BREAK IN TRANSCRIPT
Mr. TED LIEU of California. Mr. Speaker, I thank Representative Engel for yielding.
Mr. Speaker, I rise today in support of my legislation, H.R. 5433, the Hack Your State Department Act, that I co-authored with my friend, Ted Yoho of Florida.
Over the years, the State Department has faced mounting cybersecurity threats from both criminal enterprises and state-sponsored hackers. In 2014, for instance, the Department was infiltrated by Russian hackers and had to temporarily shut down its email system.
Just last week, the State Department suffered another cybersecurity breach that exposed the personal information of a number of its employees.
As an agency with a critical national security role, we must do more to protect the State Department's cybersecurity. If there is any doubt that diplomatic cables cannot be sent to Washington securely or if sensitive diplomatic subjects are revealed, it jeopardizes the whole operation.
As a recovering computer science major, I recognize that there are proven tools at our disposal to improve cybersecurity that the Department has yet to adopt. One such tool is to enlist the help of America's top security researchers to find weaknesses in our cybersecurity. This legislation will bring that tool to the State Department after it has been proven successful in both the private sector, as well as at the Pentagon.
My legislation will do two things. The first step of this bill is to establish what is called a vulnerability disclosure process, which sets clear rules of the road so that, when people outside the Department discover vulnerabilities on Department systems, they can report them in a safe, secure, and legal manner with the confidence that the Department will actually fix the problems.
We cannot afford to allow vulnerabilities discovered in the wild to remain known to hackers but unknown to the Department. This should be an easy fix.
The second step is to actually pay vetted white-hat hackers to find vulnerabilities. The Department of Defense proved the success of their bug bounty program back in 2016. Over a 24-day period, the Pentagon learned of and fixed over 138 vulnerabilities in its systems.
A 2017 report to the President on Federal IT modernization stated: "Agencies must take a layered approach to penetration testing. . . . At a bare minimum, agencies should establish vulnerability disclosure policies. . . . Agencies should also identify programs that are appropriate to place under public bug bounty programs such as those run by the Department of Defense or GSA."
Today, with H.R. 5433, the House of Representatives is taking these recommendations to heart and helping to improve cybersecurity at the Department of State.
Mr. Speaker, I would like to thank Representative Yoho for partnering with me on this important legislation. I would like to thank Chairman Royce, Ranking Member Engel, and their staff for moving this bill through our committee.
BREAK IN TRANSCRIPT