Last week, the House voted to approve H.R. 6735, a bill that directs the Homeland Security Secretary to establish a vulnerability disclosure policy for the agency’s websites. This was a swift decision — The House Homeland Security Committee advanced this bill just last week — as well as a timely one. Crowdsourced security has been on the forefront in Washington these last few weeks with the White House’s National Cybersecurity Strategy squarely focused on adoption of this model.
“The United States Government will also promote regular testing and exercising of the cybersecurity and resilience of products and systems during development using best practices from forward-leaning industries. This includes promotion and use of coordinated vulnerability disclosure, crowd-sourced testing, and other innovative assessments that improve resiliency ahead of exploitation or attack.”
As I mentioned in my blog post last week, these are important and necessary moves. We’ve taken a few more steps forward in addressing the enormous attack surface represented by the U.S. Government and the increasing threat from nation-state and criminal hacking groups.
We have seen some progress in this area over the last few years with the first federal CISO, Greg Touhill, appointed as part of the Cybersecurity National Action Plan of 2016. However, with that role unfilled since the the change of administration, progress has been slow.
The news over recent weeks indicates the tide is shifting, and that those tasked with speaking on behalf of the people of the United States are realizing the priority that cybersecurity deserves in governmental structure. Last week the House Oversight and Government Reform Committee also forwarded two bills Thursday aimed at upgrading and securing federal technology. Part of this would be formalizing the roles of CIO and CISO. This is incredibly important if we are to achieve the goals outlined in the National Cybersecurity Strategy, among others.
What has been a slow evolution over the last few years has caught fire over the last few months with the public sector following the mass adoption of crowdsourced security in the private sector. At Bugcrowd we work with more than 50 different industries — and adoption is accelerating every quarter.