January 31, 2020 Public Contract Law Journal

Bug the Bounty Hunter: Recommendations to Congress to Best Effectuate the Purpose of the SECURE Technology Act

by Myles Ashong

Myles Ashong is a J.D. candidate at The George Washington University Law School and a member of the Public Contract Law Journal. He would like to thank Professors Jayna Rust
and Paul Rosenzweig for their direction and feedback in helping edit and write this Note. He is also grateful to Deirdre A. Clarke for her thoughtful engagement and dependable guidance throughout the process.

I.  Introduction: A Cyber Nightmare Is Closer Than You Think: How Can We Ensure That We Are Secure?

Picture this: you are on your way home from work and, as is routine, safely seat-belted in the back seat of a taxi cab, or Uber, or Lyft.1 You have just finished reviewing the last of that day’s e-mail threads from your colleagues at the office and are beginning to mentally decompress. You insert your headphones and turn on your favorite podcast. Suddenly, you feel a jolting acceleration, then a swerve, a skid, and finally a stop. Thankfully safe, you quickly realize that the car is not. You have been involved in a multi-vehicle accident. And your driver claims that it was not his fault. “The car did it,” he claims.2 What if the driver was absolutely right?3

In theory, everything grounded in technology is hackable4 because the human-written, algorithmic code of which it is comprised is inherently imperfect.5 Even when secured by passwords, cellular phones and laptops can be hacked.6 Surprisingly, smart-televisions can be hacked,7 coffee machines can be hacked,8 and intimate dating websites can be hacked.9 Even the Dalai Lama has been hacked.10 This is in large part because since the Internet’s inception in the latter part of the twentieth century, interconnected systems have seen expansive growth and rapid development, both in utility and convenience, and have become omnipresent.11 Correspondingly, the commonness and usefulness of digital and cyber-infrastructure has, too, expanded at a parallel rate.12 This proliferation has provided bad actors and hackers with yet another domain through which they can commit cyberattacks and intrusions on a hosted network without an owner’s consent.13 Fittingly, as former FBI Director Robert Mueller noted, the same roads that enabled the spread of Roman civilization also led invaders to Roman doorsteps.14 In the context of the Internet, this is equally true. Along with its countless benefits, the Internet’s own rapid expansion has paradoxically led to cybersecurity defects, or “bugs,” and other exploitative vulnerabilities.15 As such, the federal government, tasked with the protection and safety of its citizens, has proactively begun increasing investments in research aimed at addressing cybersecurity vulnerabilities and identifying internal vulnerabilities to protect their infrastructures against cybertheft, cyberespionage, and the infiltration of harmful malware.16

One defensive tactic, the “bug-bounty program,” invites hired computer-security experts, also known as “white hat hackers,” to hack into existing infrastructures with the goal of identifying and reporting potentially harmful vulnerabilities to the host.17 Though this “hacker-powered security”18 is a relatively new phenomenon in government, it has solidified its place in mainstream cybersecurity practice after decades of success in identifying and resolving “zero-day vulnerabilities”19 within the private sector. Zero-day vulnerabilities are exploitable vulnerabilities of which a software vendor is not aware and for which no patch has yet been created.20 Google, for example, paid out more than $2.9 million in bounties in 2017, and Apple offers up to $200,000 for the identification of certain vulnerabilities.21 Most recently, the value of the bug bounties in federal government agencies has caught the eye of Congress.22 On January 3, 2018, President Donald Trump signed H.R. 7327 - Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act (the “SECURE Technology Act” or the “Act”) into law.23 The SECURE Technology Act (1) compels the Department of Homeland Security (“DHS”) to establish a security vulnerability disclosure policy (“VDP”); (2) requires DHS to establish a bug-bounty pilot program to minimize vulnerabilities of DHS information systems; and (3) establishes an interagency Federal Acquisition Security Council to set supply-chain risk management standards.24 The SECURE Technology Act aims to advance digital security systems within the federal government, using previously efficacious bug-bounty programs as an instructive mold.25

However, the documented success of completed programs and the prospect of future programs do not evince or guarantee perfection in the application of bug-bounty programs, generally, because these programs have not yet been optimized to reach their full potential.26 There remains ample room for increased clarity, utility, and efficiency in federal bug-bounty offerings. Going forward, it is imperative that federal agencies offering bug-bounty programs seek to ensure to their participants fundamental fairness within criminal and intellectual property law while operating within the bounds of the Computer Fraud and Abuse Act (“CFAA”).27 Unfortunately, it is difficult to harmonize and operate within these competing principles because the usage of government bug bounties as a cybersecurity tool is still a largely novel concept.

This Note argues that the SECURE Technology Act should expand the scope of past bug-bounty programs offered by government agencies to permit hacking attempts against critical and sensitive cyberinfrastructures that contain sensitive, highly sensitive, confidential, or classified materials. For ostensibly obvious reasons regarding reliability and trustworthiness, current and past government bug-bounty programs have been reluctant to grant bug-bounty participants access to sensitive and classified materials.28 This Note recommends a departure from that sentiment in order to best effectuate the purpose of the SECURE Technology Act and receive the best value from the appropriated funds.

Part I of this Note presents a brief overview of past bug-bounty programs offered by the federal government and compares their application to those offered in the private sector. Part II of this Note argues that it would be a misapplication of congressionally appropriated funds to constrain bug-bounty participants to the least difficult systems because, for reasons later discussed, doing so identifies ancillary vulnerabilities without actually making infrastructures any more secure. Finally, Part III of this Note argues that Congress has little to gain from modeling the bug-bounty program mandated by the SECURE Technology Act on past government bug-bounty offerings. To obtain the best value from the congressionally appropriated funds, the SECURE Technology Act must carve out sufficient safe harbor protections for participants and allow those participants to access sensitive security systems. The Act should clearly define its scope and require formalized reports regarding successful vulnerability discoveries and, for unsuccessful attempts, reports that indicate the nature of the attempted intrusions. Finally, in response to anticipated skepticism about the reality of its proposal, this Note posits strict criminal penalties for any participants who are found to have retained data, attempted to retain data, exceeded the government’s scope, or attempted to exceed the government’s scope.
