Ari Schwartz, managing director of cybersecurity services at Venable, discusses a bill in Congress that would make the State Department run a “bug bounty” program, and why civilian agencies have been slow to adopt the security strategy.
A bill making its way through Congress would force the Department of State to organize “bug bounties.” These programs allow hackers to go through computer systems in order to report exploits and vulnerabilities in exchange for money. While most popular in the private sector, bug bounties have been conducted at agencies before, most notably at the Department of Defense. According to Ari Schwartz, managing director of cybersecurity services at Venable, the programs make some civilian agencies feel uneasy. “Civilian agencies are generally underfunded when it comes to cybersecurity, and there has been this effort to boost them up over the last 5 years or so. I think a lot of them feel like they are behind. They are not exactly at the cutting edge of efforts like bug bounty programs,” Schwartz told Government Matters. “One thing to realize about bug bounties is that there’s always this question, ‘are we encouraging people to hack us?’ It helps to ‘cabin’ hackers. To say to them, ‘We want you to look at our systems in this certain way and tell us what the vulnerability is.’ It’s a different type of approach and it makes some of the government lawyers feel uneasy, and the over‑staffed security folks feel a little uneasy as well.”