without permission —for a variety of reasons.47 Additionally, because attack tools have become more sophisticated and easier to use, black-hat hackers can simply download attack scripts and protocols from the Internet and subsequently launch them against government websites.48 Far from solicited auxiliaries, these black-hat hackers comfortably operate while shrouded in anonymity, a phenomenon that has been called the “cornerstone” of Internet culture.49 As such, identifying cyber-vulnerabilities and locating and protecting against attackers is particularly difficult in the cyberworld in comparison to the physical world, in part due to the abilities of sophisticated actors to mask their activity and hide the origins of their attacks.50 All in all, the rise of malicious hacking attacks against governments mirrors the uptick in hacking that similarly mars the private sector.51

1.   What Doesn’t Kill Them, Only Makes Them Stronger: How Developments in Cybersecurity Have Made Bugs More Prevalent

The prevalence of software in society has continued to rapidly grow and expand across societal functions with no signs of deceleration.52 As users continue to demand additional functions from existing software, that software must be redeveloped and consequently becomes more complex and difficult to understand.53 Logically, an increase in quantity of complex software inevitably leads to more vulnerabilities because such complex software has more lines of code and therefore attendant security bugs, which makes them harder to test, and thus more likely to contain untested sections.54 This is particularly true in the context of public sector infrastructures, who are commonly known to be a step or two behind their private sector counterparts.55

B.  Proactive Combat: Federal Government Agencies Taking a Chance on Bug- Bounty Programs and Congressional Backing

New problems require new solutions. April 16, 2016, marked an interdepartmental acceptance of this principle when the federal government took an unusual action in its fight against cybercrime.56 In coordination with the Department of Justice (“DOJ”), the DoD’s Defense Digital Services (“DDS”) group introduced its pilot “Hack the Pentagon” bug-bounty program, the first of its kind to ever run at a federal agency.57 The initiative, which ran throughout April and May of 2016, was directed by the DDS with strong support from then-Secretary of Defense Ash Carter and mimicked best practices from the private sector.58 Hack the Pentagon attracted more than 1,400 hackers who — after registering and completing a background check — submitted vulnerabilities discovered within the Department’s public-facing websites, like defense.gov.59 After their acceptance to Hack the Pentagon, hackers were provided legal consent to perform specific hacking techniques against DoD websites and received financial awards for successfully submitting vulnerability reports.60 One hacker submitted the first bug within just thirteen minutes of the beginning of the contest.61 In the end, “138 legitimate and unique vulnerabilities were found.”62 Bounty rewards totaling $75,000 were paid out.63 Former Secretary of Defense Ash Carter even met with two of the bug-bounty’s participants to congratulate them for their work.64 The federal government’s willingness to partner with freelance hackers to bridge the gap between the private sector and the Pentagon is a marked departure from its erstwhile policies on combatting cybercrime.65 Two-and-a-half years later, the DoD announced renewed efforts to deepen the focus of its first bug-bounty program.66

Building upon the success of Hack the Pentagon, the government ran more bug-bounty programs, received reports of more than 5,000 unique vulnerabilities, and paid out roughly $500,000.67 Yet, this figure still pales in comparison to the cost of hiring an outside firm to do security audit and vulnerability assessment.68 Secretary Carter observed this financial benefit: it would have cost the DoD more than $1 million to identify and resolve these vulnerabilities internally.69 Even still — this is less costly than seeing such vulnerabilities exploited to or on the black market.70 The Marine Corps Cyber Command has also hailed the benefits of bug bounties.71

Most recently, the value of the bug bounties in federal government agencies has caught the eye of Congress.72 The SECURE Technology Act was introduced by Rep. Will Hurd (R-TX) on December 19, 2018, and it passed the House of Representatives by an electronic vote of 362-1 on the same day.73 It later passed the Senate by unanimous consent and was signed into law by President Trump two days later on December 21, 2018.74 The Act was a legislative package that “subsumed a trio of bills aimed at strengthening Homeland Security’s cyber defenses and protecting the government’s supply chain.”75 In doing so, the Act appropriates $250,000 and requires the DHS to establish a bug-bounty program and a vulnerability disclosure program.76 Next, on the supply-chain front, the bill establishes a Federal Acquisition Security Council to provide executive agencies with authorities relating to mitigating supply-chain risks in the procurement of information technology.77 This council is to include members from the DHS, the DoD, the General Services Administration (“GSA”), the Office of the Director of National Intelligence (“DNI”), the Federal Bureau of Investigation (“FBI”), the Office of Management and Budget (“OMB”), and the National Institute of Standards and Technology (“NIST”).78 The council must then establish criteria for determining what types of products pose supply-chain security risks to the federal government and will provide guidance to agencies to help them understand the risks to their supply chains when making procurement decisions.79 By its terms, the SECURE Technology Act portends congressional interest in and commitment to employing cutting-edge approaches for optimal cybersecurity.80 The Act’s requirements further hold the DHS’s feet to the fire by requiring continual and periodic reports regarding the program’s efficacy.81

1.  Know Thy “Enemy”: Who Participates in Bug-Bounty Programs?

The SECURE Technology Act’s bug-bounty program will be open to “eligible individual[s], organization[s], or company[ies],” that is, pre-vetted “hackers.”82 To the general public, “hacker” is often a term that is most often synonymous with the image of a shadowy and hooded member of the cyber-criminal underground.83 But, not all hacking is created equal.84

The cybersecurity community generally recognizes three distinct subcategories of hackers: white-hat, black-hat, and grey-hat.85 “White-hat” hackers are members or affiliates of the security industry that are contracted with the specific goal of identifying and testing security flaws, whereas “black hats” engage in criminal conduct and infiltrate systems for no other reason than to commit that crime — usually, pursuing some sort of economic profit as an end-game.86 Somewhere in the middle of the road lies the “grey-hat hacker,” who operates on the fringe of civil and criminal liability to discover and report security vulnerabilities.87 Large corporations like Microsoft, Google, Facebook, and Mozilla have discovered and demonstrated the utility of hacker-powered security as an essential safeguard against criminal cyberattacks.88 There is no one better-suited to locate a cyber-vulnerability than someone who is practiced in exploiting these vulnerabilities.89 With this in mind, government bug-bounty programs should be restricted in their offerings to stringently pre-vetted trusted hackers90 that pass background checks in order to safely and effectively test their security. Additionally, bug-bounty sponsors should ensure that “no bounty money goes to a person or organization targeted by U.S. sanctions.”91 In light of these exclusionary requirements, well-intentioned white-hat hackers remain among the most apt and attractive candidates to participate in government bug-bounty programs.

2.   Flying Too Close to the Sun: What Kind of and How Much Liability Do Participants Face?

Today, even white-hat hackers who are granted authorization for cybersecurity testing must walk a tightrope to avoid criminal prosecution.92 This poses a major problem that must be definitively ironed-out to maximize the participant pool in government bug bounties. Accordingly, the DOJ issued an assistive framework that guides the administration of vulnerability disclosure policies in order to “substantially reduc[e]” the likelihood that activities related to vulnerability disclosures will result in a civil or criminal violation of law under the CFAA.93 However, the framework is merely instructive.94 Thus, because prospective white-hat hackers presumably have less bargaining power in negotiations with the government than with private companies, they ostensibly welcome a considerable amount of civil and criminal exposure under the broad language and application of the CFAA.95 To balance this disparity in bargaining and offer appreciable protections to the involved parties, the DOJ’s guidelines instruct that the sponsor of the program should evaluate (1) the sensitive nature of information stored or processed on the organization’s systems,96 (2) the ability to segment its network or otherwise segregate sensitive information stored on its systems, and (3) any regulatory or contractual restrictions placed on disclosure of protected classes of information in an organization’s possession.97 The DOJ is less clear with respect to the handling of sensitive or classified information within the bounds of the CFAA.

As indicated earlier in this Note,98 the CFAA criminalizes access to a computer without proper authorization.99 But, the language of the statute is notoriously broad100 and imprecise101 and fails to adequately define “authorization,”102 leaving a significant amount of disconcerting grey area within which the white-hat hackers must operate.103 Additionally, in 1996, Congress passed an amendment to the CFAA which appreciably expanded the scope of § 1030(a)(2)(C).104 As a result, the CFAA, while once limited in its protection of “unauthorized access,”105 has expanded to prohibit intentional access of information from any protected computer or in a manner that “exceeds authorized access.”106 This notably broad language has been the source of pronounced uncertainty for bug-bounty participants.107 Thus, for sponsors, the DOJ suggests placing limits on the sensitive material108 and urges that organizations seriously weigh the risks and consequences of exposing sensitive information “when making its scoping decisions.”109

The DOJ also offers guiding principles to aid in the drafting of vulnerability disclosure policies to avoid legal action and proscribes worthwhile considerations to that end.110 The DOJ’s framework recommends that, prior to launching, sponsors decide “how [they] will handle accidental, good faith violations of the vulnerability disclosure policy, as well as intentional, malicious violations.”111 Additionally, the framework instructs that sponsors use plain-language in describing acceptable and non-acceptable conduct and “[e]xplain the consequences of complying — and not complying — with the policy” in order to avoid ambiguities.112

C.  Don’t Let the Bad Bugs Bite: A Necessary Shift from Diffidence to Proactivity

In the past, government agencies sponsoring bug-bounty programs have been generally reluctant to make available their most critical infrastructures for white-hat hackers to test.113 Such an approach, however, diminishes the value of running a bug-bounty program because restricting participants’ access to the “low-hanging fruit” that exists within less-guarded systems necessarily limits vulnerability reports to those of lower-to-more-moderate severity.114 This, among other things, has prompted various criticisms about the underlying methodologies of government bug-bounty programs.115 It even led Katie Moussouris, former Chief Policy Officer with HackerOne and one of the driving figures of the organization who helped launch and direct the 2016 Hack the Pentagon bug-bounty,116 to characterize government bug-bounty bills as “well-meaning, but misdirected.”117 Similar criticisms surround the government’s inability — or reluctance — to allocate sufficient resources to curing the reported vulnerabilities.118

Discovering cyber-vulnerabilities quickly is the first step in the attainment of cybersecurity. But quickly patching them is another. Today, there is a notable lack of cybersecurity resources in federal government agencies.119 This poses problems both in the administration of and response to reported vulnerabilities in bug-bounty programs in two ways. First, an agency that is understaffed in its cybersecurity divisions necessarily has fewer human resources to monitor and effectuate its operations. During the sponsorship of a bug-bounty program, this can inadvertently allow for potentially obstructive, or even injurious, supervision of the participants and their hacking techniques.120 Furthermore, failure to triage and patch reported bugs can lead to grievous consequences: “slips-through-the-cracks” can be costly, dangerous, or both. Second, if and when unique bugs are identified and reported, these reports run the risk of taking a priority over current and open bugs that may have previously been receiving attention or, alternatively, of taking a back-seat to those currently opened matters.121 This general “backlog” has been a common concern among cybersecurity experts and must be mitigated.122 These problems are not distinct, either. In some cases, they compound one another. For example, during Hack the Army, the program sponsors123 received 416 bug reports but only 118, or about one-fourth, were evaluated to be “unique and actionable.”124

This is a time-consuming problem to have.125 In contrast, most major private corporations already have robust information technology departments that include expert personnel and specialized software that work in concert to catch, monitor, and are otherwise generally aware of, if not already clearing out, the “low-hanging fruit.”126 Furthermore, because of higher budgets and personnel capabilities, bug-bounty sponsors in the private sector are more readily able to monitor and communicate with participants at all stages throughout the bug-bounty process.127 In comparison, government agencies lack the time and resources to engage meaningfully with participants.128 Thus, government agencies must remain flexible to different practices, including hiring additional staff specialists to triage reported vulnerabilities or affording more autonomy to bug-bounty participants as they probe for and report vulnerabilities.

D.  Hackers Gotta Hack: The DHS Must Allow Freer Rein to Bug-Bounty Participants

The government should aim to be more predictive and less reactive in its protection of our critical cyber-infrastructures.129 The funds appropriated for the DHS’s bug-bounty program by the SECURE Technology Act are a good start. The DHS can best effectuate the purpose of the SECURE Technology Act by 1) contracting a trusted pool of talented participants and 2) allowing those participants to dissect the DHS’s most valuable systems. As previously mentioned in this Note, in the past, government bug-bounty sponsors have avoided allowing their most sensitive systems from being probed by white- hat hackers.130 The most recently awarded government bug-bounty contract, however, departs from this sentiment and expands the scope and capacity of the program to bounties that are permitted to target private DoD assets.131 According to a statement released by the DoD, this approach will welcome valuable new security perspectives to emulate combat adversaries and mitigate risk.132 The SECURE Technology Act should be implemented in accordance with this trend to ensure that its appropriated funds are used in the most efficient manner and that the program reaps its best possible value.133 Calculated temerity, in this sense, promises to bear greater rewards than any cautious and continued maintenance of past methods.

To date, there have been roughly a dozen federal government bug-bounty programs.134 Imaginably, the federal government and its contractors have encountered some overlap in some of the participants across each program. To maximize their utility, the government and its contractors should review the results of each bug-bounty and “keep tabs” on the volume of submissions from each participant. With that information, and to the extent possible, the government should seek to break down the walls of skepticism between the parties and build a rapport that can sustain trusting, long-term partnerships. This can either be done by monitoring hacker participants over a temporal period or, alternatively, by monitoring hackers’ statistics based on their level and frequency of participation and the utility of their reporting. Once that is done, the DHS can examine the attributes and tenure of certain hackers and assign a level of trust to them that will allow these hackers to access (however closely monitored) more sensitive systems to test for vulnerabilities. With well-defined parameters and test-proven hackers, both parties stand to benefit — the government, in its sense of structural security, and the participants, in their safeguard against criminal prosecution.

To be effective, bug-bounty programs must clearly identify the scope and goals of its offering. This may seem obvious, but, at its core, the importance of this idea cannot be understated. For the DHS to reap the benefits of its bug- bounty program, it is imperative that its goals are clearly stated to serve as a road map for the participants. If the DHS is interested in a particular class of vulnerabilities or is less concerned with another, it should state so unequivocally as part of its offering so that the participants’ time is more purposefully spent reviewing reports of bugs that are in-line with the concerns. Similar initiatives have already been deployed. For example, HackerOne has introduced “Signal Requirements” and “Rate Limiter” instructions that organizations can use to increase the quality of reports by limiting certain types of activity.135 Signal Requirements allow only those hackers who maintain a certain ratio of “valid” to “invalid” submissions, while the Rate Limiter constrains the number of reports that a hacker can make in a given time interval.136

Defining the scope of the bug-bounty program is equally important. This encompasses both defining the parameters of the program and indicating what sorts of methods are sought after as part of the program.137 Plainly and squarely defining the parameters can include outlining or informing participants of the civil and criminal penalties under the CFAA and reserving or waiving certain rights (assuming compliance from the participants). As previously discussed, the CFAA can have extensive bearings on the conduct of black-hat, grey-hat, and even authorized white-hat hackers. The previously discussed ambiguity in the CFAA can be a source of uncertainty for participants who are voluntarily undertaking government sanctioned-hacking of the government. It would do great damage to the landscape of bug-bounty programs if the government then turned around and prosecuted innocent missteps. For those reasons, in order to attract the best talent, common ground must be ensured.

II.  Conclusion: Past is Prologue — Learning from & Building Upon Past Bug-Bounty Programs

The solutions proposed by this Note would strengthen the partnership between the government, as bug-bounty sponsors, and hackers, as bug-bounty participants, and lead to more valuable and beneficial dealings between the two parties in their joint efforts to identify and dissect vulnerabilities. This Note firstly calls for increased clarity with regard to the terms and parameters of bug-bounty offerings to ensure that participants, who may be wary of engaging with the government, can begin to build a workable level of trust in future dealings. Then, this Note urges the DHS, during its recently congressionally mandated bug-bounty program, to examine the efficacy of past bug-bounty programs (especially in the DoD) and allow a selected pool of participants to hack their more sensitive private systems. Admittedly, this approach may be met with healthy skepticism and hesitation. After all, there is a justified cause for concern when putting such significant faith in the hacker community. Importantly, however, government bug-bounty sponsors must recall that hacker culture — in its entirety — was once “taboo.” Cyber-society is ever-evolving, and the regularity of bounty programs is a sign of these changing times. As such, this Note posits that with sufficiently deliberate terms of agreement, good-faith dealing, and the lengthy reach of the CFAA, bug-bounty programs are ready to level up. Abandoning the erstwhile inhibitions of past government bug-bounty programs in favor of this new-fashioned methodology is a vitally necessary step towards obtaining the best value from the funds congressionally appropriated to Hack the DHS. If optimized, the SECURE Technology Act has the potential to break the timeworn mold of government-sanctioned hacking and to serve as a fortifying directive for the future of U.S. cyberinfrastructures.

Entity:
Topic:
  1. This scenario is inspired in substantial part by Reeves Wiedeman, The Big Hack, N.Y. Mag. (June 19, 2016), http://nymag.com/intelligencer/2016/06/the-hack-that-could-take-down-nyc.html?gtm=bottom>m=top#fn-mb-2 [https://perma.cc/A5KA-H59R].
  2. See id. Carmakers have begun paying greater attention to the fact that some new vehicles have become as hackable as laptops. See id. (noting that researchers have discovered that hackers have been able to access the ignitions on Audi, BMW, Ford, Honda, Hyundai, Kia, Lexus, Mazda, Mitsubishi, Nissan, Range Rover, Subaru, Toyota, and Volkswagen cars); see also Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway - With Me in It, Wired (July 21, 2015), https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway [https://perma.cc/5AWD-22JC] (detailing a “zero-day” hacking exploit in which two hackers took control of a driver’s Jeep from their couch).
  3. See JC Reindl, Car Hacking Remains a Very Real Threat as Autos Become Ever More Loaded with Tech, USA Today (Jan. 15, 2018), https://eu.usatoday.com/story/money/2018/01/14/car-hacking-remains-very-real-threat-autos-become-ever-more-loaded-tech/1032951001 [https://perma.cc/89RP-FUQR] (discussing how hackers can infiltrate vehicles through minor devices, such as infotainment systems, and “wreak[] havoc by taking control of the vehicle’s door locks, brakes, engine or even semi-autonomous driving features”).
  4. This includes powerplants, banks, and hospitals. See Jay Hathaway, Hackers Hold a Hollywood Hospital’s Files for Ransom, Demand $3.4 Million, N.Y. Mag. (Feb. 16, 2016), http://nymag.com/intelligencer/2016/02/hackers-holding-hollywood-hospital-for-ransom html [https://perma.cc/VWY2-3BBU] (detailing how in February 2016, a hospital in Los Angeles, paid roughly $17,000 in Bitcoin to get back into its system); see also Roger A. Grimes, Everything Is Hackable—and Cyber Criminals Can’t Be Tracked, CSO (May 10, 2011), https://www.csoonline.com/article/2621721/everything-is-hackable----and-cyber-criminals-can-t-be-tracked.html [https://perma.cc/BE9Z-H39W]; Christopher M. Sanders, Note, The Battlefield of Tomorrow, Today: Can a Cyberattack Ever Rise to an “Act of War?,” 2018 Utah L. Rev. 503, 506 (2018) (stating that “[t]here is no real limit to what ‘hackers’ can do”).
  5. See Thomas Holt, What Are Software Vulnerabilities, and Why Are There So Many of Them?, Conversation (May 23, 2017), https://theconversation.com/what-are-software-vulnerabilities-and-why-are-there-so-many-of-them-77930 [https://perma.cc/6XNN-94BL]; see also Jay Pil Choi et al., Network Security: Vulnerabilities and Disclosure Policy, 58 J. Indus. Econ. 868, 869 (2010) (noting that it is “virtually impossible” to design vulnerability-free software); Taiwo A. Oriola, Bugs for Sale: Legal and Ethical Proprieties of the Market in Software Vulnerabilities, 28 J. Marshall J. Computer & Info. L. 451, 465 (2011) (“[T]he human link remains . . . a potent source of vulnerability in the computing and network systems security chain.”); Aaron B. Brown, Oops! Coping with Human Error in IT Systems, Queue 34, 35 (2004) (“[H]uman error [is] inevitable in the rapidly changing environments characteristic of IT systems.”).
  6. See generally Natasha Stokes, How to Tell if Your Phone Has Been Hacked, Techlicious (May 1, 2019), https://www.techlicious.com/tip/how-to-tell-if-your-phone-has-been-hacked/comments-/CP3 [https://perma.cc/Z9FC-U4ZS]; Jeff Kosseff, Defining Cybersecurity Law, 103 Iowa L. Rev. 985 (2018).
  7. See Samsung and Roku Smart TVs Vulnerable to Hacking, Consumer Reports Finds, Consumer Rep. (Feb. 7, 2018), https://www.consumerreports.org/televisions/samsung-roku-smart-tvs-vulnerable-to-hacking-consumer-reports-finds [[https://perma.cc/Z2Q4-8GFY].
  8. See Waqas Amir, How a Coffee Machine Infected Factory Computers with Ransomware, Hack-Read (July 28, 2017), https://www.hackread.com/how-a-coffee-machine-infected-factory-computers-with-ransomware [https://perma.cc/R3TB-JJLN].
  9. See Jon L. Mills & Kelsey Harclerode, Privacy, Mass Intrusion, and the Modern Data Breach, 69 Fla. L. Rev. 771, 771 (2018).
  10. There have been documented GhostNet malware penetrations on computer systems containing sensitive and secret information at the private offices of the Dalai Lama and other Tibetan targets. See The SecDevGroup et al., Tracking GhostNet: Investigating a Cyber Espionage Network 6 (2009).
  11. See Doe v. 2Themart.com Inc., 140 F. Supp. 2d 1088, 1091 (W.D. Wash. 2001) (describing the Internet as a “revolutionary advance in communication technology”).
  12. Cf. Michael Gervais, Cyber Attacks and the Laws of War, 30 Berkeley J. Int’l L. 525, 546 (2012) (In cyberspace, private non-state actors “present a complicated issue for targeted states.”).
  13. See Shannon L. Hopkins, Cybercrime Convention: A Positive Beginning to a Long Road Ahead, 2 J. High Tech. L. 101, 102 (2003) (recognizing that although computer networks confer numerous benefits, they also create new opportunities for criminals and increase complexities for prosecuting cybercrimes).
  14. See Robert S. Mueller III, Director of the Federal Bureau of Investigation, Penn State Forum Speaker Series (Nov. 6, 2007), https://archives.fbi.gov/archives/news/speeches/the-fbi-stopping-real-enemies-at-the-virtual-gates [https://perma.cc/E5AU-A2Q3].
  15. A software vulnerability, or “bug,” is a flaw in computer code that can compromise the security of a computer system. Bugs are usually the unintended consequences of a design choice or mathematical error in a code or model. See Andreas Kuehn, New Paradigms in Securing Software Vulnerabilities—An Institutional Analysis of Emerging Bug Bounty Programs and Their Implications for Cybersecurity 2 (9th Annual GigaNet Symposium 2014, Working Paper).
  16. See id. at 3.
  17. The term “white hat hacker” refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies that ensures the security of an organization’s information systems. See What Is the Difference Between Black, White and Grey Hat Hackers?, Norton Security, https://us.norton.com/Internetsecurity-emerging-threats-what-is-the-difference-between-black-white-and-grey-hat-hackers.html [https://perma.cc/T5X5-PWKR] (last visited November 6, 2018) [hereinafter What Is the Difference]; see also Kuehn, supra note 15, at 3.
  18. See HackerOne, The Hacker-Powered Security Report 2017 6 (2017) (“Hackerpowered security is any technique that utilizes the power of the external hacker community to find unknown security vulnerabilities in technology.”).
  19. See Oriola, supra note 5, at 480. These vulnerabilities are called “zero days” because they are exploited before the developers or system owners discover them and thus, there are “zero days to address and patch the vulnerability” before it is exploited. See Richard A. Clarke et al., Liberty and Security in a Changing World 37 (2013). The phrase “zero-day” is commonly attached to every point in the process. See id. For example, zero-day vulnerabilities are turned into zero-day exploits that are used in zero-day attacks. See id.
  20. See Clarke et al., supra note 19, at 37.
  21. See Jan Keller, Vulnerability Reward Program: 2017 Year in Review, Google Security Blog (Feb. 7, 2018), https://security.googleblog.com/2018/02/vulnerability-reward-program-2017-year.html [https://perma.cc/ZDK3-LR56]; Lily Hay Newman, Apple’s Finally Offering Bug Bounties-With the Highest Rewards Ever, Wired (Aug. 4, 2016), https://www.wired.com/2016/08/apples-finally-offering-bug-bounties-highest-rewards-ever [https://perma.cc/J7GB-LD2P].
  22. See Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, H.R.7327 1, 115th Cong. (2018). The efficacy of bug-bounty programs has also garnered international repute. Government legislators in Singapore and the United Kingdom are readying VDPs in their respective countries. See Ed Targett, Hack the Gov’t and Tell the NCSC? You’ll Now Get a Pat on the Back, Comput. Bus. Rev. (Dec. 21, 2018), https://www.cbronline.com/news/ncsc-vulnerability-reporting [https://perma.cc/98YJ-U3D4]; Matt Burgess, HackerOne Is Heading to the UK After Raising £30m in Series C Funding, Wired UK (Feb. 8, 2017), https://www.wired.co.uk/article/hackerone-uk-bug-bounty-funding [https://perma.cc/S57M-XRLD]. Aaron Tan, Singapore Government to Start Bug-Bounty Programme, Comput. Weekly (Sept. 18, 2018), https://www.computerweekly.com/news/252448812/Singapore-government-to-start-bug-bounty-programme [https://perma.cc/U596-H3QK].
  23. Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, H.R.7327 1, 115th Cong. (2018)
  24. See id. at 1–8.
  25. See generally id.
  26. See Mingyi Zhao et al., Devising Effective Policies for Bug-Bounty Platforms and Security Vulnerability Discovery, 7 J. Info. & Policy 372, 372–75 (2017).
  27. The Computer Fraud and Abuse Act of 1986 (“CFAA”), 18 U.S.C. § 1030, is a United States cybersecurity bill that governs the prosecution of crimes that use or target computer networks. Among other things, it criminalizes access to a protected computer without proper authorization. See H. Marshall Jarrett et al., Office of Legal Education Executive Office for United States Attorneys, Prosecuting Computer Crimes 1; see also S. Rep. No. 99-432, 99th Cong. at 2 (1986) (noting the pressing need for statutory safeguards against hacks of schools, hospitals, and government agencies).
  28. See generally Dan Lohrmann, Hacking: When Your White Hat Is Really a Black Hat, Gov’t Tech. (Aug. 2, 2015), https://www.govtech.com/blogs/lohrmann-on-cybersecurity/Hacking-When-your-white-hat-is-a-really-a-black-hat-.html [https://perma.cc/Y99X-KDFG].
  29. See National Research Council, Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities 83 (2009).
  30. See Gervais, supra note 12, at 530.
  31. Kelly A. Gable, Cyber-Apocalypse Now: Securing the Internet Against Cyberterrorism and Using Universal Jurisdiction as a Deterrent, 43 Vand. J. Transnat’l L. 57, 59–60 (2010).
  32. See Dep’t of Homeland Security, Cybersecurity Strategy 2 (2018).
  33. See Jessica R. Gross, Note, Hack and Be Hacked: A Framework for the United States to Respond to Non-State Actors in Cyberspace, 46 Cal. W. Int’l L.J. 109, 110 (2016).
  34. See id.
  35. See generally A Crisis of Context: The State of Vulnerability Management (Part 1), Recorded Future (Apr. 5, 2019), https://www.recordedfuture.com/vulnerability-management-state[https://perma.cc/29T8-U5G5]; see also Is There Such a Thing as Responsible Disclosure of Vulnerabilities?, Tripwire (Dec. 10, 2012), https://www.tripwire.com/state-of-security/security-data-protection/is-there-such-a-thing-as-responsible-disclosure-of-vulnerabilities [https://perma.cc/7KZD-HP48].
  36. See The White House, Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure i, v (2009).
  37. For purposes of this Note, the term “cyberattack” will refer to the use of deliberate actions to alter, disrupt, deceive, degrade, or destroy adversary computer networks. See National Research Council, supra note 29, at 82.
  38. See Executive Office of the President, The Comprehensive National Cybersecurity Initiative 1 (2010) (declassified summary); see also U.S. Gov’t Accountability Off., GAO-16-332, Civil Support: DOD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities During Cyber Incidents (2016) (noting that, as of April 2016, the Pentagon lacked a defined “cyber incident” chain of command).
  39. SeeExecutive Office of the President, The Cost of Malicious Cyber Activity to the U.S. Economy 1 (2016).
  40. See Dan Munro, Data Breaches in Healthcare Totaled over 112 Million Records In 2015, Forbes (Dec. 31, 2015), https://www.forbes.com/sites/danmunro/2015/12/31/data-breaches-in-healthcare-total-over-112-million-records-in-2015/#1c81c2a27b07 [https://perma.cc/2GT6-PRCS].
  41. Symantec is a software and cybersecurity company that provides security products and solutions to protect small, medium, and enterprise businesses from advanced threats, malware, and other cyberattacks. See Symantec Corporation, https://www.symantec.com (last visited Aug. 15, 2019); Symantec, Internet Security Threat Report 50, 64 (2018).
  42. See Federal Bureau of Investigation, 2017 Internet Crime Report 3 (2017).
  43. See Paul Szoldra, The Pentagon’s Travel Records Were Hacked, Possibly Affecting 30,000 Personnel, Task & Purpose (Oct. 13, 2018), https://taskandpurpose.com/pentagon-travel-hack[https://perma.cc/LDS9-TDM5]; Lolita C. Baldor, Pentagon Reveals Cyber Breach of Travel Records, Mil. Times (Oct. 12, 2018), https://www.militarytimes.com/news/your-military/2018/10/12/pentagon-reveals-cyber-breach-of-travel-records/?utm_campaign=Socialflow+AIR&utm_medium=social&utm_source=twitter.com [https://perma.cc/7GFF-YNL3] (describing a cyber breach of DoD travel records that compromised the personal information and credit card data of an estimated 30,000 U.S. military and civilian personnel).
  44. See generally Chris Hamby, Hacking, Glitches, Disinformation: Why Experts Are Worried About the 2020 Census, N.Y. Times (July 3, 2019), https://www.nytimes.com/2019/07/03/us/2020-census-digital.html [https://perma.cc/FX2M-9TTX].
  45. See The Two Faces of Hacking, IEEE Spectrum (July 6, 2011), http://spectrum.ieee.org/static/hacker-matrix [https://perma.cc/XCF8-5XAK].
  46. The term “black-hat hacker” refers to hackers who breach the security of computer systems for nefarious, and often times illegal, purposes. See What Is the Difference, supra note 17; Chris Hoffman, Hacker Hat Colors Explained: Black Hats, White Hats, and Gray Hats, How-To Geek (July 10, 2017), http://www.howtogeek.com/157460/hacker-hat-colors-explained-black-hats-white -hats-and-gray-hats [https://perma.cc/4F2G-K7KP].
  47. See U.S. Gov’t Accountability Off., GAO-15-758T, Cyber Threats and Data Breaches Illustrate Need for Stronger Controls Across Federal Agencies 4 (2015) (“Hackers break into networks for the challenge, revenge, stalking, or monetary gain, among other reasons.”).
  48. See id.
  49. See David Davenport, Anonymity on the Internet: Why the Price May Be Too High, 45 Commc’ns of the ACM 33, 33 (2002).
  50. See Gross, supra note 33, at 110.
  51. See generally Akemi T. Chatfield et al., Crowdsourced Cybersecurity Innovation: The Case of the Pentagon’s Vulnerability Reward Program, 23 Information Polity: The Int’l. J. of Govt. & Democracy in the Information Age 177–94.
  52. See Center for Strategic and International Studies, An Assessment of the National Security Software Industrial Base 2 (2006); Lillian Ablon, et al., Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar x, 43 (2014) (noting that cybercrime grew as more of the world gained a digital component, access to computing technology became more prevalent, and there were more technologically savvy people).
  53. See U.S. Dep’t of Defense, Defense Science Board, Report of the Defense Science Board Task Force on Mission Impact of Foreign Influence on DoD Software 20 (2007).
  54. See McCabe Software, More Complex = Less Secure Miss a Test Path and You Could Get Hacked 2 (stating that the future of digital systems is complexity and that “complexity is the worst enemy of security”).
  55. See Paul Szoldra, New Report Says Pentagon Cyber Security Is a Huge Dumpster Fire, Task & Purpose (Oct. 9, 2018), https://taskandpurpose.com/gao-cyber-pentagon-weapons-hack [https://perma.cc/XHG7-TFP2] (noting that “[b]etween 2012 and 2017, penetration testers ‘routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development.’ . . . Also noteworthy was the fact that testers weren’t taking nearly as much time or using sophisticated methods as a nation-state adversary would.”).
  56. See Lisa Vaas, “Hack The Pentagon” Bug Bounty Program Announced, Sophos Limited (Mar. 7, 2016), https://nakedsecurity.sophos.com/2016/03/07/hack-the-pentagon-bug-bounty-program-announced [https://perma.cc/ZTD6-BH2L].
  57. See Press Release, U.S. Dep’t of Def., Statement by Pentagon Press Secretary Peter Cook on DoD’s “Hack the Pentagon” Cybersecurity Initiative (Mar. 2, 2016), https://dod.defense.gov/News/News-Releases/News-Release-View/Article/684106/statement-by-pentagon-press-secretary-peter-cook-on-dods-hack-the-pentagon-cybe [https://perma.cc/4MJS-JRZY]; Lily Hay Newman, The Pentagon Opened Up to Hackers—and Fixed Thousands of Bugs, Wired (Nov. 10, 2017), https://www.wired.com/story/hack-the-pentagon-bug-bounty-results [https://perma.cc/3A5N-B3B5].
  58. See Shannon Collins, DoD Announces ‘Hack the Pentagon’ Follow-Up Initiative, Dep’t of Def. (Oct. 20, 2016), https://dod.defense.gov/News/Article/Article/981160/dod-announces-hack-the-pentagon-follow-up-initiative [https://perma.cc/3CED-JGWF].
  59. See id.; Lisa Ferdinando, Carter Announces ‘Hack the Pentagon’ Program Results, Dep’t of Def. (June 17, 2016), https://dod.defense.gov/News/Article/Article/802828/carter-announces-%20hack-the-pentagon-program-results [https://perma.cc/W2K7-5FKM].
  60. See Newman, supra note 57.
  61. Susan Miller, DoD Leads the Way in Crowdsourced Security, Def. Sys. (July 13, 2018), https://defensesystems.com/articles/2018/07/13/government-bug-bounties.aspx [https://perma.cc/QT9F-W9ZY].
  62. Id. For reported bugs to be eligible for prize payment, they must be both “legitimately a bug” and “unique” from previously identified vulnerabilities. See id.
  63. See Tara Copp, 18-Year-Old Hacker Honored at Pentagon, Stars & Stripes (June 17, 2016), https://www.stripes.com/news/18-year-old-hacker-honored-at-pentagon-1.415197 [https://perma.cc/Z822-QQ5A].
  64. See id.
  65. See Secretary of Defense, The Pentagon’s First Bug Bounty Exceeded All Expectations, Medium (June 17, 2016), https://medium.com/@SecDef/the-pentagons-first-bug-bounty-exceeded-all-expectations-a5a44faa4d81 [https://perma.cc/VW3A-T3EW] (recognizing the Department of Defense’s longstanding position on security as “[s]ecurity through obscurity”); Aaron Boyd, DOD Invests $34 Million in Hack the Pentagon Expansion, Nextgov (Oct. 24, 2018), https://www.nextgov.com/cybersecurity/2018/10/dod-invests-34-million-hack-pentagon-expansion/152267 [https://perma.cc/7KPD-4U3J]. Regarding the significance of the program, DDS Director Chris Lynch, said,

    Finding innovative ways to identify vulnerabilities and strengthen security has never been more important. . . . When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets.

    Id.
  66. See Press Release, Department of Defense Expands ‘Hack the Pentagon’ Crowdsourced Digital Defense Program, Dep’t of Def. (Oct. 24, 2018) [hereinafter Press Release, Department of Defense Expands], https://dod.defense.gov/News/News-Releases/News-Release-View/Article/1671231/department-of-defense-expands-hack-the-pentagon-crowdsourced-digital-defense-pr [https://perma.cc/ZRU2-LGEN]. In October 2018, the DoD awarded multi-year contracts to three private-sector Silicon Valley firms (BugCrowd, HackerOne, and Synack) to boost the Department’s capacity “to run bug bounties aimed at strengthening security for internal DOD assets.” Id. HackerOne was the sole contractor for Hack the Pentagon One. See Newman, supra note 57.
  67. The bug-bounty programs included Hack the General Services Administration’s Technology Transformation Services (“TTS”), Hack the Army, Hack the Air Force, Hack the Air Force 2.0, Hack the Marine Corps, and Hack the Defense Travel System. See U.S. Department of Defense Concludes Third “Hack the Air Force Bug Bounty Challenge with HackerOne to Improve Cybersecurity,” HackerOne, https://www.hackerone.com/press-release/us-department-defense-concludes-third-hack-air-force-bug-bounty-challenge-hackerone [https://perma.cc/LV6B-AUGY] (last visited Feb. 16, 2019); see Boyd, supra note 65 (“When something works tremendously well, you do more of it.”); see als Chatfield, supra note 51 at 186–87 (delineating high-tech, private-sector companies who conduct their bug-bounty operations in-house, from the federal government, which outsourced its pilot bug-bounty operations to HackerOne, a third-party white-hat hacking management and support platform operator). The Marine Corps Cyber Command has also hailed the benefits of bug bounties. See Lauren C. Williams, Lessons Learned from DoD’s Bug-Bounty Programs, Fed. Comput. Week (Oct. 5, 2018), https://fcw.com/articles/2018/10/05/dds-bug-bounty-williams.aspx?m=1 [https://perma.cc/KJ7N-Y7L9]. A “Hack Your State Department” bill has also been introduced in Congress. See H.R. 328. 115th Cong. (2018). Notably, Hack Your State Department does not include an appropriation to subsidize the cost of the bug-bounty. See id.
  68. See Rob Waugh, “Bug Bounties” Are Cheap Way to Keep Companies Secure, Berkeley Study Finds, We Live Sec. (July 10, 2013), https://www.welivesecurity.com/2013/07/10/bug-bounties-are-cheap-way-to-keep-companies-secure-berkeley-study-finds [https://perma.cc/VP4Y-Z2KH].
  69. Chatfield, supra note 51 at 189.
  70. See Jay P. Kesan & Carol M. Hayes, Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities, 58 Ariz. L. Rev. 753, 761 (2016) (“Unfortunately, bug bounties are often just a fraction of what the researcher could earn if he or she sold the information to someone else.”).
  71. See Doug Olenick, Marine Corps Bug Bounty Program Finds 150 Vulnerabilities, SC Magazine (Oct. 3, 2018), https://www.scmagazine.com/home/security-news/marine-corps-bug-bounty-program-finds-150-vulnerabilities [https://perma.cc/8E5A-CQCW].
  72. The efficacy of bug-bounty programs has also garnered international repute. Government legislators in Singapore and the United Kingdom are readying VDPs in their respective countries. See Targett, supra note 22; Burgess, supra note 22; Aaron Tan, Singapore Government to Start Bug-Bounty Programme, Comput. Weekly (Sept. 18, 2018), https://www.computerweekly.com/news/252448812/Singapore-government-to-start-bug-bounty-programme [https://perma.cc/U596-H3QK].
  73. See 164 Cong. Rec. H10291, H10316 (daily ed. Dec. 19, 2018).
  74. See 164 Cong. Rec. S7950 (daily ed. Dec. 19, 2018); see also Trump Signs SECURE Technology Act into Law, MeriTalk (Dec. 24, 2018, 10:59 AM), https://www.meritalk.com/articles/trump-signs-secure-technology-act-into-law [https://perma.cc/92UJ-LAEM].
  75. Jack Corrigan, New Laws Call on Homeland Security to Consolidate Its Data and Force Agencies to Improve Their Websites, Nextgov (Dec. 21, 2018), https://www.nextgov.com/policy/2018/12/federal-tech-bills-moved-funding-legislation-stalled/153765 [https://perma.cc/QJP5-48QP].
  76. See 164 Cong. Rec. H10291-H10292 (daily ed. Dec. 19, 2018).
  77. See Trump Signs SECURE Technology Act, supra note 74.
  78. See id.
  79. See Calvin Biesecker, Congress Passes Cyber, Supply Chain Security Legislation, Connecting Innovations with Insight (Dec. 20, 2018), https://www.iiotconnection.com/congress-passes-cyber-supply-chain-security-legislation [https://perma.cc/3PER-2BY3].
  80. See generally Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, H.R.7327 1, 115th Cong. (2018).
  81. See id. § 101(e)(2).
  82. Id. § 102(a)(4).
  83. See Kristen E. Eichensehr, Public-Private Cybersecurity, 95 Tex. L. Rev. 467, 485 (2017); Cassandra Kirsch, The Grey Hat Hacker: Reconciling Cyberspace Reality and the Law, 41 N. Ky. L. Rev. 383, 385 (2014).
  84. See Kirsch, supra note 84, at 385.
  85. See id. at 386.
  86. See id.
  87. See id. The term “security vulnerability” means “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.” 6 U.S.C. § 1501(17) (2012).
  88. See HackerOne, The Hacker-Powered Security Report 2017 5 (2017).
  89. See Aron Laszka et al., The Rules of Engagement for Bug Bounty Programs 1–2, http://aronlaszka.com/papers/laszka2018rules.pdf (last visited Sept. 24, 2019) (“As part of bug bounty programs, organizations allow white hats to perform ethical hacking on their systems, to identify the loopholes that their internal security teams could not identify (given personnel, time, expertise, and cost constraints) and which could become important targets of black hats.”); Deanna Hartley, Grey Hats: Tapping into the Dark Side to Secure Data, Certification Mag. (Oct. 8, 2009), http://certmag.com/gray-hats-tapping-into-the-dark-side-to-secure-data [https://perma.cc/9EXB-BUHN] (“The gray hat concept is the understanding by many people in the information security community that as much as we want to stay away from the adversary . . . the only way we can understand what’s going on is to interact to some degree with that community.”).
  90. The term “trusted hacker” is ostensibly a misnomer because hackers, by their nature, operate along the fringe of criminal activity.
  91. See Joseph Marks, Congress Has Gone Bananas for Bug Bounties but They May Not Always Be the Right Choice, Nextgov (Apr. 4, 2018), https://www.nextgov.com/cybersecurity/2018/04/heres-what-government-gets-wrong-about-bug-bounties/147194 [https://perma.cc/3CSK-8343]. The government has especially sensitive public policy concerns it must weigh, and thus it is imperative that it continue to be diligent in its relationships in selecting contractors, and subsequently, its dealings with the participants.
  92. See generally Shawn E. Tuma, What Does CFAA Mean and Why Should I Care? A Primer on the Computer Fraud and Abuse Act for Civil Litigators, 63 S.C. L. Rev. 26–27 (2011).
  93. U.S. Dep’t of Justice, Computer Crime and Intellectual Property Section, A Framework for a Vulnerability Disclosure Program for Online Systems 1–2 (2017) [hereinafter DOJ, A Framework for a VDP]; see What Is a Vulnerability Disclosure Policy and Why You Need One, HackerOne (Aug. 30, 2018), https://www.hackerone.com/blog/What-Vulnerability-Disclosure-Policy-and-Why-You-Need-One [https://perma.cc/9DHW-UQF9] (describing vulnerability disclosure policies as “the digital equivalent of ‘if you see something, say something’ . . . intended to give . . . clear guidelines for reporting . . . security vulnerabilities to the proper person or team responsible”); HackenProof Guide to Vulnerability Disclosure Policy, Hacken-Proof Blog (Nov. 9, 2018), https://blog.hackenproof.com/industry-news/hackenproof-guide-to-vulnerability-disclosure-policy [https://perma.cc/783A-VXET] (“By publishing a VDP, a company is basically saying that it won’t prosecute or press charges against independent researchers who find vulnerabilities on their assets or products if they follow certain rules.”).
  94. See DOJ, A Framework for a VDP, supra note 94, at 1 n.3 (“[This Framework] is intended as assistance, not authority. Nothing in it is intended to create any substantive or procedural rights, privileges, or benefits enforceable in any administrative, civil, or criminal matter.”).
  95. See Lindsey O’Donnell, Navigating an Uncharted Future, Bug Bounty Hunters Seek Safe Harbors, ThreatPost (July 2, 2018), https://threatpost.com/navigating-an-uncharted-future-bug-bounty-hunters-seek-safe-harbors/133202 [https://perma.cc/94TR-2ZZ2].
  96. See DOJ, A Framework for a VDP, supra note 94, at 2 (“[Examples include] financial data, medical information, proprietary information, and/or customer data or other personally identifiable information”).
  97. See id. This consideration includes, but is not limited to, personal health information. See id.
  98. See supra note 27.
  99. 18 U.S.C. § 1030.
  100. See Data Security and Bug-Bounty Programs: Lessons Learned, Hearing Before the Subcomm. on Consumer Protection, Product Safety, Insurance, and Data Security, 115 Cong. (2018) (Statement of Mr. Mårten Mickos) (noting that the CFAA contains vague wording that has not kept pace with the Internet and calling for urgent reform to “create a safe harbor for individuals that act in good faith to identify and report potential vulnerabilities”); see also Amanda B. Gottlieb, Note, Reevaluating the Computer Fraud and Abuse Act: Amending the Statute to Explicitly Address the Cloud, 86 Fordham L. Rev. 767, 770–71, 777 (2017) (noting that circuits are split on how “authorization” under § 1030(a)(2) should be construed as applied to invited hackers who enjoy limited authorization); see United States v. Nosal, 676 F.3d 854, 864 (9th Cir. 2012) (upholding charges against a man who used another individual’s password to access his former employer’s client database); Justin Peters, America’s Awful Computer-Crime Law Might Be Getting a Whole Lot Worse, Slate (Mar. 25, 2013), https://slate.com/news-and-politics/2013/03/computer-fraud-and-abuse-act-the-cfaa-america-s-awful-computer-crime-law-might-be-getting-a-whole-lot-worse.html [https://perma.cc/CVT6-4CLX ] (calling for CFAA reform, noting that the Act, today, reaches far beyond its original scope and admonishing the harsh penalties it proscribes).
  101. Jamie Williams, New Federal Guidelines For Computer Crime Law Do Nothing to Reign in Prosecutorial Overreach Under Notoriously Vague Statute, Electronic Frontier Found. (Oct. 31, 2016), https://www.eff.org/deeplinks/2016/10/what-were-scared-about-halloween-prosecutorial-discretion-under-notoriously-vague [https://perma.cc/88WQ-8CX2] (referencing the “Rule of Lenity[’s]” purpose to ensure that people have “clear and unambiguous notice in the letter of the law itself of what behavior could land them in prison” and opining that the DOJ’s federal guidelines for prosecution under CFAA give prosecutors “broad discretion”).
  102. See id.
  103. See USENIX Enigma Conference, USENIX Enigma 2018—Hacking the Law: Are Bug Bounties a True Safe Harbor?, YouTube (Feb. 22, 2018), https://www.youtube.com/watch?time_continue=527&v=riZIFOw0pJA [https://perma.cc/BFF3-8S46] (advocating for clear safe harbors for white-hats and researchers taking part in bug bounties); see also Seth Rosenblatt, Bug Bounties Have Bugs of Their Own, The Parallax (Apr. 20, 2018), https://the-parallax.com/2018/04/20/bug-bounties-safe-harbor-rsa-bsides [https://perma.cc/SKX3-TZN4].
  104. Economic Espionage Act of 1996, Pub. L. No. 104-294, § 201, 110 Stat. 3488, 3491–94 (1996).
  105. See H.R. 5112, 98th Cong.—Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (explaining how § 1030 initially protected only classified information, financial records, and credit information stored on computers owned by the government and financial institutions).
  106. See Tuma, supra note 93, at 12, 27, 30 (analyzing the differences between “without authorization” and “exceeding authorized access”); Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596, 1630 (2003) (“Although courts have struggled to distinguish between these two phrases, prohibitions against exceeding authorization appear to reflect concerns that users with some rights to access a computer network could otherwise use those limited rights as an absolute defense to further computer misuse.”).
  107. See Tuma, supra note 93, at 26–27 (noting that the definitions of “unauthorized” and “exceeding authorized access” are “elusive” and that line(s) differentiating the two are “paper thin” and have become “blurred by the courts”). “Without authorization” can be best understood as accessing a computer to which you have no right to access. See id. at 27. “Exceeding authorized access” can be understood as exceeding the bounds of your authorization. See id. at 30. In United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), for instance, an Internal Revenue Service employee was found to have exceeded his “authorized access” to IRS computer systems by viewing taxpayer records unrelated to his profession duties but instead for his own personal, non-work-related curiosities. See id.
  108. Still, the VDP sponsor has broad discretion in its independent determination with regard to prohibiting sensitive information from being “saved, stored, transferred, or otherwise accessed after initial discovery.” DOJ, A Framework for a VDP, supra note 94, at 3. The DOJ recommends that this determination consider directing that “sensitive information be viewed only to the extent required to identify a vulnerability” or limiting access all together. Id.
  109. Id. at 2 n.4.
  110. See id. at 1.
  111. Id. at 6. Additionally, sponsors should identify hacking tactics and techniques that are not authorized for use. Id.
  112. Id. at 2, 7.
  113. See Boyd, supra note 65 (noting that previous bug-bounty contracts were restricted first to public-facing websites and later opened to more sensitive internal systems).
  114. See Marks, supra note 92.
  115. One such criticism is that government agencies often times are tightly budgeted and too understaffed to even keep up with patching the vulnerabilities that they already know about. See id.
  116. See id.
  117. Id.
  118. See id.
  119. See Marks, supra note 92 (“[Those agencies] don’t need outsiders pointing out more bugs in exchange for cash if the problem is keeping up with the volume of bug issues they already know about”).
  120. For instance, if participants have time sensitive questions or seek clarity during their tests, this lack of human resources might raise concerns. Additionally, there are obvious problems that can arise if participants’ malfeasance goes unnoticed.
  121. See Marks, supra note 92.
  122. See id.; see also U.S. Gov’t Accountability Off., GAO-16-501, Information Security: Agencies Need to Improve Controls over Selected High-Impact Systems 2 (2016) (auditing high-impact federal systems and assets and noting that “[w]eaknesses . . . existed in patching known software vulnerabilities and planning for contingencies”). The audit also reported that for certain agencies, the required “time period for installing critical patches ranged from 7 to 30 days” including one workstation patch in particular that was initially released in May 2012 and another in April 2011. Id. at 52.
  123. HackerOne ran Hack the Army. See Hack the Army Results Are In, HackerOne (Jan. 19, 2017), https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In [https://perma.cc/CC4R-YFHD].
  124. Id.
  125. Marks, supra note 92 (“All of that takes time to sort through and reduces the time an agency’s IT staff can spend on its other responsibilities—including patching known vulnerabilities.”).
  126. Id.
  127. Id.
  128. Id.
  129. See James B. Comey, Director, Federal Bureau of Investigation. Address at the Symantec Government Symposium: The FBI’s Approach to the Cyber Threat (Aug. 30, 2016), https://www.fbi.gov/news/speeches/the-fbis-approach-to-the-cyber-threat [https://perma.cc/5WEC-MWRB].
  130. See, e.g., Boyd, supra note 65 (conceding that 2016’s Hack the Pentagon was “a low-cost and low-risk version of what many large private sector companies have had in place for years”); see supra Part C.
  131. Press Release, Department of Defense Expands, supra note 66.
  132. See id.
  133. This Note posits that “success” and “value” should be measured in terms of quality of vulnerabilities, not quantity of vulnerabilities. Protecting against low-level intrusions is important, especially when contemplated in the aggregate, but one intrusion of a larger scale by a bad actor or enemy state can be exponentially more damaging to America.
  134. See supra note 67.
  135. See Improving Public Bug Bounty Programs with Signal Requirements, HackerOne (Mar. 15, 2016), https://www.hackerone.com/blog/signal-requirements [https://perma.cc/8EPF-A3T].
  136. See Mingyi Zhao et al., supra note 26, at 379, 387–88.
  137. See Anthony Caruana, AusCert 2018—The Art of Bug Bounty Programs, Int’l Data Grp. (June 5, 2018), https://www.cso.com.au/article/641936/auscert-2018-art-bug-bounty-programs [https://perma.cc/BJY2-NPUW] (discussing various methods of limiting the scope of a bugbounty offering, including “placing a cap on the number of hackers that participate in the program, and asking for hacking techniques rather than specific bugs”). This equates to teaching the sponsor “how to fish,” rather than simply delivering fish.