Calling all white hats: Government contractors will be open for audits if this bill passes

A South Carolina Republican wants big contractors to set up VDPs.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

If hunting for secret back doors in Raytheon or Deloitte’s systems sounds like your idea of a wild Friday night, you’re in luck.

A bill introduced Aug. 22 and reported on by The Messenger would require contractors that do $250,000 or more in business with the government to implement vulnerability disclosure programs (VDPs), a framework that enables well-meaning netizens to flag cyber weaknesses to the companies.

“The Federal Cybersecurity Vulnerability Reduction Act will play a crucial role in safeguarding our nation’s digital infrastructure,” bill sponsor Rep. Nancy Mace, R-SC, said in a statement. “This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information.”

There’s already a strong ecosystem around VDPs, as they’re a recognized way to ferret out security lapses in public-facing infrastructure, and government agencies are already required to run them.

Ilona Cohen, chief legal and policy officer at HackerOne, told IT Brew that the cybersecurity platform partnered with Mace on the bill because it aims to fill important security gaps.

The massive Office of Personnel Management breach in 2015—which exposed 20 million individuals’ background-check information—spurred the government to launch the then-controversial Hack the Pentagon bug bounty program and ultimately led the government to require VDPs for agencies, Cohen said. Mace’s bill shows even more progress toward shoring up federal cybersecurity, she said.

“Over time, there really has been just a huge amount of support for VDPs in the federal government,” Cohen said. “From the time when there was a bunch of hand-wringing over whether or not you should invite hackers in to ‘hack the Pentagon’ to today, we’ve really seen the full gamut there, from partial acceptance to wholehearted acceptance.”

The government and its contracting partners don’t have the best track record when it comes to avoiding breaches. Aside from the OPM breach, Russian hackers hit agencies including the Department of Energy in June; a two-year Russian campaign spied on and exfiltrated data from federal defense contractors; and a single SolarWinds software update compromised a host of agencies and private companies, to name a few flubs.

If Mace’s bill becomes law, at least the good guys will have a shot at spotting cybersecurity vulnerabilities before Russia does.

“In some ways, the work is already being done, right? Because people are already finding vulnerabilities in these systems,” Cohen said. “The difference here is, now you are creating a mechanism for allowing these ethical hackers to report.”

Mace’s office didn’t respond to IT Brew’s request for comment by publication.