DHS cyber strategy to land by mid-May

Homeland Security Secretary Kirstjen Nielsen told lawmakers the agency was looking at how to get into the bug bounty business.


The Department of Homeland Security will issue a national cybersecurity strategy in mid-May, the DHS chief told a key House committee during an oversight hearing.

"It will be shortly, within the next two weeks," DHS Secretary Kirstjen Nielsen told the ranking member of the House Homeland Security Committee on April 26 during a full committee hearing on the agency's fiscal 2019 budget request.

The strategy's release has been anticipated for the past month, but the official deadline has long passed. The National Defense Authorization Act in 2016 directed the DHS secretary to develop a departmental cybersecurity strategy and submit it to Congress within 90 days of the act's passage, so the strategy's official due date was more than a year ago.

Committee Ranking Member Rep. Bennie Thompson (D-Miss.) pressed Nielsen on a firm date for the strategy's release.

Earlier this month, Defense Department officials had said it could be released this summer. Nielsen referenced the strategy in an April 17 speech at the RSA Conference in San Francisco.

"We wanted to make sure we had stakeholders involved" in the strategy, she said. Nielsen said the strategy will rest on four pillars: identifying risks, reducing threats, reducing vulnerabilities and mitigating consequences.

Nielsen also said DHS was paying attention to bug bounty legislation wending its way through Congress. The Senate has passed such a bill, and Homeland Security Committee member Rep. James Langevin (D-R.I.) is sponsoring similar legislation in the House.

Langevin noted that some at DHS "have criticized the idea as being premature without robust vulnerability triage processes."

Nielsen said that "a bug bounty program is a very important tool. It's not a silver bullet, but nothing is. It's an important tool. We look forward to learning the lessons that [the Defense Department] has learned in their own [program]. We're watching the legislation that's going through Congress very closely, and we will prepare on our side the resources and planning to respond to what we find out through the bug bounty program."

Langevin also pressed Nielsen on whether DHS was currently able to accept reports of vulnerabilities in its own networks and systems.

Nielsen said she would work with Langevin and Congress to develop a vulnerability disclosure program covering DHS systems, but she also said that the National Cybersecurity and Communications Integration Center and US-CERT can already field inquiries about possible DHS vulnerabilities.