Congressman McCarthy: We Need War Games for the Digital Realm
Congressman Kevin McCarthy released the following statement in support of H.R. 6735, the Public-Private Cybersecurity Cooperation Act.
"This is a bill that will make our government safer from cyber threats, while also encouraging citizens to be more involved in their government.
"Every year our military takes part in military exercises and war games, often in conjunction with our allies. We do these exercises so that we are ready for the “real thing,” and so that we can anticipate weaknesses before they become tragedies.
"Military exercises are a critical aspect of our ability to deter conflict. But what about in cyberspace? The threats we face in the cyber realm are every bit as real as the threats we face in the South China Sea or in the Middle East.
"During the last administration, we learned that hackers had broken into the Office of Personnel Management and stolen the records of 21.5 million people. These hackers stole fingerprint records. Social Security numbers. They even got the identities of some of our spies overseas.
"The OPM hack was the largest theft of personal information in world history. It put lives at risk.
"And it wasn’t a fluke, either. It was the result of sophisticated hackers—working, we now know, for the Chinese government—who constantly probe our computer systems looking for a way in . . . Looking for a way to break into our government so that they can steal our secrets and weaken us from the inside.
"If we want to prevent the next OPM attack, then we need to harness America’s ingenuity and get serious about finding weaknesses in our computer systems.
"We need war games for the digital realm.
"Thankfully we know that these are possible—and we know that they work.
"In 2016, the Department of Defense ran a pilot program called “Hack the Pentagon.” During this one-month program, the Pentagon offered to pay ordinary citizens if they could find security vulnerabilities on its public-facing websites. In short, the Pentagon challenged Americans to “hack” its systems—to find security weaknesses so that our enemies couldn’t.
"The results of this so-called “bug bounty program” were astounding.
"The first report of a vulnerability was submitted 13 minutes after the start of the program. Thirteen minutes. Within 6 hours of launch, 200 reports had been submitted. By the end of the program, the Pentagon deemed 138 reports “legitimate, unique, and eligible for a bounty.”
"Those reports included critical vulnerabilities that could have allowed hackers to inject viruses into the Pentagon’s system. Thankfully the good hackers got there first.
"And who are these good hackers?
"Some were professional security researchers, who use their talents every day to help companies and non-profits protect their data. But many others were amateurs equipped with nothing but computers and a desire to help their country.
"Case in point: The youngest person to identify a vulnerability in the Pentagon’s system was 14 years old. The total cost of the bug bounty program was roughly $150,000. But the security we gained was priceless.
"So priceless, in fact, that the Pentagon has extended the program indefinitely.
"Not long after Hack the Pentagon, it created a “Vulnerability Disclosure” policy so that any person could notify the Pentagon of weaknesses they find on public-facing websites.
"Within one year of creating this policy, nearly 3,000 legitimate vulnerabilities had been reported. That included more than 100 vulnerabilities deemed “high or critical severity.”
"And the best part is: These vulnerabilities were reported for free.
"The people who helped us didn’t do it for the money; they did it because they knew they could put their talents to work for the sake of the country. That’s patriotism. That’s service.
"And it is a revolution in how we think about cybersecurity.
"The Vulnerability Disclosure policy puts the Department of Defense on the cutting edge of cybersecurity.
"According to the security website HackerOne, just 7% of the top 2,000 companies have a Vulnerability Disclosure policy so that individuals can report problems on their websites.
"It even represents a departure from past government policy. For a long time, hackers could be prosecuted under the Computer Fraud and Abuse Act for reporting security vulnerabilities in good faith. They could actually go to jail for trying to alert the government about dangerous weaknesses in its system.
"Hack the Pentagon shows a different way forward. A way that rewards citizens for putting their talents to use for the sake of the country. A way that puts our cybersecurity to the test in real-life conditions—and makes us safer in the end.
"The bipartisan bill we are considering would extend the strategy of Hack the Pentagon to another government agency that is critical to our safety: The Department of Homeland Security.
"This bill would direct DHS to create a Vulnerability Disclosure policy so that good hackers can legally identify and report weaknesses with DHS websites.
"This bill operates on the principle that there is “strength in numbers,” and that the more people who test a system for weaknesses, the more weaknesses will be discovered.
"I know that this program will make America more secure. Not only that—it will open up a new avenue for public service in our country. I think we would all agree that it is noble when private citizens sacrifice their time and comfort for the sake of our country.
"Just think of volunteer firefighters, law enforcement, first responders like the so-called “Cajun Navy”—private boat owners who come to the rescue of people affected by storms like Hurricane Florence.
"This bill gives another group of citizens an outlet for vital public service. It empowers the many good hackers so they can protect us from the virtual army of bad hackers who want to do us harm.
"The OPM hack shows what is at stake if we get cybersecurity wrong.
"If we don’t allow the good hackers to find these vulnerabilities first—rest assured the bad hackers will. That is why I strongly urge my colleagues to support this bill."