Hearing of the Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee of the Senate Commerce Committee - Opening Statement of Rep. Nelson, Hearing on Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers

Hearing

Date: Feb. 6, 2018
Location: Washington, DC

Good afternoon. Welcome to the Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee's hearing on "Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers." The Subcommittee will come to order.

Thank you all for being here today to discuss the October 2016 Uber data breach and the allegations against the company regarding impermissible payments to conceal a security incident through its bug bounty program. A bug bounty is a reward offered to someone outside of the company who identifies an error or vulnerability in a computer program or system in connection with a coordinated vulnerability disclosure program. The committee plans to examine the value of these innovative programs and other coordinated approaches to identify cyber vulnerabilities and prevent these types of incidents.

In late 2016, Uber was notified by anonymous sources that certain archived copies of its databases had been compromised. According to a letter in response to an inquiry made by this committee in partnership with the Senate Finance Committee, Uber's security team "took immediate steps to respond to and limit the impact of the incident," including identifying the parties responsible and paying $100,000 to them in exchange for assurances that the compromised data would be deleted.

An independent forensic analysis found that the exposed data included information pertaining to approximately 57 million users in total, from both drivers and riders. 25 million of those affected users were from the United States, and the driver's license numbers of about 600,000 drivers were compromised in the breach.

The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable. Additionally, my colleagues and I seek specific clarification as to what policy safeguards are currently in place to prevent bug bounty programs from being used as extortion pay-out mechanisms in the future.

These substantive concerns, however, should not completely outweigh the overall utility of this innovative, crowd-sourced approach that many industry actors have taken to proactively identify "chinks in their technological armor" through effectively administered bug bounty programs and other cyber vulnerability disclosure efforts.

As the American public becomes more and more dependent on innovative technologies to complete everyday tasks, cybersecurity vulnerabilities pose a direct threat, whether it be through a critical telehealth monitoring system, an autonomous vehicle transporting your family, or access to personally identifiable information. Cyber threats are continuously evolving with the technology we rely on.

My goal for this hearing is to find out exactly what prevented Uber from immediately notifying its users who were impacted by the 2016 breach, the specifics of the related payments and what steps Uber is taking internally to improve its notification protocols. I also want to have a larger discussion on how vulnerability disclosure programs, like bug bounties, can be used effectively to deter cyber threats from harming consumers.

It is my pleasure to introduce our panel today. Thank you all for being here.

Mr. John "Four" Flynn is the Chief Information Security Officer for Uber Technologies, Inc. He is an expert in information security with over 10 years of experience in the field, including leading infrastructure security at Facebook and managing security operations at Google.

Mr. Martin Mickos is the Chief Executive Officer of HackerOne, which is a leading bug bounty firm in the country serving a variety of government and private sector clients, including Uber, in administering their crowd-sourced vulnerability disclosure programs.

Ms. Katie Moussouris is the Founder and CEO of Luta Security, Inc., which advises its clients on vulnerability coordination programs and applicable internal company policies.

Mr. Justin Brookman is the Director for Consumer and Technology Policy for the Consumers Union, which is an independent nonprofit consumer organization. In his role, he focuses on policies related to consumer data privacy and security.

I look forward to hearing the testimonies of this expert witness panel. I now turn to my colleague Ranking Member Blumenthal for his opening remarks.
