[Senate Hearing 115-656]
[From the U.S. Government Publishing Office]

S. Hrg. 115-656

DATA SECURITY AND BUG BOUNTY PROGRAMS: LESSONS LEARNED FROM THE UBER BREACH AND SECURITY RESEARCHERS

=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND DATA SECURITY OF THE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION

FEBRUARY 6, 2018

Printed for the use of the Committee on Commerce, Science, and Transportation
Available online: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
37-302 PDF          WASHINGTON : 2019

SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED FIFTEENTH CONGRESS
SECOND SESSION

JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi
BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri
MARIA CANTWELL, Washington
TED CRUZ, Texas
AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska
RICHARD BLUMENTHAL, Connecticut
JERRY MORAN, Kansas
BRIAN SCHATZ, Hawaii
DAN SULLIVAN, Alaska
EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada
TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma
GARY PETERS, Michigan
MIKE LEE, Utah
TAMMY BALDWIN, Wisconsin
RON JOHNSON, Wisconsin
TAMMY DUCKWORTH, Illinois
SHELLEY MOORE CAPITO, West Virginia
MAGGIE HASSAN, New Hampshire
CORY GARDNER, Colorado
CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana
JON TESTER, Montana

Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Renae Black, Senior Counsel

SUBCOMMITTEE ON CONSUMER PROTECTION, PRODUCT SAFETY, INSURANCE, AND DATA SECURITY

JERRY MORAN, Kansas, Chairman
RICHARD BLUMENTHAL, Connecticut, Ranking
ROY BLUNT, Missouri
TED CRUZ, Texas
AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska
EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada
TOM UDALL, New Mexico
JAMES INHOFE, Oklahoma
TAMMY DUCKWORTH, Illinois
MIKE LEE, Utah
MAGGIE HASSAN, New Hampshire
SHELLEY MOORE CAPITO, West Virginia
CATHERINE CORTEZ MASTO, Nevada
TODD YOUNG, Indiana

C O N T E N T S

Hearing held on February 6, 2018
Statement of Senator Moran
    Letter dated November 17, 2017 to Dara Khosrowshahi, Chief Executive Officer, Uber Technologies, Inc. from Hon. John Thune, Hon. Jerry Moran, Hon. Orrin Hatch and Hon. Bill Cassidy, M.D.
    Response letter dated December 11, 2017 to Hon. John Thune, Hon. Jerry Moran, Hon. Orrin Hatch and Hon. Bill Cassidy, M.D. from Dara Khosrowshahi, Chief Executive Officer, Uber Technologies, Inc.
Statement of Senator Blumenthal
    Prepared statement of Kathleen McGee, Chief of the Bureau of Internet & Technology, New York State Office of the Attorney General
    Letter dated February 5, 2018 to Hon. Jerry Moran and Hon. Richard Blumenthal from Representatives Jan Schakowsky and Ben Ray Lujan
    Letter dated February 5, 2018 to Senator John Thune and Senator Bill Nelson from Marc Rotenberg, President, EPIC; and Christine Bannan, Administrative Law and Policy Fellow, EPIC
Statement of Senator Nelson
    Prepared statement
Statement of Senator Cortez-Masto
Statement of Senator Blunt

Witnesses

John Flynn, Chief Information Security Officer, Uber Technologies, Inc.
    Prepared statement
Marten G. Mickos, CEO, HackerOne
    Prepared statement
Katie Moussouris, Founder and CEO, Luta Security
    Prepared statement
Justin Brookman, Director, Privacy and Technology Policy, Consumers Union
    Prepared statement

Appendix

Response to written questions submitted to John Flynn by:
    Hon. Jerry Moran
    Hon. Brian Schatz
Response to written questions submitted to Marten G. Mickos by:
    Hon. Jerry Moran
    Hon. Brian Schatz
Response to written questions submitted to Katie Moussouris by:
    Hon. Amy Klobuchar
    Hon. Brian Schatz
Response to written questions submitted to Justin Brookman by:
    Hon. Amy Klobuchar
    Hon. Brian Schatz

DATA SECURITY AND BUG BOUNTY PROGRAMS: LESSONS LEARNED FROM THE UBER BREACH AND SECURITY RESEARCHERS

TUESDAY, FEBRUARY 6, 2018

U.S. Senate,
Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security,
Committee on Commerce, Science, and Transportation,
Washington, DC.

The Subcommittee met, pursuant to notice, at 3 p.m. in room SR-253, Russell Senate Office Building, Hon. Jerry Moran, Chairman of the Subcommittee, presiding.

Present: Senators Moran [presiding], Blumenthal, Blunt, Nelson, and Cortez-Masto.

OPENING STATEMENT OF HON. JERRY MORAN, U.S. SENATOR FROM KANSAS

Senator Moran. Good afternoon. Welcome to the Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee's Hearing on "Data Security and Bug Bounty Programs." The Subcommittee will come to order.

Thank you all for being here today to discuss the October 2016 Uber data breach and the allegations against the company regarding impermissible payments to conceal a security incident through its Bug Bounty Program. A bug bounty is a reward offered to someone outside of the company who identifies an error or vulnerability in a computer program or system in connection with the Coordinated Vulnerability Disclosure Program. The Committee plans to examine the value of these innovative programs and other coordinated approaches to identify cyber vulnerabilities and prevent the types of instances that have occurred and, unfortunately, will probably occur in the future.
In late 2016, Uber was notified by anonymous sources that certain archived copies of its database had been compromised. According to a letter in response to an inquiry made by this Committee, in partnership with the Senate Finance Committee, Uber's Security Team "took immediate steps to respond to and limit the impact of the incident," including identifying the parties responsible and paying $100,000 to them in exchange for assurances that the compromised data would be deleted.

I have a letter and Uber's response that I would ask unanimous consent to be submitted for the record. Without objection.

[The information referred to follows:]

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

Uber
December 11, 2017

Hon. John Thune, Chairman, Committee on Commerce, Science, and Transportation, Washington, DC.
Hon. Jerry Moran, Chairman, Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Protection, Washington, DC.
Hon. Orrin Hatch, Chairman, Committee on Finance, Washington, DC.
Hon. Bill Cassidy, M.D., Chairman, Subcommittee on Social Security, Pensions, and Family Policy, Washington, DC.

Dear Chairmen Thune, Hatch, Moran, and Cassidy:

Thank you for your letter dated November 27, 2017, requesting more information regarding the data security incident we announced on November 21, 2017. Thank you also for the interest shown and the time taken by your committee staff during our briefing on December 4, 2017.

As Uber's new CEO, I am committed to setting our course for the future, which begins with building a company that everyone can trust and be proud of. For that to happen, we have to be honest and transparent as we work to repair our past mistakes.

I appreciate the depth and range of interest reflected in the questions posed in your letter and at our briefings. As we described when we met with your staff, we think it is important for you to get the facts from us directly.
Our work on this matter remains ongoing, but we are now able to share the information below, and we appreciate the opportunity to share more as it develops.

On November 14, 2016, Uber's security team received e-mails from an anonymous individual who claimed to have accessed Uber data and demanded payment. Uber investigated and determined that the individual and another person working with him had obtained access to certain archived copies of Uber databases and files located on Uber's private cloud data storage environment on Amazon Web Services. Uber determined the means of access, shut down a compromised credential, and engaged in communications with the outside actors. To the best of Uber's knowledge, the outside actors' access began on October 13, 2016, and there was no further access by the actors to Uber's cloud storage after November 15, 2016.

Uber's security team took immediate steps to respond to and limit the impact of the incident, including engaging in immediate and then ongoing communications with the original outside actor and a second individual subsequently identified to have been working with him. Uber agreed to pay the money demanded in exchange for an agreement to delete the data. Uber eventually paid $100,000 to the two individuals combined. The payment was made in December 2016 through HackerOne (www.hackerone.com), which Uber uses for its Bug Bounty program.

Uber also worked to identify the real names and identities of the outside actors. It was successful in this effort, and it thereafter engaged in further communications with the two individuals using their real identities, including having them sign assurances that the data was destroyed.

Although Uber mitigated damage precipitated by the breach, two of the Uber employees who led the response failed to disclose the incident to the appropriate parties. Uber does not know why these individuals failed to discharge properly their responsibility, but they were terminated as a result.
Mandiant, an independent cybersecurity firm, conducted a forensic analysis of the data at issue. Mandiant found no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded. They found that the data includes:

- Information pertaining to approximately 57 million users (both riders and drivers) worldwide, including approximately 7.7 million drivers. Approximately 32 million of these individuals are outside the United States. Approximately 25 million users are inside the United States.

- For nearly all users, the downloaded files included names, e-mail addresses, and mobile phone numbers.

- In some cases, the files also included other information collected from or created about users by Uber, such as Uber internal user IDs (UUIDs); the UUIDs of a user who invited another user to sign up with Uber or whom users shared rides with if they had opted into certain programs; a small number of short driver-related notes; certain one-time locational information, such as the latitude and longitude corresponding to the location where the user first signed up for the Uber service; and other account information, including user tokens and hashed and salted versions of user passwords.

- For approximately 600,000 of the 7.7 million drivers, the files also included a driver's license number. Virtually all of these individuals are in the United States.

Uber provided individual notice to drivers with driver's license numbers in the data set starting on November 22, 2017, in most cases by mail but via e-mail if Uber has no mailing address for the individual on file. That notification offered one-year complimentary credit and identity theft protection services from Experian and provided information on how to sign up. Uber also provided information pages for riders and drivers on its website.
Uber notified the United States Attorney's Offices for the Southern District of New York and for the Northern District of California, the Federal Trade Commission, the attorneys general of states with a regulator notice requirement in their data breach law, and the Dutch Autoriteit Persoonsgegevens (data protection authority, our lead regulator for user data outside the United States) on November 21, 2017. Uber is continuing to provide information as requested on an ongoing basis to regulators, law enforcement, and government entities worldwide.

We note that some of your questions relate to other ongoing legal proceedings and investigations to which the company is a party, including the Federal Trade Commission's ongoing investigation, which remains open. We do not here comment on other ongoing legal proceedings and investigations.

In addition to the steps taken to confirm the data taken had been destroyed, Uber has not seen evidence of fraud or misuse tied to the incident; it is monitoring the affected accounts and has flagged them for additional fraud protection.

As to Uber's privacy and data security practices generally, Uber's privacy policies detail what information it collects relating to riders and drivers and how it uses and discloses that information. Uber's current privacy policy is available at https://privacy.uber.com/policy, and that page also contains a link to Uber's previous policy, dated from 2015. (Uber's 2013 privacy policy is available on archive.org as well.) Uber provided notice of both the 2015 and 2017 revisions by e-mail to users.

Uber's data security practices include access controls, multi-factor authentication, credential management systems, and use of encryption in transit and, where technically feasible, at rest. This particular incident (as we discussed in our recent briefings with your staff) nonetheless occurred because, unfortunately, the outside actors determined valid Uber login credentials for a particular workspace.
After this incident (and well before providing notice of it in November 2017), Uber put in place several additional protections designed to mitigate the chance that the same form of intrusion could succeed today, such as adding two-factor authentication to one of the services that was involved in this incident.

Thank you for the opportunity to share this information with you. Please know that we take this matter very seriously, and Uber is available to help answer any additional questions you may have.

Sincerely,
Dara Khosrowshahi,
CEO, Uber Technologies, Inc.

Senator Moran. An independent forensics analysis found that the exposed data included information pertaining to approximately 57 million users in total, both drivers and riders. 25 million of those affected users were from the United States, and driver's license numbers of about 600,000 drivers were compromised in the breach.

The fact that the company took approximately a year to notify impacted users raises red flags within this committee as to what systematic issues prevented such time-sensitive information from being made available to those left vulnerable. Additionally, my colleagues and I seek specific clarification as to what policy safeguards are currently in place to prevent bug bounty programs from being used as extortion pay-out mechanisms in the future.

These substantive concerns, however, should not completely outweigh the overall utility of this innovative crowd-sourced approach that many industry actors have taken to proactively identify chinks in their technological armor through effectively administered bug bounty programs and other cyber vulnerability disclosure efforts. As the American public becomes more and more dependent on innovative technologies to complete everyday tasks, cyber security vulnerabilities pose a direct threat.
Whether it's through a critical telehealth monitoring system, an autonomous vehicle transporting your family, or access to personally identifiable information, cyber threats are continuously evolving with the technology we rely on.

My goal for this hearing is to find out exactly what prevented Uber from immediately notifying its users who were impacted by the 2016 breach, the specifics of the related payments, and what steps Uber is taking internally to improve its notification protocols. I also want to have a larger discussion of how vulnerability disclosure programs, like bug bounties, can be used effectively to deter cyber threats from harming consumers.

It's my pleasure to introduce our panel today, and I again express, as I expressed to you personally, my gratitude for your presence here today.

Mr. John "Four" Flynn is the Chief Information Security Officer for Uber Technologies. He's an expert in information security with over 10 years' experience in the field, including leading Infrastructure Security at Facebook and managing Security Operations at Google.

Mr. Marten Mickos is the Chief Executive Officer of HackerOne, which is a leading bug bounty firm in the country, serving a variety of government and private sector clients, including Uber, and administering their Crowd Source Vulnerability Disclosure Programs.

Ms. Katie Moussouris is the Founder and CEO of Luta Security, Inc., which advises its clients on vulnerability coordination programs and applicable internal company policies.

And, finally, Mr. Justin Brookman is the Director of Consumer and Technology Policy for the Consumers Union, which is an independent nonprofit consumer organization. In his role, he focuses on policies related to consumer data privacy and security.

I look forward to the testimony of these experts on our witness panel. I now turn either to the Ranking Member of the Full Committee or the Ranking Member of the Subcommittee for their opening remarks. Gentlemen.
The Senator from Connecticut.

STATEMENT OF HON. RICHARD BLUMENTHAL, U.S. SENATOR FROM CONNECTICUT

Senator Blumenthal. Thank you. Thank you very much, Mr. Chairman, and I'd like to thank you and the Chairman as well as our Ranking Member for holding this hearing, which is truly of paramount importance to consumers in our country.

There ought to be no question here that Uber's payment of this blackmail without notifying consumers who were gravely at risk was morally wrong and legally reprehensible and violated not only the law but also the norm of what should be expected. At the same time that Uber was negotiating with its blackmailers, it also was speaking with the Federal Trade Commission about a smaller 2014 breach affecting the personal information of more than 100,000 Uber drivers. Drivers and riders were not informed of the breach that brings us here today. Neither were law enforcement authorities. It was not only kept secret, but the company paid those hackers a $100,000 ransom to destroy evidence and keep quiet. In effect, it was almost a form of obstruction of justice.

The Online Trust Alliance says that 93 percent of all breaches in 2017 did not stem from software vulnerabilities. They were the result of poor security protocols, like failing to update software, use e-mail authentication, and train people to recognize phishing attacks. These kinds of weaknesses are readily correctable, and the industry has a responsibility for doing it.

We've had repeated hearings, and we ought to be demanding more action of law enforcement authorities as well as the industry over the years. In fact, we've had one hearing after another focused on data breaches. Very recently, we heard from the current and former heads of Equifax and Yahoo following their historic breach disasters.
A piecemeal after-the-fact approach would be better served if the Commission, the Federal Trade Commission, were able to prescribe rules that prevent these kinds of data breaches by requiring reasonable security practices in the first place, and that's why the Ranking Member and I, Ranking Member Nelson, who's here today, reintroduced the Data Security and Breach Notification Act. This bill directs the FTC to develop robust, flexible rules that require businesses to adopt reasonable security protocols to protect consumers' personal information from unauthorized access and establish strong breach notification requirements.

Whether driving a ride-share or calling a ride-share, individuals expect companies collecting their sensitive personal information to do everything in their power to protect their data and their security and privacy, and to notify them promptly when there is a breach that endangers those consumers and riders. These kinds of expectations are not unreasonable or inflated. These expectations are realistic. They are commonsense measures that all Americans have a right to expect, and I look forward to hearing from the witnesses.

Thank you, Mr. Chairman.

Senator Moran. Thank you, Senator. The Senator from Florida, we're honored to have the Ranking Member of the Full Committee with us today, Senator Nelson.

STATEMENT OF HON. BILL NELSON, U.S. SENATOR FROM FLORIDA

Senator Nelson. Mr. Chairman, thank you very much, and what Senator Blumenthal has just said, the legislation is out there. We will continue to work with the Chairman of the Full Committee, Senator Thune, in order to try to get meaningful data security legislation, but any such bill cannot simply cater to corporate interests. A bipartisan bill must provide consumer protections that are better than is in the current law, and why is this? Well, this hearing today is just the latest edition in a long history of hearings that this Full Committee has held on high-profile data breaches.
Uber now joins Equifax, Yahoo, Target, Sony, and the University of Maryland, among others, as a breached entity telling a story to this committee and to Congress, and this story at this hearing only once again underscores the need for comprehensive and strong Federal legislation to provide the protections.

Currently, the FTC is the key Federal agency that's bringing enforcement actions against the breached companies that have collected and stored vast amounts of consumer data, unfortunately, with lax security standards. A myriad of state laws currently provide American consumers with a limited degree of protection. So we should not adopt Federal legislation that undercuts the FTC's existing longstanding well-established authority, nor should we consider a bill that eviscerates all state legal protections and replaces them with weak Federal standards.

From this Senator's standpoint, and I think Senator Blumenthal's, we can support only a data security bill that provides consumers with protections that are stronger than the current ones. It would be better for Congress to pass no bill than to pass a bill that provides less protection to the consumers compared to the status quo.

So thank you, Mr. Chairman, for having this hearing.

[The prepared statement of Senator Nelson follows:]

Prepared Statement of Hon. Bill Nelson, U.S. Senator from Florida

Today's hearing is the latest edition in a long history of hearings that the Commerce Committee has held on high profile data breaches. Uber now joins Equifax, Yahoo, Target, Sony, and the University of Maryland, among others, as a breached entity telling its story to this committee and to Congress. And this story at this hearing only once again underscores the need for comprehensive and strong Federal legislation that will provide adequate protections to consumers.
In this regard, Senator Blumenthal and I have once again introduced such legislation, the Data Security and Breach Notification Act, which would require companies to secure their data and to promptly notify consumers when there is a breach. The bill would also impose criminal penalties on corporate officials that willfully disguise breaches from the public, and it would provide for robust enforcement by the Federal Trade Commission and state attorneys general working together to hold companies accountable.

As in previous Congresses, I will continue to work with Chairman Thune and other interested members of the committee to craft bipartisan and meaningful data security legislation. However, any such bill cannot simply cater to corporate interests. A bipartisan bill must provide consumer protections that are better than what is in current law.

Currently, the FTC is the key Federal agency that is bringing enforcement actions against breached companies that collected and stored vast amounts of consumer data with lax security standards in place. And a myriad of state laws currently provide American consumers with a limited degree of protection from data breaches. We should not adopt Federal legislation that undercuts the FTC's existing, long-standing and well-established authority; nor should we consider a bill that eviscerates all state legal protections and replaces them with weak Federal standards.

From my standpoint, I can only support a data security bill that provides consumers with protections that are stronger than current ones. It would be better for Congress to pass no bill at all than pass a bill that provides consumers with fewer protections than under the status quo.

Thank you again, Mr. Chairman. I look forward to hearing from our witnesses.

Senator Moran. You're welcome, Senator Nelson. Thank you for joining us. We're now ready for the testimony of our witnesses, and I would call on Mr. Flynn for his opening statement. Thank you.
STATEMENT OF JOHN FLYNN, CHIEF INFORMATION SECURITY OFFICER, UBER TECHNOLOGIES, INC.

Mr. Flynn. Thank you, Mr. Chairman. Mr. Chairman, Ranking Member Blumenthal, and members of the Subcommittee, my name is John Flynn, and I serve as the Chief Information Security Officer of Uber. I'm grateful for the opportunity to testify today regarding bug bounty programs, the 2016 data security incident at Uber, and lessons that we have all learned from this incident. I'm honored to be here with an esteemed panel of people who have brought such an important security practice to companies worldwide.

Today, I'd like to focus on three topics. First, bug bounty programs and the important role they play in the never-ending battle against cyber threats. Second, the 2016 data security incident at Uber, where I worked to determine how the intrusion occurred and close the gaps that the intruders exploited. Third, the lessons learned and additional layers of protections that we've implemented.

Bug bounty programs are a critically important tool. In addition to internal security efforts, they are widely used as part of a comprehensive data security program. Bug bounty programs are an invitation to outside experts to search for vulnerabilities and report them. In exchange, companies offer rewards in recognition of that work. Monetary bounties can range from hundreds of dollars to hundreds of thousands of dollars. Some companies offer non-monetary rewards, including branded apparel or public recognition.

Because of the security benefits of bug bounty programs, many major technology companies use them, including Uber, Google, Facebook, Microsoft, and others. The U.S. Government also has bug bounty programs, including at the Department of Defense. Since we publicly launched our program in 2016, Uber's Bug Bounty Program has assisted in resolving more than 800 vulnerabilities and paid about $1.3 million in bounties.
It has achieved very significant improvements for a relatively modest expenditure, including addressing a bug in the SSH Authentication System and a remote code execution bug in one of our websites.

The 2016 data security incident unfolded in a way that's entirely different than a typical bug bounty. On November 14, 2016, our Security Team received e-mails from an anonymous individual who claimed to have access to Uber data and demanded a six-figure payment. We investigated the incident and assembled an Incident Response Team. The team of technical experts, which I directed, quickly determined the means of access and shut down the compromised credentials.

Specifically, our first step was to validate the intruder's claims. We determined that the data came from backup files stored in an AWS S3 bucket. We next determined the intruder gained access to AWS S3 through credentials contained within code on a private repository on GitHub. Despite the limited information, we locked down the point of entry within 24 hours.

Separately, our Chief Security Officer Joe Sullivan led an effort to identify the intruders, a process we call attribution. Although I was not directly involved, I understand that the Attribution Team used various methods, including forensics, to gather further information on the intruders. It ultimately ascertained the identities of both intruders, made contact, and received assurances that the data had been destroyed.

As you know, Uber paid the intruders $100,000 through HackerOne and our Bug Bounty Program. Our primary goal in paying the intruders was to protect our customers' data. However, this was not done consistent with the way our Bug Bounty Program normally operates. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited that vulnerability in a malicious fashion to access and download data and made extortion demands.
We recognize that the Bug Bounty Program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company. My written testimony contains additional details regarding the contents of the data.

While the incident remains under investigation by the company and others, I echo statements by Uber's new leadership that it was wrong to not disclose the breach earlier. We are working to make transparency and honesty core values of our company, which I am gratified to see.

Thank you again for the opportunity to appear and testify today. I would be happy to answer your questions.

[The prepared statement of Mr. Flynn follows:]

Prepared Statement of John Flynn, Chief Information Security Officer, Uber Technologies, Inc.

Mr. Chairman, Ranking Member Blumenthal, and members of the Subcommittee, my name is John Flynn. Since July 2015, I have served as the Chief Information Security Officer for Uber Technologies, Inc. I am grateful for the opportunity to testify today regarding bug bounty programs, the 2016 data security incident at Uber, and lessons that we--and the broader technology community--have learned from that incident. I am honored to be on such an esteemed panel with people who have brought such an important security practice to companies worldwide.

Before addressing today's topics, I would like to tell you a little about myself. My parents were USAID diplomats and Peace Corps volunteers. After studying computer engineering at the University of Minnesota, I too joined the Peace Corps. As a Peace Corps volunteer, I served for more than two years in Belize, where I helped lead a program that ensured teachers had access to computers and I taught classes on information security. After the Peace Corps, I attended night classes to obtain a master's degree in computer science while working full time as a Security Engineer at the George Washington University here in Washington.
Before joining Uber, I held positions as an Information Security Manager at Google, and as an Information Security Director at Facebook. I have spent over a decade working on highly technical data security issues, during a period in which data security has expanded dramatically as a field and as a paramount priority for the technology industry and the country.

I would like to focus on three topics in my testimony today.

First, I have significant experience with bug bounty programs from working for multiple companies, and will explain the important role that such programs play in the never-ending battle against cyber threats.

Second, I will provide my perspective on the 2016 data security incident at Uber. My primary involvement in that matter was on the technical side, working under our chief security officer, and leading the effort to determine how the intrusion occurred and then to close the gaps that intruders exploited. While I am in a strong position to address the technical aspects of that incident, I was not actively involved in the process of identifying the intruders or interacting with the intruders once they were identified by others.

Third, we learned valuable lessons from the 2016 incident, and I will describe the additional layers of protection and other enhancements that we have implemented to secure our users' data and minimize the risk of future intrusions.

Importance of Bug Bounty Programs

Bug bounty programs are a critically important tool and widely used as part of comprehensive data security programs. Of course, bug bounty programs do not take the place of dedicated internal security teams who work throughout the entire software development lifecycle to detect and repair vulnerabilities. At Uber, there are multiple teams of specialized experts constantly working to ensure that our systems are secure. My team consists of more than 100 people with experience in technical areas of security.
Our security efforts generally involve the following: (1) controlling access to our systems and services; (2) using security by design principles during the planning process; (3) auditing and testing code during development and throughout its lifecycle; (4) monitoring for threats; and (5) managing ongoing reinforcement and patching processes to protect our systems and software from reported vulnerabilities. Bug bounty programs are a useful addition to these steps.

Let me briefly explain bug bounty programs. All complex systems have ``bugs''--imperfections unintentionally written within the software's code. Sometimes these bugs create vulnerabilities, which could be exploited by an intruder to gain access to confidential data. Security teams across the industry, including those at Uber, invest heavily in preventing and identifying as many of these bugs as we can before code is updated in our products. However, due to the evolving nature of software, programmers continuously update code by augmenting, rewriting, and overwriting their prior work. That process inevitably results in unexpected errors and vulnerabilities. To help mitigate this reality, bug bounty programs allow companies to access additional skilled individuals to augment our in-house engineers. This outside perspective is also valuable in providing a fresh set of eyes and new ways of thinking to help our security teams address various challenges with innovative solutions.

Typically, a bug bounty program is an invitation for outside experts (commonly referred to as ``researchers'') to search voluntarily for vulnerabilities and report them to the company or government agency that is the sponsor of the particular bug bounty program. This is supposed to be done pursuant to specific guidelines, as well as defined parameters regarding the types of systems that should be searched. For example, Uber posts a ``treasure map'' online to tell our researchers where to look for bugs in our systems.
It points our researchers to the systems we care the most about. Companies typically offer rewards, or ``bounties,'' in recognition of the work performed by the researchers. Monetary bounties vary in size, from hundreds of dollars to hundreds of thousands of dollars, depending on the severity of the bug. Companies may also offer physical items, such as branded apparel, commemorating bugs that are found, as a non-monetary reward for the researcher. ``Street cred'' and public recognition also go a long way to motivate researchers, so many companies publish information about the most impressive bugs found.

Not surprisingly, the security benefits of bug bounty programs have motivated many major technology companies, including Uber, Google, Facebook, Microsoft, and others, to implement bug bounty programs. Moreover, the U.S. Government also has recognized the value of bug bounty programs to protect its sensitive information technology systems. For example, the U.S. Department of Defense has bug bounty programs such as ``Hack the Pentagon'' and ``Hack the Air Force,'' which the Department has operated with great success. In addition, last July, the Computer Crime and Intellectual Property Section of the U.S. Department of Justice issued A Framework for a Vulnerability Disclosure Program for Online Systems, which provides helpful guidance on how to design and operate a bug bounty program.

In 2015, when I joined the company, one of the first things we did to improve security was launch a bug bounty program. This was a private ``beta'' program and included about two hundred researchers who helped us identify and remediate nearly 100 bugs. Following the success of our beta program, we launched a public bug bounty program in March 2016. Our current program, hosted by HackerOne, offers a combination of public recognition and monetary bounties as incentives for researchers to search our products and websites for potential bugs.
Since its initial launch, this bug bounty program has assisted Uber in resolving more than 800 system vulnerabilities. The program's monetary payout stands at approximately $1.3 million in total. For us, this bug bounty program has been incredibly valuable, achieving very significant improvements in our data security posture for a relatively modest expenditure. I believe many other companies and agencies have had a similar experience with bug bounty programs.

Our bounties typically range from a few hundred dollars to several thousand dollars--depending on the impact and severity of the bug. Given the large number of companies with bug bounty programs, monetary payments can help incentivize bug hunters to focus on Uber's bugs. That is, companies compete for the time and attention of these outside researchers, and relatively modest monetary incentives help ensure that researchers focus their attention on our software. Again, I think many companies and agencies have reached this same view.

The vulnerabilities found by our researchers demonstrate the concrete value of bug bounty programs. As we have publicly shared, one researcher discovered a bug in the SSH authentication system used between different internal services. If exploited, the bug could have allowed escalation of internal privileges. This would have allowed people to access systems they did not have privileges to access. Another researcher who participated in our public bug bounty program found a ``remote code execution'' bug on one of our websites. This was an important issue because remote code execution gives attackers the ability to run commands on a target computer. In this case, the researcher demonstrated the ability to execute commands on a system within our data center. Potentially, a malicious attacker could have used this vulnerability to access sensitive user data.
Uber's bug bounty program unquestionably has increased the scale and speed at which we are able to identify and eliminate cybersecurity threats. We are constantly refining our tools to prevent the bugs that are found from being written into our code in the first place. Over the nearly three years we have been running this program, more than 500 researchers have participated. Through our bug bounty program, we can benefit from a vast, diverse, worldwide pool of talent, often beyond our ability to hire.

Of course, operating a bug bounty program is not without its challenges. Security researchers can be an eccentric group, and within this community there are individuals with varying degrees of technical experience and professionalism who engage through bug bounty programs. Researchers sometimes express concern with the amount of the bounty that is paid, believing that their discovery may be worth more than we determine was appropriate, based on our program guidelines. Other times, a researcher may identify a bug that we already know and are working to fix. The researcher sometimes takes issue with not receiving a monetary reward for those already identified bugs. Occasionally, a person may contact the company to report a vulnerability (without exploiting it), completely unaware of our bug bounty program, and make a demand for compensation. We try to work with such persons to submit their report through the bug bounty program in exchange for a fair reward under the program guidelines.

2016 Uber Data Security Incident

The 2016 data security incident unfolded in a way that is entirely different from the typical bug bounty program scenario. On November 14, 2016, Uber's security team received e-mails from an anonymous individual who claimed to have accessed Uber data and demanded a six-figure payment.
Uber investigated and determined that the individual and another person working with him had obtained access to certain archived copies of Uber databases and files located on Uber's private cloud data storage environment on Amazon Web Services (``AWS''). In line with standard protocol, Uber assembled an incident response team. This team included technical experts whom I directed, and we worked quickly to determine the means of access, shut down the compromised credential, and take various steps to secure our systems against a further attack. To the best of Uber's knowledge, the intruders' access began on October 13, 2016, and there was no further access by the intruders after November 15, 2016.

For the Subcommittee's information, I would like to explain in greater detail how Uber responded to this security incident. As with any security incident, the first step was to validate the claims that the intruder had made. Very often these situations are hoaxes. The Uber security team requested data from the intruder, which he provided, and then confirmed that the data were Uber's. With that validation, we initiated an incident response procedure.

Incident response to any data incident is an orchestrated affair. The first steps involve fast, intense work with limited information and a very short time to eliminate the threat. We set up a command center where members of the team could work in parallel and discuss issues in real time. The overall effort was led by our former Chief Security Officer, Joe Sullivan, to whom I reported. I led the technical work to identify how the intrusion occurred and remove the vulnerability. Joe Sullivan and others led what we call ``attribution''--the process of identifying the intruders.

During the technical effort, we immediately began the process of determining where the data at issue resided and how the intruder gained access. Within 24 hours, we determined that the data came from back-up files stored in an AWS S3 bucket.
S3 stands for ``simple storage service.'' The next step of the investigation for my team was to determine how the intruder gained access to the AWS S3 bucket, which requires access credentials. We learned that the intruder found the credential contained within code on a private repository for Uber engineers on GitHub, which is a third party site that allows people to collaborate on code. We immediately took steps to implement multifactor authentication for GitHub and rotated the AWS credential used by the intruder. Despite the complexity of the issue and the limited information with which we started, we were able to lock down the point of entry within 24 hours.

Subsequently, we did a thorough review of our GitHub repositories. My technical team initiated the process of removing additional code from GitHub that could be considered sensitive, and confirming rotation of keys. We ceased using GitHub except for items like open source code. The incident response team also worked to identify the type of data downloaded to assess the risk.

In addition to the technical response, another team worked on attribution. Although I was not directly involved, I understand that the attribution team used various methods, including forensics, to gather further information on the intruders. This was a challenging endeavor because the intruders were extremely adept at covering their tracks. Ultimately, the attribution team ascertained the real identity of both the original individual who contacted the company, and the second person working with him. I understand that the original individual was located in Canada, and that his partner, who actually obtained the data, was in Florida. I further understand that the attribution team made contact with both individuals and received assurances that the data had been destroyed.

As you know, Uber paid the intruders $100,000 through HackerOne and our bug bounty program. Our primary goal in paying the intruders was to protect our consumers' data.
This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.

In 2017, after learning about the incident, new company leadership at Uber asked an independent cybersecurity firm, Mandiant, to conduct a thorough analysis of the data at issue. Mandiant's analysis showed that the data included information pertaining to approximately 57 million users worldwide, including approximately 25 million users in the United States. Of these, approximately 4.1 million users in the United States were drivers. For nearly all users, the downloaded files included names, e-mail addresses and phone numbers. In some cases, the information also included information collected from or created about users by Uber, such as Uber user IDs, certain one-time locational information (e.g., the latitude and longitude corresponding to the location where the user first signed up for the Uber service), user tokens, and passwords encrypted using hashing and salting techniques. Of the driver accounts, approximately 600,000 included driver's license numbers. In their independent analysis, Mandiant found no indication that trip location history, credit card numbers, bank account numbers, Social Security numbers, or dates of birth were compromised.

Lessons Learned and Data Security Enhancements at Uber

While the circumstances surrounding the 2016 security incident remain under investigation by the company and multiple regulators, and I am not privy to the details of those ongoing investigations, there are a number of lessons learned that I would like to highlight today. First, I would like to echo statements made by new leadership, and state publicly that it was wrong not to disclose the breach earlier. The breach should have been disclosed in a timely manner.
The company is taking steps to ensure that an incident like this does not happen again, with personnel changes and additional remedial actions. We are working to make transparency and honesty core values of our company. I would add that this is a change that I personally am gratified to see and wholeheartedly support.

Although we regret that we did not publicly report the incident in 2016, we did at that time take numerous steps internally to improve our security posture in response to the incident. As I noted previously, we immediately instituted multifactor authentication on GitHub. We then subsequently ceased using GitHub except for items like open source code. As to AWS, we were already using multifactor authentication for individual access accounts--which these intruders did not compromise. After the incident we expanded the use of multifactor authentication protocols for AWS service accounts using techniques such as IP restrictions, commonly referred to as ``white listing.'' We have also taken other steps to enhance security for AWS data storage, such as refining Identity & Assessment Management permissions, improving our ability to authenticate someone before granting access to these systems and to confirm whether they are authorized to access them. We also added auto-expiring credentials to protect further against attacks using exposed, lost, or shared credentials. We continue to look to Amazon's evolving best practices and guidance to protect our AWS system.

We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company. The approach that these intruders took was separate and distinct from those of the researchers in the security community for whom bug bounty programs are designed.
While the use of the bug bounty program assisted in the effort to gain attribution and, ultimately, assurances that our users' data were secure, at the end of the day, these intruders were fundamentally different from legitimate bug bounty recipients. Going forward, Uber is revisiting its incident response approach in circumstances such as these. We have hired Matt Olsen, a former general counsel of the National Security Agency and director of the National Counterterrorism Center, to help structure the security team and guide new processes going forward. I have already seen some of these changes take place, such as more stakeholders involved in the decision-making process for how to handle security incidents, and informing law enforcement of potential security incidents right away.

I would like to conclude by stating that we strongly support a unified, national approach to data security and breach standards. We are proactively engaged in the many conversations in both the technical and policy communities to help identify what the critical components of federal data breach legislation should be, and are pleased to see this robust conversation taking place with various Members of Congress and your staff. We welcome the opportunity to be at the table to help all stakeholders understand the best practices.

* * *

Thank you again for the opportunity to appear and testify today. I would be happy to answer your questions.

Senator Moran. Thank you. Mr. Mickos.

STATEMENT OF MARTEN G. MICKOS, CEO, HACKERONE

Mr. Mickos. Chairman Moran, Senator Blumenthal, Ranking Member Nelson, and members of the Subcommittee, thank you for inviting me to testify today. I look forward to providing you with my perspective on data security and bug bounty programs.

Mr. Chairman, a brief note. As I have informed your staff, there are legal proceedings with respect to the Uber incident. We are cooperating fully and eagerly in those proceedings.
As a result of these proceedings, however, I will unfortunately not be able to discuss many aspects of that incident.

I am the Chief Executive Officer of HackerOne, the world's leading provider of hacker-powered security. HackerOne operates bug bounty programs that connect companies and governments with the world's best white hat hackers to find and fix vulnerabilities before malicious actors exploit them.

It all starts with the vulnerability disclosure program, which is essentially a neighborhood watch for software. When an entity decides to offer financial rewards to finders of vulnerabilities, the vulnerability disclosure program becomes a bug bounty program. Such programs are useful for organizations large and small, in the private and in the public sector. Examples include: Adobe Systems, GSA, General Motors, Qualcomm, Starbucks, United Airlines, and many more. Some of them run their own homegrown programs, others will run their program on a platform, such as HackerOne.

The nature of HackerOne's business is preventative. We are not in the incident response business. We are in the data breach prevention business. Through HackerOne's service alone, over 63,000 vulnerabilities have been found and fixed. The average bounty is approximately $500 and the current maximum bounty listed on HackerOne is $250,000. No other method has been shown to produce similar results with such favorable economics.

Organizations signing up with HackerOne typically start with an invitation-only program. Later, the program can be made public, in which case any hacker is allowed to submit reports. It is the customer who decides on the bounties. To receive any form of payment by HackerOne, the hacker must submit identifying information and the appropriate tax forms. HackerOne is committed to compliance with all relevant rules and regulations. Additionally, we have internal guidelines and specific terms and conditions that apply to hackers and to customers, respectively.
The Federal Government is an innovator in this area. The U.S. Department of Defense and HackerOne pioneered the first Federal Government Bug Bounty Program called ``Hack the Pentagon.'' Since the program's inception, more than 3,600 security vulnerabilities have been safely resolved in critical DoD assets.

FTC, NTIA, FDA, NHTSA, and the Department of Justice have declared vulnerability disclosure programs as cyber security best practice. These agencies recognized the critical role that hackers play in securing technology and protecting consumers. For instance, in July 2017, the Department of Justice published a framework for a vulnerability disclosure program for online systems to provide guidance to entities on setting up a program.

Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security, and that in turn requires a safe legal environment encouraging all individuals to come forward with vulnerability information, no matter the circumstances.

I would like to offer three recommendations.

First, I encourage you to support CFAA reform that removes criminal penalties on actions that do no harm, protecting individuals that act in good faith to identify and report potential vulnerabilities.

Second, I encourage you to support a harmonized and unambiguous breach notification law governing all consumer-facing entities. Those who in good faith operate or participate in a vulnerability disclosure policy should not be legally exposed.

Third, Congress should encourage data security best practices that require all companies responsible for safeguarding consumer data to implement a vulnerability disclosure policy.

In summary, Mr. Chairman, we need hackers. Ethical hacking may be the only force that can stop criminal hacking. Hundreds of thousands of security vulnerabilities have already been found and remediated.
Hacker-powered security does not only protect consumers, it also creates opportunity for aspiring hackers across the country. With this, thank you for the opportunity to testify on this important issue, and I look forward to any questions you may have.

[The prepared statement of Mr. Mickos follows:]

Prepared Statement of Marten G. Mickos, Chief Executive Officer, HackerOne

Introduction

Chairman Moran, Ranking Member Blumenthal, and Members of the Subcommittee, thank you for inviting me to testify today. I look forward to providing you with my perspective on Data Security and Bug Bounty Programs.

I am Chief Executive Officer of San Francisco-based HackerOne, the world's leading provider of hacker-powered security. I have spent my entire 30-year career in software, including as Senior Vice President at both Hewlett-Packard and Sun Microsystems, and prior to that as CEO of MySQL. In addition, I served on the Board of Directors of Nokia Corporation.

HackerOne operates bug bounty programs that connect companies and governments with the best white hat hackers in the world to find and fix vulnerabilities before malicious actors exploit them. As of January 2018, over 160,000 white hat hackers have registered with HackerOne to defend customers, among them the United States Department of Defense, removing over 60,000 vulnerabilities and preventing an untold number of breaches in the process.

The Threat of Weak Cybersecurity

Today's cybersecurity practices are severely outdated in contrast to the cyber threats that society faces. When exploited for criminal purposes, even just one single and relatively unremarkable security vulnerability can create havoc, as the Equifax data breach \1\ grossly reminded us of in 2017.
---------------------------------------------------------------------------
    \1\ https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
---------------------------------------------------------------------------

Unfortunately it is only a question of time before cybercrime causes physical damage to structures or, worse, physical harm to humans. Citizens in general and consumers in particular are exposed to risks that they cannot possibly deal with themselves. Privacy is threatened. Consumer protection against faulty and vulnerable software-based products is presently inadequate.

The economic repercussions are enormous, and we are only now starting to see the true costs of lax cyber hygiene. When data breaches occur, corporations lose millions of dollars. These costs are often passed along to consumers who additionally face unquantifiable burdens associated with the breaches, including compromise of privacy.

It is an unfortunate fact that in the digital realm, society is currently failing to provide its citizens with what societies were established for: safety and security.

Hacker-Powered Security Offers a Solution

Whatever protections and defenses we build into our digital assets--and we should build a lot of them--there is one practice that covers every possible cause of cyber breach. There is an ``immune system'' \2\ that will approach the digital assets from the same direction as adversaries and criminals do--from the outside. There is a mechanism that at scale has the opportunity to ultimately detect every hole, every weakness and every security vulnerability in a system or product built by humans.
---------------------------------------------------------------------------
    \2\ https://www.ted.com/talks/keren_elazari_hackers_the_internet_s_immune_system
---------------------------------------------------------------------------

This practice is often called ``Hacker-Powered Security.'' It is a mechanism that turns the asymmetry that favors the attacker into an asymmetry that favors the collaborating defenders. It is a collective effort that relentlessly looks for more vulnerabilities. Its outstanding success metrics are a result of stochastic probability: the more attempts there are at finding vulnerabilities, the higher the likelihood that these will be found. Over time the result improves asymptotically towards 100 percent.

Hacker-powered security is a model that invites external and independent security researchers and ethical hackers--we will here simply call them ``hackers''--to hunt for vulnerabilities in computerized systems. Today there are over one hundred thousand white hat hackers in the world. These are individual experts who have signed up to help corporations and organizations to detect and fix their security weaknesses. These hackers are motivated by the challenge, by the opportunity to do good and by peer recognition. They are rewarded for their finds with bounties. They are bug bounty hunters.

How Hacker-Powered Security Works

Hacker-Powered Security covers any cybersecurity-enhancing services and automations that are partially or wholly produced by independently operating security experts outside the company or organization in question. The most fundamental function of hacker-powered security is a Vulnerability Disclosure Program, also called Responsible Disclosure or Coordinated Vulnerability Disclosure. A vulnerability disclosure program is essentially a neighborhood watch for software.
The motto is ``If you see something, say something.'' Concretely, if and when an ethical hacker finds a security vulnerability in any company or government organization's website or mobile app or other computer system, this person will be invited to disclose the vulnerability found to the system's owner.

Most human beings are ready to help their neighbor, so the impetus for vulnerability disclosure is enormous. Issues of legality and trust, however, make vulnerability disclosure more complicated than a regular neighborhood watch. To solve this issue, leading companies have created their own policy frameworks for the disclosure of vulnerabilities to them, and others turn to companies such as HackerOne to organize and coordinate such programs.

When an entity decides to offer financial rewards to finders of vulnerabilities, the vulnerability disclosure program is called a Bug Bounty Program. Bug bounty programs have existed at least since 1983.\3\ The practice was perfected by Google, Facebook and Microsoft over the past half-dozen years. Around the same time, companies such as HackerOne emerged for the purpose of bringing this powerful method within reach of any organization that owns and operates a digital asset (meaning a computer system, a website, a mobile application, an Internet-of-Things device, or some other digital product).

---------------------------------------------------------------------------
    \3\ Hunter & Ready ran a campaign in 1983 called ``Get a bug if you find a bug'', offering a VW beetle as reward for bugs found in their real-time operating system. Netscape launched a bug bounty program in 1995.
---------------------------------------------------------------------------

Proven Effectiveness

Hacker-powered security programs have demonstrated their effectiveness compared to other methods for vulnerability detection. Hiring full-time employees or external service or product vendors to test for vulnerabilities is more expensive.
Through HackerOne's service alone, over 63,000 security vulnerabilities have been found and fixed. The current maximum bounty listed on HackerOne is $250,000. No other method for validating software or manufactured products that are in use by consumers has been shown to produce similar results at such a favorable economic unit price.

Hacker-powered security is a model that scales. Today there are over 160,000 registered ethical hackers, and over the coming years this number is likely to grow to over a million. This army of hackers will be able to take on the work of the entire digital realm of our society.

Thanks to the diversity and scale of the hacker community, hacker-powered security finds vulnerabilities that automated scanners or permanent penetration testing teams do not find. Existing models are good at finding predictable security vulnerabilities, but even more important is to find the unpredictable ones--the unknown unknowns. Given a large enough hacker community and enough time, such vulnerabilities will be identified.

Vast and Diverse Clientele

Hacker-powered security emanated over the past decade as a best practice among Silicon Valley tech companies. Today, the model has matured and become applicable to all types of businesses. Any company, corporation, association or public sector agency that develops and deploys software (in whatever form, such as embedded in hardware) can benefit from hacker-powered security.

The vendors providing hacker-powered services have established communities of ethical hackers for whom they keep track of skill profiles and performance metrics. Bug bounty programs may be self-managed by the customer, or fully managed by the vendor. In the latter scenario, customers save both time and money while being presented with valid security vulnerabilities on a continuous basis. In either scenario, it is up to the customer to remediate the vulnerability once found.
Entities that operate such vulnerability disclosure and/or bug bounty programs include: Adobe, AT&T, CERT Coordination Center, U.S. Department of Defense, Dropbox, Facebook, Fiat Chrysler, U.S. General Service Administration, General Motors, GitHub, Google, LendingClub, Microsoft, Nintendo, Panasonic Avionics, Qualcomm, Snapchat, Starbucks, Spotify, Twitter, and United Airlines.

Hacker-powered security is useful and accessible for organizations both large and small, technology-focused or not, in the private or public sector. The model is suitable for all entities that develop and deploy software.

Who are the Hackers?

The original experts at the Massachusetts Institute of Technology (MIT) defined themselves as ``one who enjoys the intellectual challenge of creatively overcoming limitations.'' Security experts may be described using a variety of titles including ``ethical hacker'', ``white hat'', ``security researcher'', ``bug hunter'', and ``finder.'' One title is conspicuously absent: Criminal.

Hackers are not criminals. Specifically, bug bounty platforms offer no benefit to someone with criminal intent. On the contrary, HackerOne will record data about every hacker on the platform and only reward actions that follow the rules. For these reasons, criminals go elsewhere.

Hackers are driven by a variety of motivations, many of which are altruistic. The security advocacy organization I Am The Cavalry summarizes these motivations \4\ as: Protect (make the world a safer place), Puzzle (tinker out of curiosity), Prestige (seek pride and notability), Profit (to earn money), and Protest/Patriotism (ideological and principled).
---------------------------------------------------------------------------
\4\ https://www.iamthecavalry.org/motivations
---------------------------------------------------------------------------

The HackerOne 2018 Hacker Report \5\--a survey of over 1,000 hackers--revealed that profit was only the fourth most common motivation for why hackers do their work. Before that came the desire to learn, be challenged, and have fun. To protect and defend is also a central motivation for hackers. A 2016 study by the National Telecommunications and Information Administration (NTIA) within the Department of Commerce found that only 15 percent of security researchers expect financial compensation in response to a vulnerability disclosure.\6\

---------------------------------------------------------------------------
\5\ https://www.hackerone.com/sites/default/files/2018-01/2018_Hacker_Report.pdf
\6\ https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.p
---------------------------------------------------------------------------

Hacker-powered security does not only improve security. The model democratizes opportunity and offers meaningful work to anyone with the inclination and drive to be a useful ethical hacker. Many hackers are young adults. They can do their work from anywhere. The money hackers make is used to support their families, pay for education, and catapult them into successful professional careers. Hacking brings meaning and mandate to enterprising people irrespective of their location. Hacking brings positive societal impact across the Nation.

Case Studies

The U.S. Department of Defense (DoD) and HackerOne pioneered the first Federal government bug bounty program. Since the program's inception, more than 3,600 security vulnerabilities have been safely resolved in DoD critical assets with hacker-powered security.
While the majority of the vulnerabilities reported through the DoD vulnerability disclosure policy were without financial compensation, hackers have been awarded hundreds of thousands of dollars in bug bounty payments by DoD.

``Hack the Pentagon'' was initially launched as a pilot program under the leadership of Secretary of Defense Ash Carter. This pilot ran from April 18 to May 12, 2016. During that short time more than 250 vetted ethical hacker participants submitted vulnerability reports. A total of 138 valid vulnerabilities were found and remediated.

``We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks,'' said Secretary Carter of Hack the Pentagon.\7\ ``What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference--hackers who want to help keep our people and nation safer.''

---------------------------------------------------------------------------
\7\ https://www.defense.gov/News/News-Releases/News-Release-View/Article/802929/defense-secretary-ash-carter-releases-hack-the-pentagon-results/
---------------------------------------------------------------------------

``It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,'' \8\ Carter said of the $150,000 pilot program.

---------------------------------------------------------------------------
\8\ https://www.defense.gov/News/Article/Article/802828/carter-announces-hack-the-pentagon-program-results/
---------------------------------------------------------------------------

The Pentagon announced it would continue the Hack the Pentagon program and bring this successful model to other agencies.

Hack the Army

The ``Hack the Army'' Bug Bounty program \9\ ran from November to December 2016 with 371 registered, vetted and eligible participants.
Of those who participated, 25 were government employees including 17 military personnel. Of the 416 vulnerability reports submitted by hackers, 118 were unique, valid and actionable. The first one was filed within 5 minutes of the launch of the program.

---------------------------------------------------------------------------
\9\ https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In
---------------------------------------------------------------------------

While bug bounties are a way for the DoD to tap into private sector talent, sometimes the cybersecurity talent is already within their ranks. One of the researchers that successfully hacked the U.S. Army was an Army Captain presently in school at the Army's Cyber Center of Excellence at Fort Gordon, Georgia. In addition to having a full-time job and family, this officer registered for Hack the Army to get real, operational hands-on training in addition to his extensive schooling.

Hack the Air Force

It took just under one minute for hackers to report the first security vulnerability to the U.S. Air Force. Within the first 24 hours, 70 reports were submitted, 23 of which were valid. During the ``Hack the Air Force'' bug bounty challenge, 207 valid vulnerabilities were discovered. Nearly 300 vetted individuals had registered to participate in the Hack the Air Force bug bounty challenge and more than 50 earned bounties.

``Adversaries are constantly attempting to attack our websites, so we welcome a second opinion--and in this case, hundreds of second opinions--on the health and security of our online infrastructure,'' \10\ said Peter Kim, the Air Force Chief Information Security Officer.
``By engaging a global army of security researchers, we're better able to assess our vulnerabilities and protect the Air Force's efforts in the skies, on the ground and online.''

---------------------------------------------------------------------------
\10\ http://www.af.mil/News/Article-Display/Article/1274518/hack-the-air-force-results-released/
---------------------------------------------------------------------------

Two of the Hack the Air Force participants were military personnel opting to help as an act of patriotism despite being ineligible for bounties, and 33 participants came from outside the U.S. Some of the top participating hackers were under 20 years old, including a 17-year-old from Chicago who earned the largest bounty sum for 30 separate discoveries.

The Hack the Air Force bug bounty challenge was so successful that the Air Force ran a second bug bounty challenge--Hack the Air Force 2.0--in December 2017.

Consistency with Existing Laws & Best Practices

Federal regulatory agencies responsible for consumer safety have acknowledged and adopted vulnerability disclosure programs as a cybersecurity best practice. These agencies recognize the critical role that hackers play in securing technology and protecting consumers.

In June 2015, the Federal Trade Commission (FTC) published security guidance for businesses summarizing security best practices from the agency's 50+ data security settlements.\11\ One common cause for complaint against an organization's security practices was the lack of a vulnerability disclosure process. For example: ``FTC charged that the company didn't have a process for receiving and addressing reports about security vulnerabilities.
HTC's alleged delay in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions.''

---------------------------------------------------------------------------
\11\ https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business#current
---------------------------------------------------------------------------

In later comments made by the FTC to the NTIA Safety Working Group,\12\ the commission reaffirmed the importance of this practice: ``[FTC] staff highlighted the important role that vulnerability reports play in ensuring product security, and recommended that businesses implement reasonable vulnerability disclosure processes to facilitate communication with the research community.''

---------------------------------------------------------------------------
\12\ https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-national-telecommunications-information-administration-regarding-safety-working/170215ntiacomment.pdf
---------------------------------------------------------------------------

In October 2016, the National Highway Traffic Safety Administration (NHTSA) published Cybersecurity Best Practices for Modern Vehicles.\13\ It states: ``Automotive industry members should consider creating their own vulnerability reporting/disclosure policies, or adopting policies used in other sectors or in technical standards. Such policies would provide any external cybersecurity researcher with guidance on how to disclose vulnerabilities to organizations that manufacture and design vehicle systems.'' Major automakers, including General Motors \14\ and Tesla,\15\ have adopted policies for encouraging hackers to identify and disclose vulnerabilities in their connected automobiles.
---------------------------------------------------------------------------
\13\ https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf
\14\ https://hackerone.com/gm
\15\ https://www.tesla.com/about/security
---------------------------------------------------------------------------

In December 2016, the Food and Drug Administration published Postmarket Management of Cybersecurity in Medical Devices,\16\ noting that ``. . .cybersecurity information may originate from an array of sources including independent security researchers. . .'' and described ``Adopting a coordinated vulnerability disclosure policy and practice'' as a critical component of any medical device manufacturer cybersecurity program.

---------------------------------------------------------------------------
\16\ https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
---------------------------------------------------------------------------

In July 2017, the Department of Justice (DoJ) Criminal Division's Cybersecurity Unit published ``A Framework for a Vulnerability Disclosure Program''.\17\ The DoJ observes ``[organizations are] adopting vulnerability disclosure programs to improve their ability to detect security issues on their networks that could lead to the compromise of sensitive data'' and goes on to provide guidance for operating these programs in a manner consistent with existing cybercrime laws.

---------------------------------------------------------------------------
\17\ https://www.justice.gov/criminal-ccips/page/file/983996/download
---------------------------------------------------------------------------

In October 2017, deputy attorney general Rod Rosenstein made this public statement:\18\ ``All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities. The U.S.
Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises.''

---------------------------------------------------------------------------
\18\ https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-global-cyber-security-summit
---------------------------------------------------------------------------

These Federal agencies have recognized the critical role that ethical hackers play in enabling public and private sector organizations to provide secure services that are resilient to cybersecurity vulnerabilities.

Conclusion and recommendation

We need hackers. Our goal must be an Internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security. Hackers are truly the immune system of the internet. They are a positive power in society. We must enable and encourage them to make their best security contributions. This requires a safe legal environment encouraging all individuals to come forward with vulnerability information, no matter the circumstances.

I provide you with the following recommendations:

First, the Computer Fraud and Abuse Act (CFAA), enacted in 1984, contains vague wording that has not kept pace with the proliferation of the internet. The act is in need of modernization. I encourage the members of the committee to support CFAA reform \19\ to remove imposed criminal penalties on actions that do no harm to consumers. Individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed.
---------------------------------------------------------------------------
\19\ https://www.eff.org/document/letter-def-con-cfaa-reform
---------------------------------------------------------------------------

Second, the patchwork of breach notification laws enacted primarily at the state level may create uncertainty and perverse incentives for those who safeguard consumer data. I encourage this subcommittee to support a harmonized and unambiguous breach notification law governing all U.S. companies and consumers. It is important that such a law provide clarity on the definition of a data breach to ensure that those who operate or participate in a good faith vulnerability disclosure policy are not legally exposed.

Third, I repeat the words of numerous experts that a ubiquitous ``See something, Say something'' practice for vulnerabilities is a vital and critical step towards improving cybersecurity for consumers. The absence of a formal channel to receive vulnerability reports reduces a vendor's security posture and introduces unnecessary risk. Corporations should welcome input from external parties regarding potential security vulnerabilities and Congress should encourage that behavior.

As Jeff Massimilla, Vice President for Vehicle Safety and Product Cybersecurity at General Motors, stated: ``To improve the security of their connected systems, every corporation should have a vulnerability disclosure policy that allows them to receive security submissions from the outside world.'' \20\

---------------------------------------------------------------------------
\20\ https://www.cnet.com/roadshow/news/general-motors-cybersecurity/
---------------------------------------------------------------------------

Hacker-powered security has matured as a model to be ready to help society solve one of its most pressing problems: cyber threats. Pioneering entities have perfected the practice of hacker-powered security.
Hundreds of thousands of security vulnerabilities have already been found and remediated. The vast community of hackers stands ready. The hackers are not asking what society can do for them. They are asking what they can do for society. Ethical hacking may be the only force that can stop criminal hacking. The asymmetry of digital threats can be turned around with pooled defense. Together we hit harder against cybercrime.

Thank you for the opportunity to testify on this important issue.

Senator Moran. Thank you for joining us. Ms. Moussouris.

STATEMENT OF KATIE MOUSSOURIS, FOUNDER AND CEO, LUTA SECURITY

Ms. Moussouris. Chairman Moran, Ranking Member Blumenthal, and distinguished members of the Committee, thank you for the opportunity to testify at this hearing on behalf of Luta Security and the security research community. We commend the Committee for holding this open hearing to help understand, clarify, and differentiate between defensive security research and vulnerability disclosure activities which may or may not include bug bounties versus internet-enabled crimes which may include extortion for unauthorized access to consumer data.

I'm the Founder and CEO of Luta Security, working with governments and complex organizations on multi-party supply chain vulnerability coordination to create mature, robust, and sustainable vulnerability coordination and disclosure programs. We base these programs on the Industry International Standards, ISO 29147, Vulnerability Disclosure, and ISO 30111, Vulnerability Handling Processes, and our own Vulnerability Coordination Maturity Model.
I am the co-author and co-editor of these international standards, was Co-chair of the NTIA's Multi-stakeholder Vulnerability Disclosure Working Group Subcommittee of Multiparty Vulnerability Coordination, and I have over 20 years of professional, technical, and strategic work in technology and information security as a former penetration tester or ethical hacker for hire at the company called @stake to creating Microsoft vulnerability research, the first Microsoft bug bounties, and advising the U.S. Department of Defense for several years resulting in the launch of the ``Hack the Pentagon'' Program.

But today, I'm here as a witness to talk about the defense market for bugs, the role of bug bounties and other security research, and the role of the defensive ecosystem to shape these new markets.

When I was a teenager learning to hack in the late 1980s, there was no broadly recognized and accessible defense market for hacking skills. There were no online banks or e-commerce sites to hire us to test their internet-facing systems for holes, and there certainly weren't any bug bounty programs. Even the U.S. Government had only a few years earlier become aware of threats to national security across the burgeoning early internet through Hollywood films, such as War Games.

Only in the past five to eight years have we seen any major acceptance by governments and companies working cooperatively and openly with hackers. However, there is still a great fear among many organizations that opening a front door for hackers to report security holes will cause damage from disruption of operations, intellectual property theft, fraud, reputational damage, and, of course, data breaches. In 2015, 94 percent of the Forbes Global 2000 had no published way to report a security hole to them. If you saw something, it was very difficult and risky to say something.
So while the Computer Fraud and Abuse Act hasn't materially changed over the past 34 years to grant security researchers safe harbor, in July 2017, the Department of Justice issued ``Framework for Vulnerability Disclosure Program for Online Systems'' and this guide is meant as a way to help organizations think through important scoping issues around protected classes of data and systems when creating vulnerability disclosure programs with or without cash incentives.

The main premises are: decide whether sensitive systems and data are in scope for discovery; encourage the use of test accounts whenever possible to avoid the unnecessary compromise of other users' privacy and data without their permission; make it clear that only the minimum necessary proof is required to prove that a vulnerability exists and no further access or exploitation past that point is authorized. Further, define how any deliberately or accidentally, because ``hackidents'' happen, accidentally accessed private data should be stored and transmitted and specify the manner in which the proof of the hack is conveyed, perhaps using a screen capture so as to not further transmit unauthorized accessed data.

So this is to protect both the well-intentioned researchers from ambiguity and accidental overstepping as well as to protect consumers whose data may be subject to access.

And, finally, as a creator and advisor to some of the major new bug bounty programs in the past several years, I want to point out that the ecosystem for reward bug hunting is skewing the markets toward more bug hunters but not necessarily more bug fixers. This imbalance that's being created in these markets may very well shift the ecosystem toward rewarding more data theft than bug hunting. Already we are facing a global shortage of talent in cyber security and an overall workforce creation is necessary in defense.
We have got over 350,000 unfilled cyber security positions in the United States that are open and, according to a 2016 study, none of the top 10 U.S. computer science programs required a cyber security course for graduation and three of the top 10 universities don't even offer an elective course in cyber security.

The defense market for bugs that we are creating needs to be focused. Markets are not inevitable. They are actively created.

If I were to recommend three practices, it would be funding for increased education in security to be set for all grades, setting forth requirements that all college majors in computer science understand secure coding and organizational cyber risk management, and a reflection on fewer ``hack the X'' bills being introduced without proper assessment of sustainable defensive capabilities in each government agency considering a bug bounty.

Thank you for the opportunity of testifying. I welcome your questions and comments.

[The prepared statement of Ms. Moussouris follows:]

Statement of Katie Moussouris for the hearing entitled, ``Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers'' for the Senate Committee on Commerce, Science, and Transportation's Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security \1\ on Tuesday, February 6, 2018

---------------------------------------------------------------------------
\1\ https://www.commerce.senate.gov/public/index.cfm/2018/2/data-security-and-bug-bounty-programs-lessons-learned-from-the-uber-breach-and-security-researchers
---------------------------------------------------------------------------

Chairman Moran, Ranking Member Blumenthal, and distinguished members of the Committee, thank you for the opportunity to testify at this hearing on behalf of Luta Security and the security research community.
We commend the Committee for holding this open hearing to help understand, clarify, and differentiate between defensive security research and vulnerability disclosure activities, which may or may not include bug bounties, versus Internet-enabled crimes, which may include extortion for unauthorized access to consumer data.

I am the founder and CEO of Luta Security, working with governments and complex organizations on multi-party supply chain vulnerability coordination to create mature, robust, sustainable vulnerability coordination and disclosure programs. We base these programs on the industry international standards ISO/IEC 29147 Vulnerability disclosure,\2\ ISO/IEC 30111 Vulnerability handling processes,\3\ and our Vulnerability Coordination Maturity Model.

---------------------------------------------------------------------------
\2\ http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147
\3\ https://www.iso.org/standard/53231.html
---------------------------------------------------------------------------

I am the co-author & co-editor of these international standards, was co-chair of the NTIA's multi-stakeholder vulnerability disclosure working group subcommittee of multi-party vulnerability coordination,\4\ with over 20 years of professional technical and strategic work in technology and information security, as a former penetration tester at @stake,\5\ to creating Microsoft Vulnerability Research, the first Microsoft bug bounties, and advising the U.S. Department of Defense for years, resulting in the launch of the Hack-the-Pentagon program. I am also one of two private industry official delegates of the U.S.
technical experts working group to renegotiate the Wassenaar Arrangement,\6\ successfully helping clarify exemptions for vulnerability disclosure and incident response in export controls.\7\ I served as an expert witness for European Parliament's consideration of dual-use export control reform in the context of vulnerability disclosure and bug bounty programs.\8\

---------------------------------------------------------------------------
\4\ https://www.first.org/global/sigs/vulnerability-coordination/multiparty/FIRST-Multiparty-Vulnerability-Coordination-draft.pdf
\5\ https://en.wikipedia.org/wiki/@stake
\6\ https://langevin.house.gov/press-release/langevin-statement-wassenaar-arrangement-plenary-session
\7\ http://thehill.com/opinion/cybersecurity/365352-serious-progress-made-on-the-wassenaar-arrangement-for-global
\8\ https://www.youtube.com/watch?v=kDJxAm-AVNA&feature=youtu.be
---------------------------------------------------------------------------

Today, I'm here as a witness to talk about the defense market for bugs, the role of bug bounties and other security research, and the role of the defensive ecosystem to shape these new markets.

When I was a teen learning to hack in the late '80s, there was no broadly-recognized and accessible defensive market for hacking skills, no online banks or e-commerce sites to hire us to test their Internet-facing systems for holes, no bug bounty programs, and even the United States government had only a few years earlier become aware of threats to national security across the burgeoning early Internet--through Hollywood films such as War Games. This awareness of the power of hackers had prompted not job offers or viable legal career paths, but legislation that made hacking a criminal offense.\9\ This law not only gave prosecutors the necessary legal tools to go after nation state actors and criminals, but to this day has caused a chilling effect on security research for defensive purposes.
This chilling effect on researchers has also been reflected in the reluctance of governments and organizations to engage with hackers, further complicated by recent data breaches under the mis-applied term ``bug bounty''.

---------------------------------------------------------------------------
\9\ https://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html
---------------------------------------------------------------------------

Only in the past 5 to 8 years have we seen any major acceptance by governments and companies working cooperatively and openly with hackers. However, there is still a great fear among many organizations that opening a front door for hackers to report security holes will cause damage from disruption of operations, intellectual property theft, fraud, reputational damage, and data breaches. In 2015, 94 percent of the Forbes Global 2000 had no published way to report a security hole to them. If you saw something, it was difficult to say something. It was even a risk to your freedom, if the organization chose to pursue legal action against you under the Computer Fraud and Abuse Act (CFAA).

While the CFAA hasn't materially changed over the past 34 years to grant security researchers safe harbor for helping to point out security bugs, in July of 2017, the Department of Justice issued ``A Framework for a Vulnerability Disclosure Program for Online Systems.'' \10\ This guide is meant as a way to help organizations think through important scoping issues around protected classes of data and systems when creating vulnerability disclosure programs, with or without cash incentives or bug bounties.
---------------------------------------------------------------------------
\10\ https://www.justice.gov/criminal-ccips/page/file/983996/download
---------------------------------------------------------------------------

The main premises to help create robust vulnerability disclosure or bug bounty programs are straightforward in the DoJ framework, with a summary of the key aspects as follows:

1. Decide whether sensitive systems and data are in scope for discovery and reporting by external helpful hackers.

2. Encourage the use of test accounts whenever possible to avoid the unnecessary compromise of other users' privacy and data without their permission.

3. Make it clear that only the minimum necessary proof is required to prove that a vulnerability exists, and that no further access or exploitation past that point is authorized.

4. Further define how any deliberately or accidentally accessed private data should be stored and transmitted.

5. Specify the manner in which proof of the hack is conveyed, perhaps using a screen capture to avoid further transmitting the protected data.

6. Decide whether to include the requirement to destroy any copies of data once the report is delivered.

To protect both well-intentioned researchers from ambiguity and accidental overstepping the intended scope, as well as to protect consumers whose data may be subject to access, transmission, and storage without their consent, it is important to define these parameters as clearly as possible. This applies in vulnerability disclosure programs as well as bug bounties.

Finally, as a creator and advisor of some of the major new bug bounty programs in the past several years, I want to point out that the ecosystem for rewarding bug hunting is skewing the markets toward more bug hunters, but not necessarily more bug fixers. This imbalance that is being created in these markets may very well shift the ecosystem towards rewarding more data theft than bug hunting.
There is a difference between paying $10,000 for a bug and paying $100,000 for a breach. If the legal market for bugs becomes muddied with extortion payments that are exponentially higher, we will be building the wrong kind of market, and consumers will be the victims instead of the beneficiaries of enhanced work with hackers.

Already, we are facing a global shortage of talent in cyber security, and while more legal ways to report bugs is good, the creation of an overall defense workforce is necessary, in the United States and worldwide.

``In 2017, the U.S. employs nearly 780,000 people in cybersecurity positions, with approximately 350,000 current cybersecurity openings. . .''

``With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys. One way to close the gap is through automation, but we also need to train developers, at the very earliest stage of their education, to bake security into all new code. It's not good enough to tack cybersecurity on as an afterthought anymore. This is especially true as more smart devices become Internet accessible and therefore potential avenues for threats.''

According to a 2016 study, ``none of the top 10 U.S. computer science programs required a cybersecurity course for graduation, and 3 of the top 10 university programs don't even offer an elective course in cybersecurity.'' \11\

---------------------------------------------------------------------------
\11\ https://www.cloudpassage.com/company/press-releases/cloudpassage-study-finds-u-s-universities-failing-cybersecurity-education/
---------------------------------------------------------------------------

Much like in Star Wars, The Force for finding vulnerabilities has a dark side as well as a light side, but they are two sides of the same coin, representing indistinguishable skill sets.
We are creating more of an imbalance in The Force, weighted against defenders.

As a visiting scholar with MIT Sloan School helping to study the vulnerability economy and exploit markets, I helped clarify the differences in the offense and defense markets for bugs. The offense market is characterized by nation states and criminals buying bugs and exploits at high prices to keep them from being fixed as long as possible to prolong their use in attacks. The defense market is typically paying lower amounts than the offense market, but doesn't traditionally require the bug hunter to stay silent about their find, once it is fixed, providing the finder with recognition and further opportunities for their career in other ways.

The defense market for bugs cannot compete directly with the offense market on price. Very quickly, we would run out of willing software developers and testers, and the markets are already taking that direction in the way that bug bounties are being used today. Bug bounty hunters worldwide are on average able to make more than being a software developer in many countries. Perverse incentives include overpaying for bugs on the defense market, as well as the rewarding of data theft with much higher prices than an honest bug hunter would get for adhering to the rules.

The entire defensive bug hunting ecosystem has a responsibility to help uphold the law and guide the creation of programs that will not breach ethical or legal standards. We have a responsibility to the current and next generation of hackers to demonstrate best practices in bug bounties as well as the broader vulnerability disclosure picture.

``Focusing on the labor market opens new productive avenues for conversation and future research: It suggests linkages between research on vulnerability markets and a larger body of work rooted in the tradition of economic sociology.
These efforts consider markets not only--or, at times, not even primarily--as engines of efficient resource allocation, but move to address pressing descriptive questions related to the contingent and historical specificity of the construction of markets. Markets are not inevitable. They are always actively created.'' \12\

---------------------------------------------------------------------------
\12\ Ryan Ellis, Keman Huang, Michael Siegel, Katie Moussouris, and James Houghton. ``Fixing a Hole: The Labor Market for Bugs.'' New Solutions for Cybersecurity. Howard Shrobe, David L. Shrier, and Alex Pentland, eds. Cambridge: MIT Press. In Press. ISBN: 9780262535373 https://mitpress.mit.edu/books/new-solutions-cybersecurity
---------------------------------------------------------------------------

If Congress were to act to help clarify the role of defensive security research, and encourage the growth of the defense market for bugs, as well as the United States labor workforce in cybersecurity defender roles, I would ask that:

1. Funding for increased education in security be set for all grades (K-12), to begin finding early security talent and recruiting for defense;

2. Requirements be set forth that all college majors in computer science understand secure coding and organizational cyber risk management;

3. Fewer ``Hack the x'' bills be introduced without proper assessment of sustainable defensive capabilities in each government agency considering launching a bug bounty.

Again, I'd like to thank you for the opportunity of testifying today. I welcome your questions and comments.

Senator Moran. Thank you for your testimony. Mr. Brookman.

STATEMENT OF JUSTIN BROOKMAN, DIRECTOR, PRIVACY AND TECHNOLOGY POLICY, CONSUMERS UNION

Mr. Brookman. Chairman Moran, Members of the Subcommittee, thank you very much for the opportunity to testify here today. I am here today on behalf of Consumers Union, the advocacy division of Consumer Reports.
We are the world's largest independent testing organization and we use our ratings, content, and advocacy to create a fair, safer, and healthier world.

Let me start out by saying that Consumers Union is a strong proponent of bug bounty programs. We believe they play a crucial role in a data security ecosystem that has failed consumers far too often. The 2016 Uber incident, however, highlights that the practices are still developing in this area and we don't always have clear expectations about how these programs should work.

While bug bounty programs are one useful tool in maintaining reasonable security, they are not a magic bullet. Ultimately, in order to fix the poor state of modern security, incentives need to change and that is why we urge Congress to update consumer protection laws to establish reasonable data security requirements and to hold companies accountable for bad practices, and this premise that poor data security practices are widespread is, I hope, not controversial.

We've seen a never-ending torrent of major data breaches punctuated by the exposure of 145 million social security numbers in last year's Equifax breach. We are connecting more and more smart devices to the internet but they're not always developed with security in mind. Many never get security updates or even have the ability to get updated.

Bug bounty programs represent an innovative approach to data security by leveraging a diverse third-party ecosystem to identify vulnerabilities before they can be taken advantage of by malicious actors.

Last year, Consumer Reports released a document that we called The Digital Standard. It's an open-sourced collaboration designed to articulate best practices in privacy and security and related values, such as repairability and interoperability, and in this document, we specifically identify having a bug bounty program as an indicator of good security practices at the company.
Moreover, we identified a commitment not to pursue legal action against security researchers as another indicator of good security practices, the rationale being that this provides a strong disincentive certainly for outsiders to try to improve any particular company's practices but also to security research more generally.

The 2016 Uber incident raises challenging questions about how best to manage bug bounty programs. While I think Uber had a duty to notify that its drivers' license numbers had been compromised, the case highlights the potential tension between breach notification laws and bug bounty programs and raises other questions. When should discovery of a vulnerability by a third party trigger breach notification to consumers? How can researchers test for bugs without ever touching consumer data? When, if ever, should bounties be negotiable? And we certainly have concerns about the use of non-disclosure agreements to prohibit discussion of a vulnerability, even after it had been remediated. These are just some of the important questions raised by the case and I applaud the Committee for holding this hearing to explore these and other issues.

Bug bounty programs should and will continue to play an important role in improving data security but they're just one piece. Fundamentally, companies need to have a legal responsibility to use reasonable security to protect personal information and that is why Congress needs to act to update legal protections for consumers to reflect the extremely real threat posed by poor data security.

There are a few things I think Congress can do. One, empower the Federal Trade Commission. The FTC has a long bipartisan history of responding to a constantly changing array of threats on behalf of the American people, but they're understaffed and they typically can't get penalties from wrongdoers when they break the law. That should change.

Second, Congress should pass legislation requiring companies to use reasonable data security.
The FTC has interpreted its Section 5 authority to require reasonable security but they have been challenged in court and it's difficult, if not impossible, to attribute instances of harm to individual data breaches. We should have rules requiring reasonable security.

And, last, don't block the states from protecting their own citizens. Some level of preemption may be appropriate in a bill but states have to be allowed to pass protections for what a Federal bill doesn't cover. The states have been leaders on data security, passing the first breach notification laws, starting in 2002, and they have kept updating those laws over time so they don't just cover financial information, they cover other sensitive categories, like health data and e-mail and photo storage accounts. States need to be empowered to step in and protect their citizens when Federal protections are missing.

Thank you very much for inviting me to discuss these important issues. I look forward to answering any questions I can.

[The prepared statement of Mr. Brookman follows:]

Prepared Statement of Justin Brookman, Director, Privacy and Technology Policy, Consumers Union

On behalf of Consumers Union, I want to thank you for the opportunity to testify today. We appreciate the leadership of Chairman Moran and Ranking Member Blumenthal in holding today's hearing to explore the still-developing field of bug bounty programs, and how they can best be implemented to promote data security for American consumers.
I appear here today on behalf of Consumers Union, the advocacy division of Consumer Reports, an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world.\1\

---------------------------------------------------------------------------
\1\ As the world's largest independent product-testing organization, Consumer Reports uses its more than 50 labs, auto test center, and survey research center to rate thousands of products and services annually. Founded in 1936, Consumer Reports has over 7 million subscribers to its magazine, website, and other publications.
---------------------------------------------------------------------------

Consumers Union is a strong proponent of bug bounty programs, and believes that they play a crucial role in a data security ecosystem that has failed consumers far too often. Used properly, bug bounty programs enable companies to learn of breaches and vulnerabilities, in service to the larger goals of protecting consumer data and alerting consumers to threats as warranted and/or required by law. In the case of the 2016 Uber security incident, we believe the company should have disclosed the event earlier, not only because a hacker had accessed sensitive data, but because it appears credentials to that data had been publicly accessible for some time. This incident illustrates the continuing need for Congress to pass legislation providing stronger incentives for companies to deploy reasonable safeguards for personal data.

I. The Poor State of Modern Data Security and the Importance of Bug Bounty Programs

As this Committee well knows, the story of data security in recent years is not a pretty one. Massive data breaches have become commonplace, as companies accumulate vast troves of valuable consumer data but frequently fail to put adequate systems in place to protect it.
The Target data breach of 2013 compromised the information of an estimated 110 million people, including the payment card information of about 40 million consumers.\2\ Hackers obtained the data of about 80 million people in the Anthem data breach of 2015.\3\ And last year, criminals took advantage of well-known vulnerabilities in software used by Equifax to access the Social Security numbers of over 145 million people.\4\ Targeted companies often have the opportunity to head off a breach but neglect to take action. For example, the software vulnerabilities that made Equifax a ripe target for attackers had been public for months, but Equifax failed to address them before the breach.\5\

---------------------------------------------------------------------------
\2\ Rachel Abrams, Target to Pay $18.5 Million to 47 States in Security Breach Settlement, N.Y. Times, (May 23, 2017), https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html.
\3\ Brendan Pierson, Anthem to Pay Record $115 Million to Settle U.S. Lawsuits over Data Breach, Reuters (Jun. 23, 2017), https://www.reuters.com/article/us-anthem-cyber-settlement/anthem-to-pay-record-115-million-to-settle-u-s-lawsuits-over-data-breach-idUSKBN19E2ML.
\4\ Equifax Announces Cybersecurity Firm Has Concluded Forensic Investigation of Cybersecurity Incident, Equifax.com (Oct. 2, 2017), https://www.equifaxsecurity2017.com/2017/10/02/equifax-announces-cybersecurity-firm-concluded-forensic-investigation-cybersecurity-incident/.
\5\ Lily Hay Newman, Equifax Officially Has No Excuse, Wired (Sep. 14, 2017), https://www.wired.com/story/equifax-breach-no-excuse/.
---------------------------------------------------------------------------

Bug bounty programs represent a novel and innovative approach to identifying vulnerabilities before they can be taken advantage of by malicious actors. These programs incentivize a diverse third-party ecosystem to probe systems for potential failures.
They also provide an alternative to sale of exploits on the black market where they can fetch several hundred thousand dollars--or more.\6\ By offering to pay for information directly, companies can offer white- and grey-hat hackers a legal way to monetize their skills, with a far better outcome for companies and consumers. The rapid rise of these programs is evidence of their success. In 2016, Google paid out over $3 million under its bug bounty program for vulnerabilities in products such as Android and Chrome.\7\ Last year it partnered with HackerOne to expand the program to cover popular third-party apps in its Google Play Store.\8\

---------------------------------------------------------------------------
\6\ Kif Leswig, Here's what Apple thinks about the black market for $1 million iPhone hacks, Business Insider, (Jul. 4, 2016), http://www.businessinsider.com/apple-addresses-black-market-for-software-vulnerabilities-2016-6
\7\ Taylor Hatmaker, Google's bug bounty program pays out $3 million, mostly for Android and Chrome exploits, Techcrunch, (Jan. 31, 2017), https://techcrunch.com/2017/01/31/googles-bug-bounty-2016/.
\8\ Liam Tung, Android Security: Google will pay $1000 for holes in these top apps, ZDnet, (Oct. 20, 2017), http://www.zdnet.com/article/android-security-google-will-pay-1000-for-holes-in-these-top-apps/.
---------------------------------------------------------------------------

Consumers Union strongly supports the development of bug bounty programs, not just by large tech companies, but for any company that stores sensitive consumer data that could lead to identity theft, harm, or embarrassment if exposed.
In fact, bug bounty programs are identified as an indicator of good data security in the Digital Standard--an open source effort led by Consumer Reports to articulate best practices for privacy, security, ownership, and governance in an increasingly connected world.\9\ We launched the Digital Standard with our partners Ranking Digital Rights, Disconnect, and the Cyber Independent Testing Lab in March of last year as part of a strategic shift to start evaluating products for these values as part of our core reviews and ratings service.\10\ In addition to highlighting the value of bug bounty programs, the Digital Standard defines as best practices ``disclos[ing] the time-frame in which it will review reports of vulnerabilities'' and--notable for this hearing--``commit[ting] not to pursue legal action against security researchers.'' \11\

---------------------------------------------------------------------------
\9\ The Digital Standard, https://www.thedigitalstandard.org/.
\10\ Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security, Consumer Reports, (Mar. 6, 2017), https://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/
\11\ The Digital Standard, Data Security, Vulnerability disclosure program, https://www.thedigitalstandard.org/the-standard.
---------------------------------------------------------------------------

II. ``John Doughs'' and the Uber Bug Bounty Program

Although open source software development has always depended on external support to identify errors and weaknesses in code, formal bug bounty programs within major technology companies are still a relatively new phenomenon. As such, it is understandable that expectations, norms, and best practices are still developing in this area.
In 2016, a hacker calling himself ``John Doughs'' e-mailed Uber's chief security officer Joe Sullivan that he had discovered a ``major vulnerability'' in Uber's systems.\12\ In subsequent conversations with the hacker, Uber discovered that company engineers had posted credentials to Uber's servers on the code management portal GitHub, and that Doughs had used the credentials to access information about Uber's 57 million user and driver accounts, including sensitive data such as driver's license numbers. Although Uber told Doughs that its maximum bug bounty payout was $10,000, the hacker insisted that he expected ``six digits'' for his information. Eventually, Uber decided to pay Doughs $100,000, and required him to agree to delete the compromised data.

---------------------------------------------------------------------------
\12\ Nicole Perlroth and Mike Isaac, Inside Uber's $100,000 Payment to a Hacker, and the Fallout, N.Y. Times, (Jan. 12, 2018), https://www.nytimes.com/2018/01/12/technology/uber-hacker-payment-100000.html.
---------------------------------------------------------------------------

In general, we believe it is counterproductive to report participants in bug bounty programs to law enforcement absent a strong indication of malicious intent. We are not convinced there is anything wrong per se with a hacker asking for more money than is originally offered for information on a vulnerability. A hacker may reasonably believe that the value of the information and the time invested in uncovering it merit a higher payment. In the past, others have criticized Uber's bug bounty program for failing to provide reasonable payments for identifying exploitable holes in their code.\13\ At some point, a request for more money may convey an implicit--or explicit--threat to sell the exploit or compromised data elsewhere if the demands are not met. However, from the publicly reported facts, it is not clear that that happened in this case.
In any event, Uber had invited persons such as Doughs to look for precisely the type of vulnerabilities that he eventually found. If security researchers have to worry that looking for bugs in code will lead to criminal referral, the efficacy of bug bounty programs will dramatically decrease.

---------------------------------------------------------------------------
\13\ Gregory Perry, How I Got Paid $0 From the Uber Security Bug Bounty, Medium, (Dec. 24, 2017), https://medium.com/bread-and-circuses/how-i-got-paid-0-from-the-uber-security-bug-bounty-aa9646aa103f
---------------------------------------------------------------------------

Nevertheless, Uber had an ethical--and legal--obligation to be more forthcoming with its users after it was made aware of its security lapse. Forty-eight states--as well as the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands--have laws mandating disclosure to consumers when their personal information is jeopardized in a security breach.\14\ Drivers' license information--which was compromised in this incident--is typically included within such laws. While breach notification triggers vary significantly among the states, it seems quite likely that at least some state laws mandated disclosure to Uber drivers about the incident. For example, California law requires breach notification when ``unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.'' While many other states only require notification upon a determination that no harm was likely to have occurred, it is not clear how Uber could have reasonably come to this conclusion.
Even if Uber felt it could trust that John Doughs had not sold or copied the data, Uber knew that credentials to its servers had been publicly accessible in GitHub and could have been used by others to access sensitive personal information.\15\ Uber is in constant communication with its drivers and could easily have told them about the potential exposure of their information; instead they decided to say nothing.

---------------------------------------------------------------------------
\14\ Security Breach Notification Laws, National Conference of State Legislatures, (Apr. 12, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
\15\ Jeremy Kahn, Uber Hack Shows Vulnerability of Software Code-Sharing Services, Bloomberg, (Nov. 22, 2017), https://www.bloomberg.com/news/articles/2017-11-22/uber-hack-shows-vulnerability-of-software-code-sharing-services. This was not the first time Uber credentials posted to GitHub led to a data security incident; in 2014, credentials posted in a publicly available GitHub repository compromised the data of 50,000 users. Id.
---------------------------------------------------------------------------

State data breach notification laws were first passed starting in 2002, and were clearly not written with bug bounty programs in mind. Notification laws and bug bounty programs both play an important role in protecting consumers, but there is a potential conflict between the two that needs to be reconciled.
Indeed, notifying consumers of breaches created by ethical hacking pursuant to bug bounty programs could unnecessarily alarm consumers without providing any clear benefit.\16\ Lawmakers seeking to update these protections must be extremely careful to balance the security benefits provided by external hacking with the right of consumers to know when their information is truly at risk, perhaps by developing general standards to govern the legitimate use of these programs. In any event, Uber was not entitled to simply decide not to follow consumer protection (and other) laws it believed to be onerous or unnecessary. Uber previously took over six months to announce a different data breach in 2015, making the delay in announcing the 2016 breach all the more difficult to justify.\17\ Further, if in fact a condition of the payment to Doughs was that he could not disclose the incident--even after the vulnerability had been remedied so no one could exploit it--then the lack of transparency from Uber is still more concerning.\18\

---------------------------------------------------------------------------
\16\ Similarly, security researchers have called for modifications to the Wassenaar anti-proliferation agreement to allow for cross-border communications about security vulnerabilities and the effective management of bug bounty programs. See James Sanders, How the Wassenaar Arrangement threatens responsible vulnerability disclosures, TechRepublic, (Jul. 7, 2015), https://www.techrepublic.com/article/how-the-wassenaar-arrangement-threatens-responsible-security-vulnerability-disclosures/.
\17\ Dave Lewis, Uber Suffers Data Breach Affecting 50,000, Forbes, (Feb. 28, 2015), https://www.forbes.com/sites/davelewis/2015/02/28/uber-suffers-data-breach-affecting-50000/#5e59102c2db1.
\18\ Mike Isaac, Katie Brenner, and Sheera Frankel, Uber Hid 2016 Data Breach, Paying Hackers to Delete Stolen Data, N.Y. Times, (Nov. 21, 2017), https://www.nytimes.com/2017/11/21/technology/uber-hack.html. Even today, Uber and HackerOne, despite publishing statistics about the bug bounty program, appear to be omitting inclusion of this incident. The bounty program's webpage states that its top bounties range between $4,400 and $20,000, despite reports that John Doughs was paid over $100,000 for information about this security vulnerability. See Uber: Bug Bounty Program, Uber, https://hackerone.com/uber. This is despite the site denoting ``AWS credential exposure resulting in access to driver documents'' as an example of in-scope vulnerability class examples--precisely the vulnerability exposed by Doughs.
---------------------------------------------------------------------------

III. New Laws are Needed to Provide for Better Security Incentives

Bug bounty programs should continue to play an important role in safeguarding consumers' personal information. And Consumer Reports is committed to providing more information to the marketplace about which companies perform best under the Digital Standard, including which companies have the best security practices.

However, due to a misalignment of incentives, most companies today do not adequately invest in cybersecurity. Many breaches are not detected or publicly disclosed. The likelihood of law enforcement under the current regulatory scheme is low. The potential profits from using consumer data far outweigh any penalties that can be assessed for violations, incentivizing carelessness and misuse. And companies that experience a data breach bear only a portion of the cost--much of that instead is laid on consumers. As such, we need a much stronger data security law in the United States.
Americans lost an estimated $16 billion to identity theft in 2016, up almost $1 billion from the year prior.\19\ Department of Justice data reveals that about 7 percent of Americans over the age of 16 experienced identity theft in 2014.\20\ About 9 percent spent a month or more repairing their accounts or credit histories.\21\ Tax identity theft--when identity thieves use compromised social security numbers to file taxes and collect the refund--is a significant concern as well. In Fiscal Year 2016, the Internal Revenue Service discovered fraudulent returns filed for nearly 1 million people, totaling $6.5 billion.\22\ And because consumers often cannot reliably attribute these losses to particular companies, those companies typically can't be held responsible in court for consumers' losses.

---------------------------------------------------------------------------
\19\ Identity Fraud Hits Record High with 15.4 Million U.S. Victims in 2016, Up 16 Percent According to New Javelin Strategy & Research Study, Javelin (Feb. 1, 2017), https://www.javelinstrategy.com/press-release/identity-fraudhits-record-high-154-million-us-victims-2016-16-percent-according-new.
\20\ U.S. Dep't of Justice, Victims of Identity Theft, 2014 1 (Sep. 2015), https://www.bjs.gov/content/pub/pdf/vit14.pdf.
\21\ Id. at 10.
\22\ Written Testimony of John A. Koskinen Before the Senate Finance Committee on the 2017 Filing Season and IRS Operations, Internal Revenue Serv. (Apr. 6, 2017), https://www.irs.gov/newsroom/writtentestimony-of-john-a-koskinen-before-the-senate-finance-committee-on-the-2017-filing-season-and-irs-operationsapril-6-2017.
---------------------------------------------------------------------------

Congress needs to act to update consumer protections to reflect the extremely real threats posed to consumers by poor security practices. First, lawmakers should give the Federal Trade Commission (FTC) \23\ stronger resources and tools to protect consumers.
The FTC has a long, bipartisan history of responding to an ever-changing array of threats on behalf of the American people. However, the agency does not have sufficient resources to police the marketplace as it should, and there are gaps in its authority to address privacy and data security lapses in various sectors. For example, it currently lacks the authority to take action against nonprofit entities and ``common carriers.'' \24\ Moreover, when it does bring a case against a bad actor, it typically lacks the authority to obtain civil penalties to deter potential wrongdoers from similar behavior. As such, deceptive or unfair business practices can be rationalized by companies as a (fairly low) cost of doing business.

---------------------------------------------------------------------------
\23\ From August 2015 to August 2017, I served as Policy Director of the FTC's Office of Technology, Research, and Investigation.
\24\ Oral Statement of Commissioner Terrell McSweeny before the House Judiciary Committee, (Nov. 21, 2017), https://www.ftc.gov/system/files/documents/public_statements/1268963/mcsweeny_oral_testimony_to_us_house_of_representatives_committee_on_the_judiciary_11-1-17_.pdf.
---------------------------------------------------------------------------

Second, Congress should pass legislation requiring companies that have access to sensitive personal information to use reasonable security to safeguard it. Despite the FTC's long-standing use of the FTC Act to address data security lapses, some companies continue to challenge it.\25\ The FTC to date has brought over 60 cases challenging shoddy data security practices, but given the uncertainties in application, challenges in attributing harm to specific incidents, and the lack of penalties, the market has yet to internalize the risks posed to consumers by potential data breaches.
---------------------------------------------------------------------------
\25\ E.g., Mallory Locklear, FTC lawsuit over D-Link's lax router security just took a big hit, Engadget, (Sep. 21, 2017), https://www.engadget.com/2017/09/21/ftc-lawsuit-d-link-lax-router-security-took-hit/.
---------------------------------------------------------------------------

Finally, while the vast majority of American citizens are protected by state data breach notification laws today, a Federal standard has the potential to strengthen these requirements and impose stronger penalties. However, the goal of any Federal breach notification law must be to strengthen consumer protections, not weaken the already inadequate incentives in place today. As a result, any such bill should include the resources and stronger authority for the FTC discussed above. Further, it must not broadly preempt state breach and security laws that cover information outside the scope of a Federal law. Indeed, states must be allowed and encouraged to continue to innovate to protect their citizens.

States have been the leaders in passing and revising data breach notification legislation over the years. At first, these laws primarily covered financial information such as Social Security numbers and credit card account numbers. However, over time, several states have extended these laws to cover new categories of information that, if compromised, pose risks to consumers. For instance, some states have extended breach notification protections to e-mail and photo storage accounts, recognizing that those databases contain incredibly personal information, and could be leveraged for new types of damaging identity theft.\26\ States must be allowed to iterate over time to protect their citizens from new and emerging security threats.

---------------------------------------------------------------------------
\26\ E.g., Delaware Amends Its Data Breach Notification Law, Mayer Brown, (Aug. 29, 2017), https://www.mayerbrown.com/delaware-amends-its-data-breach-notification-law-08-29-2017/.
---------------------------------------------------------------------------

Conclusion

Thank you again for the opportunity to testify here today about the challenges of implementing bug bounty programs to best safeguard personal information. We believe that these programs play a vital role in uncovering vulnerabilities in code before they can be exploited by malicious actors. However, in order to incentivize companies to deploy these and other data protection safeguards, Congress must update consumer protection laws for the modern age to account for the unprecedented threats to our personal data. I look forward to answering the Committee's questions.

Senator Moran. Thank you very much. Thank you all. Let me start with some questions and I don't know whether we'll have time for a second round or not. So if we can have relatively brief answers, I'll try to have relatively brief questions.

First of all, for you, Mr. Flynn, what's the justification that there apparently was no, in the view of Uber, legal or other obligation to notify the victims of the hack?

Mr. Flynn. Senator, there's no justification for that. We should have notified our customers at the time when this did occur and it was a mistake not to do so.

Senator Moran. So Uber does not take the position that the law is unclear?

Mr. Flynn. I do believe that the patchwork laws that are per state are a challenge for all companies and defenders to contend with. I do believe that is the case, but in this case, I think the real issue was that we didn't have all the right people in the room making that evaluation and making the right decision and making right by our customers.

Senator Moran. Thank you for that honest answer. Perhaps this is Mr. Mickos or Ms. Moussouris. Excuse me.

Ms. Moussouris. Like a dinosaur, Moussouris.

Senator Moran. Moussouris. Thank you. That's very helpful.
    I'll be sitting here thinking if I get it right what dinosaur was that.
    So what determines the price for which a hacker is paid for the return of the information? Is that a negotiated item and what are the factors that are determined, in this case a $100,000 being apparently appropriate?

    Mr. Mickos. Mr. Chairman, by now the world has paid tens of thousands of bounties. So there starts to be a typical pricing for any sort of vulnerability. So you can compare to other companies and you can set your bounties in accordance with common practices. But the bounty decision is always a decision for the company who's receiving the vulnerability and the main influencing factor is the severity of the vulnerability, i.e., how bad would it be if indeed a criminal abused the vulnerability, and that is why in my opening statement I said the average over all these bounties is only about $500 per vulnerability, but the highest bounties offered are $250,000. So it's mathematically a question of a power law distributed set where there are very few extremely valuable vulnerabilities that will catch a very high price all the way up today to $250,000 whereas the majority of the regular day-to-day bug bounty program operates in the range of hundreds or thousands of dollars.

    Senator Moran. What's the obligation to report the payment or the breach to law enforcement and once a bounty is paid, is that obligation changed? Is that part of the agreement?

    Mr. Mickos. Mr. Chairman, the business, the bug bounty program is a preventative service and it is not the function of incident response.

    Senator Moran. So in the case of your client, Uber, did you work for them? You were performing services for them prior to the incident of 2016?

    Mr. Mickos. Uber became a customer of HackerOne in 2015 and they operate their Bug Bounty Program on our platform, yes.

    Senator Moran. And so you did not determine a vulnerability prior to the realization that there was a problem in 2016?

    Mr. Mickos. The way we deal with it, the vulnerability gets reported through our platform. We do not see the contents of the report. It goes to the customer and the customer takes action and may come back to HackerOne and say this was a valid vulnerability report, please pay the following bounty to this hacker, and that is how we deal with any of these bounties when they come from any of our customers.

    Senator Moran. What are the other techniques, besides bug bounties? I said it in my opening statement, but I think you indicated, Ms.----

    Ms. Moussouris. Moussouris.

    Senator Moran.--Moussouris--thank you so much for the reminder. Defensive hack ecosystem. So we've been focused on bug bounties, but there apparently are other techniques that we ought to be aware of?

    Ms. Moussouris. Yes, of course. If I could answer your previous question about bounty price?

    Senator Moran. Please.

    Ms. Moussouris. That is actually something that is very important in terms of the defense market. There is a defense market for bugs and exploits and there is an offense market for bugs and exploits and they're characterized not just in price. There's a huge price differential, but they're characterized differently when it comes to what their objective is. So the offense market for bugs is buying bugs and exploits that are fairly reliable and much higher priced in order to keep them secret and usable for attack purposes. They could be bought for regular law enforcement or used by nation states. They could be bought by criminal organizations. Defensive bounty prices, which regular bug bounties are a part of the defensive market, there is a logical ceiling above which those defensive market prices cannot exceed. You cannot compete directly with the offense market. The reason for that is you will create a perverse set of incentives where you might, you know, essentially incent some developers inside of an organization to collude with a member of the outside to write bugs into the code.
    You may create an environment where it's much more lucrative to spend your time hunting for bugs than it is to develop fixes or even develop new code. So we're already seeing a skew in the market right now where the way that the bug bounties are being used and applied, where it is actually much more lucrative. I think HackerOne just released a report talking about how much more lucrative it is to be a bug bounty hunter than it is to be a developer and that's including in the United States. So we do have to be mindful of this market that we're creating here and make sure that we're not over-skewing and over-rewarding the pointing out of flaws without creation of an ability to catch these bugs and deal with them appropriately and building that workforce. So back to your----

    Senator Moran. Excuse me one moment.

    Ms. Moussouris. Yes.

    Senator Moran. So I want to make sure I understand something because this is at least useful to me. It's not a question of whether you pay the consequences of the breach versus the amount of money that the bounty would be. It seems to me that when Mr. Mickos says the maximum is $250,000, that's the compensation for finding the problem. It's not a competition between how much money I'm going to pay to find the problem after there has already been a problem because the consequences of the hack will be much more expensive than the $250,000 maximum that Mr. Mickos--do I understand something here?

    Ms. Moussouris. Well, it is hard to estimate the overall cost of a breach. It's hard to estimate it to the company involved, to the users whose data may be compromised, and to other, you know, affected and related systems. So there should not actually be a direct correlation between the resulting potential harm and a defensive market price. It is much more of a token of appreciation, even if it is a six-figure payout, and I created Microsoft's Vulnerability, you know, Bug Bounty Program at $100,000 but it was for a technique.
    That is something that's sufficiently rare that it wasn't creating these perverse incentives where, you know, people could quit working at Microsoft, stop working on platform mitigations, and instead go off and, you know, supply these. Whereas the damage that, you know, potential new exploitation technique could cause in the ecosystem is certainly much more multiple millions of dollars. It is the idea of setting these incentives at an appropriate level where you are drawing out interest and creativity of the hacker community to work with you, but not setting them so high for something that is not sufficiently rare enough that you're not creating this much more lucrative business. And in the case of these breaches, what I'm concerned about as, you know, a concerned member of the defensive economy here is that why would a hacker turn in a bug and follow the rules for $10,000 when the term ``bug bounty'' has been muddied to include downloading 57 million records and getting paid a $100,000 for that data theft? I think that is a line that we should be very, very clear that bounties should not be negotiable in that way. You had asked that question. Should they be negotiable? I think not. They are about setting what you think is a reasonable price, such that you're below that, you know, perverse incentive mark of inciting some bad actors and some bad activities and really setting an example for the hackers of today and the hackers of tomorrow to participate in the defensive economy for bugs in the right way.

    Senator Moran. Thank you very much. Senator Blumenthal.

    Senator Blumenthal. Thank you, Senator Moran. I think this distinction is pretty simple and I think you make it in your testimony, Ms. Moussouris, when you say that we need to make clear that only ``the minimum necessary proof is required to prove that a vulnerability exists and that no further access or exploitation past that point is authorized.'' And actually, Mr. Flynn, you make it pretty clear, too, when you say in your testimony, ``in my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download the data.''
    It's the difference between a security consultant who says about your home, you have this vulnerability to forced entry and the criminal who says you have this vulnerability to forced entry and I have your child, pay me a $100,000. That's ransom. It's a crime. And so concealing it, in my view, is in effect aiding and abetting that crime. I don't know what you want to call it, but wouldn't you agree with me that the net effect was to cover up or seek to cover up a crime?

    Mr. Flynn. Mr. Blumenthal, thank you for those points. I agree that this was not consistent with the way in which our Bug Bounty Program normally operates and it's important to understand that this is not the way that we're going to do these things moving forward. You know, I think that, as you point out, sir, the fact that this was a multistep malicious intrusion, a downloading of data, and an extortion and ransom demands, means that this wasn't consistent with that or the way that that program normally operates.

    Senator Blumenthal. And any such criminal conduct needs to be reported immediately to authorities.

    Mr. Flynn. Yes, sir, exactly.

    Senator Blumenthal. And to consumers, ordinary people, whose lives may be put at risk as a result.

    Mr. Flynn. I agree with you on both counts, sir. I think we made a misstep in not reporting to consumers and I think we made a misstep in not reporting to law enforcement and those are both things that we have corrected and will correct going forward.

    Senator Blumenthal. Would you agree with me, actually with the Electronic Privacy Information Center that ``bug bounties need to be non-negotiable and clearly defined in company policy. Otherwise, companies are letting user data be held as ransom.''

    Mr. Flynn. I do believe it's important to understand the boundaries between our Bug Bounty Program and a case like this which had those features that you had pointed out, the extortion and ransom demands and so forth.

    Senator Blumenthal. Extortion and ransom demands but also when you say you're going to run a bug bounty program, if you say we're going to negotiate with you when you have access to our information or when you have the information, it exposes you in effect to extortion and ransom demands, correct?

    Mr. Flynn. Yes, sir, and what I would recommend, after learning a lot of lessons from this experience personally, is that I would recommend all companies that are running and operating bug bounty programs to ensure that they have a process and procedure in place for when and if this type of occasion does occur because I think it's something that we hadn't contemplated at the time and we made some missteps along the way as a consequence.

    Senator Blumenthal. Does Uber have that procedure in place now?

    Mr. Flynn. So we have changed a number of aspects of our approach. One of the things that we didn't do well here is that we didn't include enough of the right legal representatives to determine if this was a data breach notification requirement. So we've done one thing, which is brought everybody into the room. I think we've done another thing where we've made sure that we----

    Senator Blumenthal. Let me just because my time is running out----

    Mr. Flynn. Oh, sorry.

    Senator Blumenthal.--ask you, do you have clear limits, parameters, for non-negotiable and clearly defined policy on how much you will pay?

    Mr. Flynn. Yes, as part of new leadership coming in, we are in the process of reviewing and updating our policy regarding that right now.

    Senator Blumenthal. So you don't have them now but you're----

    Mr. Flynn. It's something we are working on and we've also brought in Matt Olsen, the former General Counsel of the National Security Agency, to help guide us, as well.

    Senator Blumenthal. Mr. Mickos, does HackerOne have those kinds of policies in place?

    Mr. Mickos. We do.

    Senator Blumenthal. Clear brackets or parameters?

    Mr. Mickos. Senator, we do have policies. We do not engage in extortion payouts. That's against our policies. It's not the business we are in.

    Senator Blumenthal. My time has expired. In deference to the other members of the Committee, I'm going to stay within the limit. I'm hoping that maybe we'll have another round.
    I would--while I'm remembering to do it, I have three documents I'd like to submit for the record. A written statement by Kathleen McGee, Chief of the Bureau of Internet and Technology for the New York State Office of Attorney General. Her statement highlights the important role of State Attorneys General in protecting consumers and enforcing data security protections. The second is the letter, dated February 5, 2018, from Representatives Schakowsky and Lujan, and the third is the letter, also dated February 5, from the Electronic Privacy Information Center.

    Senator Moran. Without objection, they'll be entered.
    [The information referred to follows:]

Prepared Statement of Kathleen McGee, Chief of the Bureau of Internet & Technology, New York State Office of the Attorney General

    Chairman Moran, Ranking Member Blumenthal, and other distinguished Members of the Subcommittee:

    My name is Kathleen McGee, and I am the Chief of the Bureau of Internet & Technology at the New York State Office of the Attorney General, Eric T. Schneiderman. The Bureau of Internet & Technology is responsible for protecting New Yorkers from existing as well as new and developing online threats.
    I am pleased to present this prepared testimony concerning data breaches, which continue to victimize consumers with greater and greater frequency, from small local businesses to giants like Target, Anthem, Yahoo, Equifax, and Uber.

    In late November 2014, the New York Attorney General's Office opened an investigation into Uber's collection, maintenance and disclosure of riders' personal information amidst reports that Uber executives had access to riders' locations and that Uber displayed this information in an aerial view, known internally as ``God View.'' Separately, Uber notified our office that, as early as September 2014, it had experienced a data breach where Uber driver names and driver's license numbers were accessed by an unauthorized third party. In a settlement resolving those allegations, Uber agreed, among other things, to:

        Maintain and store GPS-based location information in a password-protected environment, and encrypt the information when in transit;
        Limit access to geo-location information to designated employees with a legitimate business purpose, and enforce this limitation through technical access controls, and a formal authorization and approval process;
        Designate one or more employees to coordinate and supervise its privacy and security program;
        Conduct annual employee training to inform employees who are responsible for handling private information about Uber's data security practices;
        Adopt protective technologies for the storage, access, and transfer of private information, and credentials related to its access, including the adoption of multi-factor authentication, or similarly protective access control methodologies;
        Conduct regular assessments of the effectiveness of Uber's internal controls and procedures related to the securing of private information and geo-location information and the implementation of updates to such controls based on those assessments; and
        Maintain a separate section in its consumer-facing privacy policy describing its policies regarding location information collected from riders.

    Despite those commitments, reports surfaced late last year that Uber experienced yet another data breach affecting 57 million riders and drivers. Worse yet, Uber reportedly kept the data breach secret for more than a year after paying a $100,000 ransom. These deeply concerning reports led the New York Attorney General's Office to open an investigation into this breach and Uber's associated conduct. While I cannot share details from ongoing investigations, I can say we are getting to the bottom of this Uber breach, and that we take very seriously drivers' and riders' right to the protection of sensitive information they entrust to Uber.

    States have a central role in protecting consumers and their data. The New York Attorney General's Office and other State Attorneys General offices have been policing data breaches for nearly two decades. In fact, State Attorneys General frequently work cooperatively, in collaboration with each other and relevant Federal agencies, to protect consumers in this area.

    Indeed, the states have led the way on data protection for consumers. When the Internet was still relatively new to consumers, states responded with data protection and data breach laws to protect their residents. And as the technology has evolved over the years, state law has evolved with it.

    Back in 2002, when the Internet was younger and e-commerce was beginning to take off, California enacted the first data breach notification law. It proved to be a tremendous success for consumer protection, and New York and other states soon followed. Today, 48 states, the District of Columbia, and U.S. territories all have data breach notification laws. That is the sort of innovation at the state level that our Federal system, at its best, promotes.

    The states have already adapted those laws as technology and consumers' use of it changed, and as new threats emerged.
    For example, as e-mail and other online accounts became an increasing part of consumers' daily lives--to make appointments, send confidential documents, and discuss work and personal affairs--account credentials became the ``keys to the castle'' for consumers' data. As a result, states amended their laws to add username-and-password combinations as a trigger for breach notification--a key state law innovation. This is just one of many examples. As companies increasingly used fingerprints to unlock devices, state laws began covering biometric data.

    But it is better to prevent breaches before they happen. And states have been equally innovative on this point: enacting legislation requiring companies to implement adequate data security, and updating such laws as technology evolves. And states have a second tool: consumer protection laws, which State Attorneys General use to police misrepresentations about data security--as with other consumer products, it can be unlawful for a company to make misrepresentations about data security to consumers.

    The New York Attorney General's office, recognizing the importance of this issue for consumers and the need to update New York's law, has proposed legislation to update New York's data security and breach notification laws. And, the New York Department of Financial Services--a separate state agency with jurisdiction over New York's banking and insurance sectors--also has innovated in this area, implementing important data security regulations to protect consumers' financial data.

    In light of this background, I would like to make a few key points.

    First, it would be a big mistake for Congress to preempt states' ability to legislate and innovate in this area. The law must be able to keep pace with the ever-increasing rate of change in technology. States have proven the ability to act quickly in that regard--from both legislative and enforcement perspectives. In contrast, bills have been proposed in Congress for many years but, for one reason or another, enactment has proven elusive. Even if a Federal law were enacted, it could prove difficult to amend and would fall far behind new technologies that will inevitably continue to emerge. Thus, even a Federal law providing the most stringent protections based on current state requirements will leave consumers more and more vulnerable over time.

    Second, when it comes to enforcement, states occupy a leading role today and must continue to do so. Our office has issued data breach reports in recent years that show an alarming increase in data breaches. Indeed, in 2016 we received 1,300 data breach notices--up 60 percent from the year before. This Committee is likely aware of the megabreaches, such as the Target breach involving 40 million credit card numbers and the Anthem breach involving over 78 million records including Social Security Numbers. In those instances, New York and other states used a well-established process to coordinate enforcement efforts against companies that violated consumer trust with inadequate data security. As a result, the states obtained not just data security reforms through injunctive relief but also large civil penalty recoveries that are essential to deterring other companies from violating consumer trust through lax security practices.

    Less well-known, yet equally important, are the enforcement actions our office takes in response to smaller breaches that occur by the hundreds each year in New York and other states. One recent case illustrates the point. A small company outside Buffalo, New York misconfigured a web server, which led to the disclosure of 500 employment applications with Social Security Numbers in Google search results. Our office found out through a tip, contacted the company immediately, and got the applications removed from search results within days.
    Even if a Federal agency were provided with the most comprehensive data security law and the considerable resources needed for serious enforcement, it is unlikely that a Federal agency would be as responsive as our office and our sister State Attorneys General to breaches involving local businesses and relatively small numbers of local consumers. These breaches may be smaller than a Target or an Equifax or an Uber--but the victims are no less in need of law enforcement protection. Smaller breaches like these are the rule, not the exception.

    Further, with years of first-hand experience policing data security in our state, we know how to distinguish between breaches that a company should have prevented with better security versus breaches that could not have been avoided despite the company's reasonable security practices. By virtue of this experience, and our knowledge of conditions within our local communities and industries, we can avoid both underenforcement that would leave consumers unduly vulnerable and overenforcement that would create undue burdens on local businesses.

    For all of these reasons, I respectfully urge this body to ensure that any legislation it considers meets the following requirements, which are vital to protecting states' innovative role in consumer data protection:

        Any new Federal requirements should not preempt state law, but instead should expressly set a floor--not a ceiling--on data security standards and protocols in the event of breaches. States must be able to innovate in the areas of data security and breach notification and pass stronger and more up-to-date laws than the Federal standard.
        As with several other Federal consumer protection laws, any Federal requirements must be enforceable by State Attorneys General in addition to a Federal agency, and any Federal penalties or other monetary relief must be recoverable by the states as well.
        To the extent any preemption language is included, beyond the floor/ceiling issue discussed above, the language must be drawn carefully to avoid unintended severe consequences. Some preemption language can be so broad that it might be interpreted to set aside state laws concerning personal privacy or computer crimes, and that would be a serious problem for constituents.

    These or similar provisions for joint Federal and state enforcement authority are already included in other Federal laws and have proven successful. For example, the New York Attorney General's office has coordinated with the FTC on several investigations into violations of the Federal Children's Online Privacy Protection Act, or COPPA, to stop invasive tracking on major child-focused websites. The vast majority of State Attorneys General have similarly called on Congress to avoid preempting state action on data security, as recently as 2015, when a broad bipartisan group of 45 State Attorneys General joined in asking Congress to oppose then-pending data security bills with harmful preemption provisions.

    Our office continues to enforce data security protections on behalf of New Yorkers and to work with New York's state lawmakers to continually update those protections. We appreciate your Committee's efforts to complement those efforts at the Federal level while ensuring that work at the state will continue successfully.
                                 ______
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
                                 ______

                                   Electronic Privacy Information Center
                                      Washington, DC, February 5, 2018

Senator John Thune, Chairman,
Senator Bill Nelson, Ranking Member,
U.S. Senate Committee on Commerce, Science, and Transportation,
Russell Senate Office Building, Room 253
Washington, DC 20002

Dear Chairman Thune and Ranking Member Nelson:

    We write to you regarding the upcoming hearing on ``Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers.'' \1\ The Electronic Privacy Information Center (``EPIC'') supports initiatives, including payments to outside computer security experts, that prompt companies to fix vulnerabilities as this makes user data more secure. But Uber disguised a blackmail payment as a bug bounty payment and waited over a year to disclose the breach of personal data to authorities and to consumers. Bug bounty programs do not excuse non-compliance with data breach notification laws.
---------------------------------------------------------------------------
    \1\ Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers, 115th Cong. (Feb. 6, 2018), S. Comm. on Commerce, Science, & Transportation, https://www.commerce.senate.gov/public/index.cfm/hearings?ID=73871FA8-29AD-4ED5-ABB8-C86B4BE4E0A3.
---------------------------------------------------------------------------

    EPIC is a public interest research center established in 1994 to focus public attention on emerging privacy and civil liberties issues in the information age. EPIC is a leading consumer privacy advocate and has played a key role in developing the authority of the Federal Trade Commission (``FTC'') to safeguard the privacy rights of consumers.\2\ EPIC's complaint \3\ concerning Google Buzz provided the basis for the FTC investigation and subsequent settlement, and the Commission's settlement with Facebook also followed from a complaint filed by EPIC and a coalition of consumer privacy organizations.\4\
---------------------------------------------------------------------------
    \2\ See, e.g., Letter from EPIC Exec. Dir. Marc Rotenberg to FTC Comm'r Christine Varney (Dec. 14, 1995) (urging the FTC to investigate the misuse of personal information by the direct marketing industry), http://epic.org/privacy/internet/ftc/ftc_letter.html.
    \3\ In re Google Buzz (2011), https://epic.org/privacy/ftc/googlebuzz/.
    \4\ In re Facebook, Inc. (2011), https://epic.org/privacy/inrefacebook/.
---------------------------------------------------------------------------

    Uber's privacy and security practices have been of particular concern to EPIC. EPIC filed a complaint \5\ with the FTC in 2015 regarding Uber's egregious misuse of personal data. That complaint led to an FTC settlement \6\ with Uber in August 2017. In 2015, EPIC also proposed a privacy law for Uber and other ride-sharing companies.\7\
---------------------------------------------------------------------------
    \5\ EPIC Complaint to the FTC, In the Matter of Uber Technologies, Inc. (June 22, 2015), https://epic.org/privacy/internet/ftc/uber/Complaint.pdf.
    \6\ Agreement Containing Consent Order FILE NO. 1523054, In the Matter of Uber Technologies, Inc., https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_agreement.pdf.
    \7\ Marc Rotenberg and Julia Horwitz, Privacy Rules for Uber, HuffPost (Feb. 11, 2015), https://www.huffingtonpost.com/julia-horwitz/privacy-rules-for-uber_b_6304824.html.
---------------------------------------------------------------------------

    It is important for this Committee not to lump in Uber's actions with legitimate payments to computer security experts. Bug bounty programs are used in both the public and private sectors to identify vulnerabilities. Blurring the line between bug bounties and breaches hurts white hat hackers who want to disclose vulnerabilities in an ethical way.
    Joe Sullivan, Uber's chief security officer (who has since been fired), denied that the 2016 incident was a breach and said the company had treated it as an authorized vulnerability disclosure.\8\ But e-mails between Uber and the hacker reveal more complicated circumstances. After Uber told the hacker that the max payout of their bug bounty program was $10,000, he responded that he expected at least $100,000 and then threatened the company.\9\
---------------------------------------------------------------------------
    \8\ Nicole Perlroth and Mike Isaac, Inside Uber's $100,000 Payment to a Hacker, and the Fallout, N.Y. Times (Jan. 12, 2018), https://www.nytimes.com/2018/01/12/technology/uber-hacker-payment-100000.html?_r=0.
    \9\ Id. (One e-mail read: ``Yes we expect at least 100,000$ I am sure you understand what this could've turned out to be if it was to get in the wrong hands, I mean you guys had private keys, private data stored, backups of everything, config files etc. . . . This would've heart [sic] the company a lot more than you think.'')
---------------------------------------------------------------------------

    Bug bounties need to be non-negotiable and clearly defined in company policy, otherwise companies are letting user data be held as ransom. $100,000 could have been an appropriate bounty for Uber to pay. Last month Google paid a security researcher $112,500 for an Android bug \10\ and Apple offers up to $200,000 for iOS and iCloud bugs.\11\ But the communications between Uber and the hacker make the $100,000 payment look more like extortion than a payment for services.
---------------------------------------------------------------------------
    \10\ Charlie Osborne, Google awards researcher over $110,000 for Android exploit chain, ZDNet (Jan. 18, 2018), http://www.zdnet.com/article/google-awards-researcher-over-110000-for-android-exploit-chain/
    \11\ Andrew Cunningham, Starting this fall, Apple will pay up to $200,000 for iOS and iCloud bugs, ArsTechnica (Aug. 4, 2016), https://arstechnica.com/gadgets/2016/08/starting-this-fall-apple-will-pay-up-to-200000-for-ios-and-icloud-bugs/.
---------------------------------------------------------------------------

    More critically, bug bounty programs do not exempt companies from data breach notification laws. Even though Uber obtained assurances that the downloaded data had been destroyed,\12\ it was still required under state laws to notify users and authorities of the data breach. Once Uber was aware that user data had been compromised, it had a legal obligation to notify those affected by the breach. Waiting over a year to disclose is a clear violation of state data breach notification laws, most of which require a company to notify affected users within 30 or 45 days.\13\
---------------------------------------------------------------------------
    \12\ Dara Khosrowshahi, 2016 Data Security Incident (Nov. 21, 2017), https://www.uber.com/newsroom/2016-data-incident/.
    \13\ National Conference of State Legislatures, Security Breach Notification Laws (Apr. 12, 2017), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx.
---------------------------------------------------------------------------

    The legal avenues for security researchers and white hat hackers to disclose vulnerabilities need to be more clearly defined. Most companies--94 percent of the Forbes Global 2000 to be exact--do not have a published vulnerability disclosure policy and because of this nearly one in four hackers have not reported a vulnerability that they found.\14\ This hurts users, whose information may be stolen through a vulnerability that went unpatched because it was never reported.
--------------------------------------------------------------------------- \14\ HackerOne, The 2018 Hacker Report (Jan. 17, 2018), https:// www.hackerone.com/blog/2018-Hacker-Report. --------------------------------------------------------------------------- The 2016 Uber breach also highlights the need for reform of the Computer Fraud and Abuse Act (``CFAA'').\15\ Due to the CFAA, companies are able to give white hat hackers little assurance that they will not seek civil or criminal penalties if they assist the company. The law blurs the line between ethical and unethical hacking, leaving companies and hackers in legal limbo. Former Secretary of the Army, Eric Fanning, said ``what Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation's security, but lack a legal avenue to do so.'' \16\ Last year, the Department of Justice created A Framework for a Vulnerability Disclosure Program for Online Systems, but following this framework only ``substantially reducing the likelihood that such described activities will result in a civil or criminal violation of law under the Computer Fraud and Abuse Act.'' \17\ If we want white hat hackers to help companies and government identify vulnerabilities, we need to be able to give them more legal protection than they have now. --------------------------------------------------------------------------- \15\ See Testimony of Marc Rotenberg, Computer Virus Legislation Before the Subcomm. on Criminal Justice of the House Comm. on the Judiciary, 101st Cong., 1st Sess. 25 (November 8, 1989) reprinted in Marc Rotenberg, ``Computer Virus Legislation,'' Computers & Society, vol. 20, no. 1 (March 1990). \16\ HackerOne, Hack the Pentagon, https://www.hackerone.com/ resources/hack-the-pentagon. 
\17\ DOJ Cybersecurity Unit, A Framework for a Vulnerability Disclosure Program for Online Systems (July 2017), https:// www.justice.gov/criminal-ccips/page/file/983996/download. --------------------------------------------------------------------------- We ask that this letter be entered into the hearing record. We look forward to working with the Committee to help strengthen security practices that protect users. Sincerely, Marc Rotenberg, President, EPIC. Christine Bannan, Administrative Law and Policy Fellow, EPIC. Senator Blumenthal. Thanks, Mr. Chairman. Senator Moran. Senator Cortez-Masto. STATEMENT OF HON. CATHERINE CORTEZ MASTO, U.S. SENATOR FROM NEVADA Senator Cortez-Masto. Thank you, and thank you for this hearing. It is so appreciated. It's obviously fascinating but so needed. Let me start, Mr. Flynn, with you because I'm trying to understand this. So in November 2016, when you identified that data breach, at that time, were you engaging also in separate defensive bug bounty programs to help you identify security breaches? Mr. Flynn. Yes. Senator Cortez-Masto. And had HackerOne been on payroll already then? Mr. Flynn. That's correct, Senator. We had started that program in 2015, I believe. Senator Cortez-Masto. And the breach that actually occurred, was it somebody that was invited in as a defensive type of bug bounty or is this a criminal element that found a breach and exploited it to get money from you? Mr. Flynn. My understanding is these people came in not knowing about bug bounty programs from the get-go and it was our attempt to try to get them to use the program as it was intended. Senator Cortez-Masto. So it was a criminal element coming in to exploit and get money from you and you were trying to put them into a defensive bug bounty program to put them on the right track? Mr. Flynn. It's not atypical, Senator. Senator Cortez-Masto. 
To the panel, is that a normal process that occurs that there are some criminal elements out there, they identify a breach, they're there to exploit a company, but now we have this whole new world of bug bounty and we're going to try to put them on the right path here to help us or is it you're trying to manage somehow how much you literally have to pay out? Can I open that up? I'm just curious. This is all new to me. Mr. Flynn. I'm happy to answer, if you like. Senator Cortez-Masto. OK. Go ahead. Mr. Flynn. In my experience at least, it's not atypical to have people that come in with a report of a problem--a security issue--not knowing how bug bounty programs operate and not being familiar with the nature of the programs. I've seen this a number of times in my career and in many cases, we can steer those people into the program and behaving in accordance with the program's requirements. Senator Cortez-Masto. Don't you have concerns that they're a criminal element? You're going to go out after them and hold them accountable because if they do it to you, they're going to do it to somebody else? Mr. Flynn. Well, it's not clear that they were a criminal element in the beginning of the exercise until we were able to know more about who they were and what they were after. Senator Cortez-Masto. OK. And I think I'm with Senator Blumenthal. I'm a former Attorney General. To me, that's a criminal element and you want to uncover who they are and hold them accountable and not try to somehow put some parameters around them that legitimizes them, I guess, is my concern. Second, I'm curious about this conversation about how we have this perverse incentive and the whole idea of pricing. Who defines that? Is it the company that actually defines that pricing cap? How does that work? Ms. Moussouris. Well, you know, typically the organization paying will determine what price it's willing to pay. 
However, you know, we've seen a lot of failures to understand behavioral economics in this environment. This is not the highest bidder wins type of scenario. Senator Cortez-Masto. Right. Ms. Moussouris. It is also not a replacement for your in- house labor costs to actually find and prevent these vulnerabilities in the first place and so when people are trying to pay for, you know, the work that it took to find vulnerability, they're missing the point. They might be able to actually better invest that money in more in-house resources to find and prevent those issues from being vulnerabilities in the first place. The prices for vulnerabilities themselves, I think, right now, there is definitely an uptick in the pricing for various bug bounty programs. As I said earlier, that logical ceiling has to hold below a perverse incentive level. Senator Cortez-Masto. So let me ask this, and I guess we're all trying to understand whether there needs to be Federal regulation or how we address this issue so that we are putting the security protocols in place and working with vendors or people out there to help us identify it but not legitimizing a criminal element, I guess, is my concern here. And so besides the pricing piece of this, I also understand there--I think two of you, Mr. Brookman and Mr. Mickos, you talked about that the Computer Fraud and Abuse Act, which was enacted in 1984, needs to be reformed. Is that a venue where we can take a look at addressing all of these concerns we're hearing today, as well? Ms. Moussouris. Absolutely. I think that, you know, providing safe harbor for researchers in the Computer Fraud and Abuse Act would go very far toward encouraging legitimate helpful hackers for coming forward because right now, it is a gray area, and especially if the scope of a program is not clear, they will not necessarily know whether they've overstepped and they might be afraid to come forward. So we want to encourage that. 
We want to provide safe harbor for them in the form of reforms to the Computer Fraud and Abuse Act because the actual act of discovering vulnerabilities for defense and discovering them for exploitation purposes, those are technically indistinguishable acts. Senator Cortez-Masto. Right. Ms. Moussouris. So providing that safe harbor is going to be important. Senator Cortez-Masto. OK. And I know my time is up, but this is a fascinating topic. So I appreciate it. Mr. Brookman, I didn't know if you had a comment quickly on any of this. Mr. Brookman. Yes. I would not encourage Congress to try to micromanage the bug bounty process. I did not testify about to see if they would reform, though I certainly am sympathetic to a lot of the issues you talked about. But as I stated in my oral testimony, I think the most important thing you can do is shift the incentives to the companies that do bear the costs of data security incidents, you know, whereas we're seeing, you know, companies, like Equifax, will have a stock hit and then like, you know, a year later, they're back to where they were. They're not bearing the cost of that identity theft. You know, some companies who are hit a lot do have good robust programs but you see that a lot of the top companies, I think, you know, systematically in the industry, you don't see enough of this. So the incentives need to change. Senator Cortez-Masto. Thank you. Thank you very much. Senator Moran. We're going to have a second round. Let me start by asking this question. When, if ever, is it appropriate to disclose a cyber security vulnerability to the public before it's fixed? Ms. Moussouris. 
So having run Microsoft Vulnerability Research, which was an organization within the Microsoft Security Response Center, designed to notify other parties of either vulnerabilities we found ourselves internally that affected third party software, and it was also a coordination arm that would coordinate among multiple parties, so think of the, you know, multiparty coordination involved with Heartbleed or with the Meltdown and Spectre incidents. There are times when a vulnerability in question affects so many different organizations that you may do the best you can to coordinate the activities of creating patches all up and down the supply chain but you will inevitably have to leave some out of the embargoed disclosure, the staged disclosure of these vulnerabilities, which means in the end, you will be doing the best you can to prepare as many organizations as possible, but you will end up disclosing a vulnerability before everyone has had a chance to either create patches or apply some of the patches that you've created. So that is one example of a legitimate circumstance where you would disclose ahead of a patch. Another is simply that there is exploitation going in the wild, a patch isn't ready, and you need to disclose to warn users and administrators to be able to mitigate and protect themselves.

Senator Moran. Before anyone else responds, let me turn to Senator Blumenthal, who has to return to Armed Services. Senator Blumenthal.

Senator Blumenthal. I have a classified Armed Services briefing or hearing that I have to return to, but I just want to highlight one of the comments I made at the beginning. Without casting aspersions personally on anybody here, I hope that you would agree that stronger legislative tools have to be given to the Federal Trade Commission. I hope that you will work with me on the Data Breach Accountability and Enforcement Act of 2017 which the Ranking Member and I have co-sponsored. The FTC needs tools to adequately protect consumers and to prevent future damaging breaches. So that's a final request. I hope that you are sympathetic to it and that you will support efforts to move forward with those kinds of tools. Thank you, Mr. Chairman, and I apologize that I'm going to have to take off.

Senator Moran. Thank you very much, Senator Blumenthal. Let me ask this question to Mr. Flynn. The Justice Department published a set of guidelines aimed at helping companies run bug bounty programs within the law. These guidelines included a suggestion that any firm inviting hackers into their systems consider imposing restrictions on a hacker ``accessing, copying, transferring, storing, using, and retaining'' sensitive data. As of last Friday, February 1, Uber had not added such a clause to their Bug Bounty Program listed on the HackerOne website. Does it have plans to add a similar clause to its policy? If this type of clause had been included in Uber's program, how would a bounty request in the 2016 breach have been treated?

Mr. Flynn. So let me first say I think it's a great point. We are going through that process right now of looking at our clauses exactly as you describe. I'm not a lawyer, so I can't really speak to the details of the clause itself, but I think it's a great suggestion, and I think I'm going to take it back and have a discussion about it with my team. And then you had another question at the end there, if I recall.

Senator Moran. I just wondered how different it would have been in 2016 if that clause had been a matter of practice?

Mr. Flynn. I think the answer I would imagine is, you know, essentially this was not a typical bug bounty situation, as I described, and I would say that, you know, I think there was a real attempt to try to get this individual to participate in the program, but ultimately this person was, you know, offering extortionist demands and so I think, you know, looking back on it and learning what I've learned now, I think the better approach would be to have a separate process once you determine that it's outside of the scope of the program itself and engage that process at that time.

Senator Moran. Thank you very much.

Mr. Flynn. Yes, you're welcome.

Senator Moran. Senator Blunt.

STATEMENT OF HON. ROY BLUNT, U.S. SENATOR FROM MISSOURI

Senator Blunt. So, Mr. Flynn, when Uber has somebody get inside their system, did I understand that that would be their records on where every driver drove and every rider rode and maybe their entire rider history? Is that the kind of thing you would see if you got into your system?

Mr. Flynn. So in this case, Senator, this was a backup of a very specific database stored outside of our systems and the data that was stored there did not include the elements you described. It included--it had a number of records for--I think it was, you know, 25 million different users, but of----

Senator Blunt. Would it have had the payment records for those users?

Mr. Flynn. It had credit--sorry. Excuse me. It had--sorry. Let me just look here. It had the drivers' license numbers for 600,000 of our drivers included in that data store.

Senator Blunt. What else did it have, besides that?

Mr. Flynn. It had--for new e-mail users, it had the names, e-mail addresses, and phone numbers of those users. For some of the users, it had salted and hashed passwords. It didn't include some of the things you described, trip location history, credit card information, bank account numbers, plain text passwords, social security numbers, or birth dates. Those were not included in the data.

Senator Blunt. And what have you done since then to secure that data in a better way?

Mr. Flynn. Well, within 24 hours of learning about this incident back in 2016, we took a number of important steps: the first of which was, you know,--so just describing the attack briefly, the attacker got into an external GitHub repository, which had some of our source code, by using a password of one of the users that was in the system. We rotated all the passwords. We implemented multi-factorial authentication on the system. The attacker also took advantage of finding keys in the code base that was stored in that infrastructure. We rotated all the keys and actually put them in a secure storage system, as well, and, finally, the keys that the attacker was able to glean from that code repository was then able, in turn, to be used against our Amazon S3 external infrastructure. We also rotated the keys, put them in a secure storage location, and we put IP-based restrictions on those keys so that they couldn't be used to access that data going forward.

Senator Blunt. For those of you who worked to find flaws in the system or protect a system, what kind of lessons would be learned there from the ability to get to that information? Mr. Mickos, is that what you do?

Mr. Mickos. Yes, Senator Blunt, we are a platform that connects the hackers to the companies. We do not look for vulnerabilities ourselves or fix them, if that was your question.

Senator Blunt. Yes. So you do not do that. Do you provide the platform?

Mr. Mickos. We provide the platform and, if you will, the marketplace between the two and we provide a trusted place where hackers can trust that they will be well treated by the customers, the companies, or government organizations, and they in turn can trust that they know who they're dealing with on the hacker side. That is our business.

Senator Blunt. And I'm assuming your name is not Missouri?

Mr. Mickos. No. My name is Mickos.

Senator Blunt. No. Yours is Mickos. What is your last name?

Ms. Moussouris. My last name is pronounced Moussouris or at least that's how I've----

Senator Blunt. I was close.

Ms. Moussouris.--chose to mispronounce it.

Senator Blunt. I was pretty close. Half of the people where I live call our state Missoura and half call it Missouri and----

Ms. Moussouris. You miss----

Senator Blunt.--you could easily mistake your name. Now what--from your company perspective, what lessons should we learn there?

Ms. Moussouris. Well, my company actually does help organizations look at their overall defensive picture and helps them figure out the best way to work with the hacker community but actually looks at their business goals when it comes to security. So in terms of the trusted advisorship, when we look at their capabilities, we look at whether or not they're actually actively investing internally on some operational security basics, such as what would have prevented, you know, this type of breach where keys and credentials were available. There's a lot you can do in terms of low-risk internal investments in terms of security, which have been documented by, you know, lots of organizations over the past 25 years of developing information security best practices. So we don't just advise on how to start a bug bounty. It's really about looking at the overall picture, looking at where your investments are, and determining is it actually a place where you can invest further on your internal staff, further in terms of operational security, and then prepare the mechanisms such that you can receive vulnerability reports from the outside, whether it's from a hacker or from one of your suppliers. I mean, this really could be from anywhere. It could even be from the Federal Government letting you know that you have a vulnerability. So it's building capacity.

Senator Blunt. And, Mr. Brookman, is there a growing concern about how much information is out there and how many people seem to be able to get their hands on it?

Mr. Brookman. Yes, certainly. I mean, as I testified, data breaches are commonplace for people. Companies don't have sufficient incentives. I mean, we've seen in so many of these hacks and there are things that maybe, you know, it's easy to play Monday morning quarterback, but things that were easily remediable. In this case, hard coding of AWS credentials in GitHub is an incredibly common practice, one that Uber had been caught doing before. It was a private account but still generally considered not to be best practice. Equifax case, updating the website to address the publicly known vulnerability. Even the companies that are trying to do it right get it wrong and there's just not enough incentive for companies to try to get it right.

Senator Blunt. Thank you, Chairman.

Senator Moran. Thank you, Senator Blunt. Senator Cortez-Masto.

Senator Cortez-Masto. Thank you. I have one final question. Small businesses, you know, in Nevada, there are probably almost 240,000 of them. The conversation I have with them all the time is their cyber security and they just don't have the resources to really address this issue and are oftentimes victims. Any thoughts on what can be done to help our small businesses and give them the tools they need to protect their cyber security? And I would just open it up to whoever. Mr. Mickos, Ms. Moussouris.

Mr. Mickos. Yes, Senator Cortez-Masto.

Senator Cortez-Masto. Yes, please.

Mr. Mickos. As I said in my opening statement, we believe, as DOJ and others, that a vulnerability disclosure program is useful for anybody. This is what then Secretary of Defense Ash Carter said. ``If you see something, say something,'' meaning every company with software that contains valuable consumer data, they need to have an ability to receive input from the outside world because there's so much good intent among security researchers and hackers on the outside. And I would recommend you to read this report, the 2018 Hacker Report where we go through the hackers and what motivates and how they work. So back to your small businesses, if they will have a way of receiving vulnerability reports and taking action, they will all successively get more and more secure. Now to be a little bit more specific, many of them, of course, don't have IT staff. They are working with a third-party provider where they run their website or mobile application. That provider has a very important responsibility in doing the same.

Senator Cortez-Masto. OK. Thank you.

Ms. Moussouris. So I would say that, first and foremost, the small businesses need to run some of these freely available tools on their own infrastructure before they invite external parties in to do so. Doing so first is just part of their own preventative mechanisms. That will give them a decent picture before they operationalize what I very strongly support, which is having vulnerability disclosure programs, but you need to be able to take care of the bugs you already know about yourself first. The fact of the matter is, it's not just small businesses that have a problem dealing with vulnerabilities they already know about. There's been a doubling in the common vulnerabilities and enumeration where the CVE count, the overall bug count, that have been reported. There was a doubling last year of reported vulnerabilities. There is a bug fatigue that is plaguing organizations and governments all over the world and it is not just small businesses.
So we have an operational problem and I think that preventative measures and looking internally first, growing those capabilities, and then looking to outside help is the way to go. Senator Cortez-Masto. Thank you. Mr. Brookman. I just had a couple thoughts. This is fantastic question. I mean, when you look at, you know, companies, like Uber, who have invest in the best and the brightest, even they have problems. I think a few words of advice. One, practice data minimization. I mean don't connect stuff you don't need to be connected. Don't collect data you don't need, get rid of all data. A general recognition to try to update everything. I mean, you rely on vendors, non-updated software is one of the biggest problems in this space. The FTC has some really good resources on this with their Start with Security series, which I know you contributed to. It's really fantastic guidance for small businesses in this area, so I would point people to that. Senator Cortez-Masto. Thank you. Thank you very much. I appreciate the panel and the discussion today. Senator Moran. Senator, thank you very much. Let me ask a final question and then we'll conclude this hearing. You're all aware likely that 48 states have different data security breach notification laws. This patchwork creates a different standard, depending on where you are, and many companies, as we know, operate outside of a state and they contract with people who are in different places to do their security work. Anyone have any thoughts about Federal preemption legislative solution in regard to notification so that there's greater clarity and certainty for a company in their obligations? Mr. Flynn. 
Senator, if you might, if you don't mind, as a defender and having dedicated my life to protecting customer data and implementing security engineering defense, I would say that it is something I would very much support personally because I do believe it's very hard for companies to contend with this patchwork of notification regulations throughout the United States. So, Senator, a short statement, but I believe very much that this is the right approach and I'd love to work with you on it, if I can. Senator Moran. Thank you. Mr. Mickos. Mr. Chairman, as I said in my opening statement, we're in support of this. I would love to work with you on the details of such legislation. Senator Moran. Thank you. Mr. Brookman. I would say I have significant reservations about that. I mean, if the approach of a Federal bill is just to make it simpler to have a data breach incident, then that, you know, decreases an incentive and decreases their costs and I think could lead to actually a worse security environment. I would encourage any statute to allow states to actually pass new bills, especially for information that's not covered. In my opening statement, I mentioned e-mail accounts, photo storage accounts, not originally in data breach notification bills, but over time people have recognized, well, there's some really sensitive stuff in there. If my iCloud gets hacked, I should be told about it. I would not want to see a Federal bill say, OK, here are the 18 elements that you need to be notified for and then prevent the states from over time changing that. I mean, we can discuss other ways to update it over time, give the FTC the ability to nullify the definitions, but I'd be very nervous about freezing that in time with Federal legislation. Ms. Moussouris. 
And I would say that, you know, I look forward to helping to contribute to make sure that any kind of legislation that normalizes data breach laws takes into account that we don't want to create an environment where organizations are incentivized not to know and not to detect, to avoid data breach laws. We don't want to swing the pendulum backwards and so I look forward to working with you as this goes forward to not create some of those unintended consequences of over-legislation. Senator Moran. We welcome all of you on working with us, but especially intending to avoid unintended consequences. Is there any witness who would like to add anything to the record before I close it out? Anyone have something they'd like to make certain is said before we conclude the hearing? [No response.] Senator Moran. Thank you very much. Then the hearing record will remain open for two weeks. During this time, Senators are asked to submit any questions for the record. Upon receipt, the witnesses are requested to submit their written answers to the Committee as soon as possible. This concludes our hearing today, and I'm very grateful to our witnesses. We are adjourned. [Whereupon, at 4:10 p.m., the hearing was adjourned.] A P P E N D I X Response to Written Questions Submitted by Hon. Jerry Moran to John Flynn Question 1. What separates a good faith researcher from a malicious actor? What's to stop a criminal from posing as a researcher? How can companies or vendors tell the difference? Answer. A good faith researcher investigates and discloses vulnerabilities in an ethical manner consistent with the prescribed terms of the bug bounty program. Good faith researchers are generally cooperative throughout the bounty process and willing to abide by the program's rules. Although it may not always be apparent what someone's intentions are or whether a criminal actor is posing as a white hat researcher, certain conduct should raise a red flag. 
Anyone who in bad faith strays beyond the bounds of the bug bounty program by engaging in behavior such as maliciously compromising user data, making threats, or making extortionate demands should not be considered a good faith researcher. Question 2. What is the role of bug bounty programs when faced with extortion attempts? Answer. Bug bounty programs are designed for good faith researchers, not extortionists. Question 3. As you have acknowledged, the hackers involved in the 2016 breach of your company did obtain data of your users. As it relates to Uber's specific bug bounty program, how often is data actually obtained by the hacker that is disclosing a vulnerability to your company? Was the sheer number of exposed and obtained records in the 2016 case unusual compared to other vulnerability disclosure cases your company had witnessed through the bug bounty program? Answer. Most often researchers will use test accounts or access their own data when researching vulnerabilities. If the researcher comes in contact with user data while acting in good faith, the access should be limited to the minimum amount needed to identify and report the vulnerability. We agree that the 2016 incident was unusual compared to other vulnerability disclosure cases witnessed by Uber in terms of sheer number of records. Question 4. HackerOne's 2018 Hacker Report and a 2016 study conducted by the National Telecommunications and Information Administration (NTIA) both indicated that profit is a relatively limited motivation among hackers participating in coordinated vulnerability disclosure programs. Given the panel's experience with professionals in this field, could you please further describe the predominant motivators. Answer. Historically, before there were bounty programs, researchers would report vulnerabilities as a way to build their reputation in the security community and among their peers. 
Even today this is the biggest motivator and can open doors for researchers, such as being offered jobs to work for the companies whose vulnerabilities they uncovered. Question 5. Would you agree that it is absolutely critical for companies to administer any vulnerability disclosure program responsibly based on sound principles (such as those included in DOJ's 2017 guidelines) as it has obvious impacts on industrywide use of these types of programs that are proven to protect consumers? Answer. Yes. Bug bounty programs are critical for many large companies to detect security issues, and the programs should be designed and managed responsibly so that they can continue to be an important security tool. The DOJ's 2017 framework is a good starting point. It is not prescriptive, but rather outlines a process that companies considering bug bounty programs can follow to clearly define for researchers what the company considers to be authorized vulnerability disclosure and discovery conduct. Question 6. Did Uber have a predetermined maximum bounty amount for its bug bounty program? If so, what was the maximum amount? Answer. Uber's Bug Bounty program at HackerOne has a published maximum payment of $10,000, see https://hackerone.com/uber, but the actual amount of any payment under the program is up to Uber in its sole discretion, see https://www.uber.com/legal/other/ bugbountyprogramterms/ (``Bounty payouts, if any, will be determined by Uber in its sole discretion.''). Question 7. Mr. Mickos's testimony stated that the Computer Fraud and Abuse Act is in need of modernization to prevent liability of hackers acting in good faith in identifying vulnerabilities to protect consumers. Do you have any specific recommendations related to modernizing the law? Answer. 
Other panel participants are closer to these issues, but we at Uber understand that those speaking on behalf of good faith security researchers would like to see more clarity that when conduct complies with the terms of a bug bounty program, it is not ``unauthorized'' access under the Computer Fraud and Abuse Act. Question 8. Following an inquiry that I sent along with Chairman Thune and our colleagues from Senate Finance Committee, Uber responded with a letter on December 11, 2017, describing the 2016 breach and the ensuing actions taken by the company. The letter described the payment of $100,000 to the two individual hackers responsible for the breach and stated, ``It thereafter engaged in further communications with the two individuals using their real identities, including having them sign assurances that the data was destroyed.'' For the sake of clarity, was the $100,000 paid to the two individuals prior to their real identities being known? Answer. As I explained in my written testimony, I was not part of the ``attribution'' team--the team that determined the two individuals' real identities. I was aware that the process of paying them was part of the process of determining their identities, but I am not sure if their identities were confirmed prior to or after the moment the payment was made. Question 9. Please describe to the greatest extent possible the ``assurances'' that were made to Uber's ``attribution team'' that the stolen data had been eliminated. Were signed documents the sole source of assurance? Answer. It is my understanding that the attribution team obtained various sources of information about the destruction of the data, in addition to the signed documents and in person meetings. Question 10. Please describe the measures Uber has taken to confirm these assurances and monitor the affected accounts for additional fraud protection. Answer. We have seen no evidence of fraud or misuse tied to this incident. 
That being said, we have identified the 57 million affected accounts in our systems, and have tagged them for a heightened level of fraud protection. Specifically, we have created new fraud ``rules'' that will surface any unusual activity on the accounts going forward. Uber already looks at many signals like location or device ID, in addition to e-mail address and password, to authorize logins to Uber user accounts. Additionally, we automatically send users a second factor authentication request such as an SMS or e-mail if we detect a high-risk login attempt.

______

Response to Written Questions Submitted by Hon. Brian Schatz to John Flynn

Question 1. Uber has argued repeatedly that it is a tech platform, rather than a transportation company. By using this characterization, the company is able to avoid certain local and Federal regulations that protect consumer safety and worker rights. But last year, Uber made a deal to purchase and deploy 24,000 autonomous vehicles from Volvo. Is Uber a transportation company or a tech platform company? For cybersecurity, whose rules and standards does Uber follow at the Federal level?

Answer. Uber is a technology company and not a transportation company. It is a technology company that strives to make a difference in the lives of people in the real world, starting--for now--with improving how transportation resources are utilized by matching drivers with riders (the Uber app), shippers with haulers (Uber Freight), and consumers with restaurants and restaurants with delivery partners (Uber Eats). Uber's technology creates and standardizes markets that efficiently connect otherwise unmatched supply and demand, but Uber itself is not a participant in the market. At the Federal level, the Federal Trade Commission regulates data security for consumer-facing technology services through Section 5 of the FTC Act. In addition, some specific aspects of Uber's services are subject to applicable sector-specific laws, such as HIPAA.

Question 2.
In your written testimony, you state that Uber is ``working to make transparency and honesty core values of [the] company.'' What specifically has Uber done to increase transparency and make honesty part of its core values?

Answer. Uber has taken several steps to ensure that transparency and honesty are core values of the company. First, Uber created a robust Integrity Helpline for its employees to report concerns. Second, Uber has also embraced all of the recommendations presented to it by former U.S. Attorney General Eric Holder regarding improving Uber's workplace culture. Third, it is devoting resources to improve and expand its Compliance team. Fourth, it has installed additional safety features for riders and drivers in its app. Finally, Uber now gives victims pursuing individual sex assault or sex harassment claims the choice to litigate their claims in court or arbitration. Uber is not perfect, but it is deeply committed to being better and to doing the right thing, and it will continue to engage in the self-reflection and change that are essential to getting where it wants to go as a company.

Question 3. What percentage of Uber's annual revenue and workforce are dedicated to minimizing the risk of future data breaches outside of a bug bounty program? What were those percentages before the 2016 data breach?

Answer. Uber has long devoted substantial resources to minimizing the risk of data breaches, separate and apart from its bug bounty program. Some of these other efforts were noted in Uber CISO John Flynn's written testimony to the Subcommittee, which explained at page 2 that bug bounty programs are just one part of a comprehensive data security program.
Uber's internal work efforts to minimize the risk of data breaches are, in many respects, part and parcel of other aspects of quality code development since minimizing vulnerabilities is a component of writing high-quality code, and it is also a part of broader security efforts relating to all aspects of security including physical security as well as data security. As a result, it is difficult to quantify the percentage of Uber's annual revenue and workforce ``dedicated to minimizing the risk of future data breaches outside of a bug bounty program,'' and that is not a metric that Uber keeps in the ordinary course.

Question 4. Other than the 2016 data breach, how many other incidents has Uber experienced where cyber intruders extorted the company?

Answer. The team at the company that handles cybersecurity threats is not aware of any other incidents in which a cyber intruder extorted the company.

Question 5. What exactly did Uber get in exchange for paying the extortionists $100,000 through HackerOne? Did Uber confirm that the data was deleted? How did Uber make this confirmation?

Answer. Uber paid the outside actors $100,000 in exchange for their agreement to delete the data they had downloaded and their written and oral assurances that they had destroyed and would not use or disseminate that data. The process of making the payment also helped to determine the real identities of the outside actors, which enabled Uber to engage in further communications with them regarding technical details of how they had deleted the data. Uber has seen no evidence that the data downloaded by the outside actors has been disseminated or used, or any evidence of fraud or misuse tied to this incident, since the incident occurred over a year ago.

Question 6. What policy changes has Uber enacted in response to the 2016 data breach?

Answer. Uber has taken several steps in response to the 2016 data breach.
At the time of the incident, Uber determined the means of access, shut down the credential used by the outside actors, and took other steps intended to confirm that the outside actors had destroyed and would not use or further disseminate Uber's data. Uber also imposed technical security measures designed to prevent a similar incident from occurring in the future, as described on page 6 of Uber CISO John Flynn's written testimony to the Subcommittee; these technical improvements are now a part of Uber's baseline security posture. Additionally, Uber has made a number of policy changes since the incident including the following:

Uber adopted specific written policies to establish baseline security measures that are required for use of Amazon Web Services and S3.

Uber revised its Bug Bounty program terms, specifically to provide more detailed information about what type of conduct is not good faith conduct and what the limits are on accessing user data.

Uber is revising its incident response plans.

Question 7. Does Uber have an internal whistleblower program? How is it managed?

Answer. Uber's Integrity Helpline is available to all employees for reporting concerns. Employees may report their concerns to the Helpline via website or telephone in their language of choice. The Integrity Helpline is hosted by an independent third-party to ensure the anonymity of the reporter, if desired by the reporter, and is maintained by Uber's Global Compliance team. Upon filing a report, the reporting employee will be provided with an access code to use so that she or he can contact the Integrity Helpline to track her or his report. Once a report is filed, it is sent to the relevant Uber team for review and investigation, and appropriate action will be taken for substantiated reports.

Question 8. In March 2015, Vice News reported that stolen Uber accounts were being sold on the dark web for $1, although Uber claimed that there was no data breach at the time.
To Uber's knowledge, how was this account data stolen? How many data breaches have occurred at the company? Does Uber keep an estimate of how many stolen accounts are sold on the dark web? What is the current estimate? How many complaints does Uber get from customers per month about stolen accounts?

Answer. As indicated in the original Vice article that we believe is referenced by the question (https://motherboard.vice.com/en_us/article/z4mk7j/stolen-uber-customer-accounts-are-for-sale-on-the-dark-web-for-1), Uber found no indications that it suffered a data breach. Indeed, the article itself merely claimed that it found Uber account login information available for sale, but acknowledged that while ``[t]hese logins may indicate that Uber's security was hacked or compromised somehow . . . [i]t also might mean that these customers were breached individually by other means, and their Uber credentials harvested and put up for sale.'' (Emphasis added). Given that Uber found no evidence of a data breach that could have led to the login information for these accounts being stolen, it has no non-speculative information about how the information was obtained. As one possibility, when people choose to use the same or very similar login credentials for multiple online or app accounts, or simply use easy-to-guess passwords, third parties can sometimes determine those credentials. These types of ``account takeovers'' are a common problem across all online services, Uber as well as others. Uber addresses the issue as described in the response to the next question, below.

Question 9. How does Uber address stolen accounts? Please walk through the experience that a typical customer would go through when he or she notices suspicious account activity. How does a customer resolve issues with a stolen account if the thief has changed the e-mail address or phone number associated with the account? How effective is Uber at resolving customers' complaints about stolen accounts?
Answer. Uber takes reports of fraud very seriously, regardless of their root cause. In the United States, when Uber detects a suspicious login to an account, even if the user has not notified Uber of concerns, Uber sends a second-factor authentication request to the user to help stop and prevent the incorrect person from accessing the account. When a rider notifies Uber about suspicions that his or her account has been stolen or taken over, Uber's customer support representatives: (1) will look for signs that the account has been compromised, (2) secure the account by rotating the user password and forcing two-factor authentication, (3) restore the account (i.e., reverse any changes made to the user's e-mail, phone number, etc.), (4) refund the affected rides, and (5) advise the user about the risks of password re-use. The process for drivers is similar, except drivers must verify that their payment information is correct before Uber unlocks their account.

Question 10. Uber recently signed onto the Shared Mobility Principles for Livable Cities--one of these principles is in support of open data. But, citing user privacy issues, Uber has not always been successful in sharing data with local planning officials. User privacy is important, but so is sharing data with cities. How exactly will Uber now prioritize meaningful data sharing with state and local governments? Where is the sweet spot between user privacy and providing data to city planners and other government officials?

Answer. Uber is committed to building replicable models for sharing insights with city planners and other government officials. Last year, we launched Uber Movement, a free and public website using Uber's data to help cities address some of the challenges they face day to day. We engaged with city leaders, urban planners and civic community stakeholders around the world to validate our assumptions to develop and design Movement.
Right now, Movement is optimized to look at macro trends in a city to accommodate specific urban use cases--traffic analysis and demand modeling and also understanding the impacts of different infrastructure investments and changes to the built environment--road closures, bridge closures, etc. Additionally, we're working with the non-profit SharedStreets to create new methods for public-private collaboration and data sharing that respect the need for rider and driver privacy as well as the competitive landscape of the industry. We're starting with a pilot in Washington, D.C., and are working with the District Department of Transportation, Department of For Hire Vehicles, and SharedStreets to share data on curb usage across multiple modes of transportation. Better understanding curb utilization can help cities around the world prepare for a future where more and more of us are accessing transportation through a combination of shared modes, rather than relying on our own vehicles. We're looking forward to building on what we learn from working with DC to support data partnerships in other cities using SharedStreets data standards. Earlier this year, we also announced the Cincinnati Mobility Lab, a first-of-its-kind multi-year partnership with the City of Cincinnati to explore different mobility issues. Through this partnership, we're sharing insights that look at how to improve the problem of curb congestion, to commuting challenges, to working to develop a strategy for the future of the City's public transit service--one that is seamlessly integrated with other ways of getting around the City.

Question 11. Uber often touts the potential for transportation network companies to complement public transit by providing the last-mile service. Does Uber currently provide those services to riders with small children who require car seats or does it require customers to provide appropriate safety equipment?
Does Uber currently provide those services to riders with a disability or limited mobility? Does Uber currently provide those services to older adults or persons with limited technology proficiency? What accommodations does the company make for those groups? Does Uber levy additional charges on those riders?

Answer. Riders and drivers using the Uber app are expected to follow local laws when it comes to transporting infants and small children. In certain locations, for an additional fee, people who ride on the Uber app can request a vehicle equipped with a car seat. The seat is forward-facing and for children who are at least 12 months old, 22 lbs, and 31 inches tall. Additional details about the car seat offering can be found here. People who ride also have the option to bring their own seats for installation in Uber. However, it is up to the person driving to accept the trip and they may cancel the trip if they so choose. Uber works hard to understand the needs of elderly riders and riders with disabilities. For example, the uberASSIST option in the Uber app is designed to network riders who would like a helping hand with drivers who have chosen to obtain training from a third-party organization on how to provide additional assistance. In addition, we developed the Uber Central dashboard to allow senior centers and other organizations to call rides for senior riders who may not have access to a smartphone. Finally, the ``Request for a Guest'' feature allows Uber users to seamlessly request a ride for their loved ones right from the Uber app. The senior receives a text message with the vehicle information and the driver's phone number so they can communicate directly with them. Additionally, the Uber app is compatible with various accessibility technologies, including VoiceOver, TalkBack, and wireless braille (depending on hardware and operating system) that can help provide a safe and reliable transportation option for the blind and low-vision community.
In addition, by providing visible and vibrating alerts as well as GPS navigation, Uber has provided economic opportunities for drivers who are deaf and hard of hearing. Both the Uber Rider and Driver apps are monitored and tested regularly by internal resources and by a third-party provider of Accessibility testing and monitoring. You can read more about our Accessibility efforts on our website here: https://accessibility.uber.com/. All driver-partners are expected to accommodate riders using walkers, canes, folding wheelchairs, service animals, or other assistive devices to the maximum extent possible. Where available, UberWAV lets riders who use non-folding, motorized wheelchairs connect with drivers in wheelchair accessible vehicles that are equipped with ramps or lifts.

Question 12. When providing the last-mile service, how does Uber ensure that cars are available in all areas of a city at all times? How does Uber provide access to riders with limited or no access to the Uber app?

Answer. By design, our app aims to make efficient and reliable transportation a possibility for everyone, everywhere. Our technology automatically and efficiently matches riders' requests with nearby drivers, and real time dynamic pricing ensures that the supply of cars can meet the demand from passengers. As Uber has grown, more people in more parts of cities have been able to push a button and get a ride. Over time, wait times have decreased significantly across more parts of cities, including parts that other means of transportation cannot reach. In Los Angeles, a metro area that covers 100 square miles, the average ride is less than 10 minutes away, and in New York's outer boroughs, riders are just as likely to get picked up as if they were in downtown Manhattan. In fact, a majority of our trips in New York now start outside Manhattan and 52 percent don't start or end in the central business district.
As mentioned in our response to Question 11, the Uber Central dashboard allows organizations, like senior centers or transit agencies, to call rides for riders who may not have access to a smartphone. Additionally, the ``Request for a Guest'' feature allows Uber users to seamlessly request a ride for their loved ones right from the Uber app. The senior receives a text message with the vehicle information and the driver's phone number so they can communicate directly with them.

Question 13. Uber recently signed onto a letter with the Service Employees International Union supporting portable benefits. What benefits is Uber planning to provide to its drivers? Will they be offered nationwide?

Answer. Uber's joint letter with the SEIU and Civic Venture Partners is about working together on the creation of a portable benefits system in Washington state. We are working with our partners, the business community and labor to make progress on this important policy goal with a view to determining policy and regulatory frameworks over the course of 2018 and developing legislation for introduction in 2019. We would be eager to provide your staff updates as this effort progresses. While we continue our work in Washington state, we are working to provide additional benefits to our drivers nationwide. For example, we believe that at a basic level everyone should have the option to protect themselves and their loved ones against rare and unforeseen work accidents that prevent them from earning a living. That is why Uber, with Aon, now enables drivers to access a driver injury protection program for a few cents per mile directly through the Uber app. This product provides Uber driver-partners the option to obtain coverage for medical expenses, disability payments and a survivors benefit resulting from a covered accident.
Drivers who elect to enroll are protected for injuries while online, en route and on-trip in connection with the Uber app; however the premium of a few cents per mile is calculated and charged only for miles travelled while on-trip. While the Driver Injury Protection insurance offered to Uber's driver-partners is first-of-its-kind, it is the latest example of benefits designed primarily for independent workers. In the US, Uber's partnership with Betterment enables drivers to contribute to their retirement savings, while 150,000 drivers have been able to navigate the healthcare market through Stride Health. Drivers can also file their taxes and claim returns through our partnerships with Stride, TurboTax and H&R Block, cash out their earnings instantly with Instant Pay, and receive discounts on fuel and other operational expenses.

Question 14. Uber has repeatedly admitted to underpaying its drivers. What oversight has Uber put in place to ensure that this does not happen again?

Answer. We have made an effort to regain drivers' trust by owning up to our mistakes and improving the driver experience from end-to-end. In particular, we have made many improvements for drivers designed to make their earnings easier to understand and access, including:

Easier to understand rates--Drivers see the exact rates they earn for every minute and every mile they drive. Previously, drivers needed to deduct Uber's service fee from their rates to determine their earnings. Now, no math is required. Drivers will always know exactly what they'll earn.

Clearer in-app earnings pages--In response to driver requests for more clarity in our earnings calculations, we have updated our trip receipts. Drivers now see a clear breakdown of how their trip earnings were calculated, as well as additional fare details, including what the rider paid and Uber's service fee.

Faster fare receipts--Drivers tell us seeing what they earn in real-time is important.
We have committed to a goal of having earnings details available in the app within 15 seconds after a trip ends.

Cash out more earnings, anytime--With InstantPay, drivers are able to cash out their earnings (including promotions) instantly up to five times a day. We've made promotions available for immediate cash out through Instant Pay.

Additionally, we have defined new policies and controls designed to help ensure drivers earn what they are owed for every trip. We also have a dedicated, cross-functional oversight group tasked with reviewing and approving all pricing and service fee changes.

Question 15. Uber has committed to changing its workplace culture to address discrimination and sexual harassment concerns. What policy changes have been enacted for full-time, permanent employees of Uber? What policy changes have been enacted for drivers of Uber?

Answer. Uber is not immune from the global epidemic of sexual violence, which affects nearly one in three women worldwide, and we want to be a big part of the solution. That's why we've committed to making important changes. Over the last year, we've met with 80+ women's groups and have been working closely with advocates and experts from sexual assault organizations to listen and incorporate feedback about how we can make a difference. Experts tell us that one of the best ways to prevent sexual harassment incidents is through education and awareness. That's why we've committed $5 million to support prevention initiatives, and have been partnering with leading organizations in this space to educate our employees, riders and drivers with important information on this topic. We recently made important changes to give victims of sexual assault and sexual harassment more choices, ensure they have the option to share their story, and raise the bar on transparency:

First, Uber no longer requires mandatory arbitration for individual claims of sexual assault or sexual harassment by Uber riders, drivers or employees.
We believe the survivor should choose their venue of redress for their individual claims, whether that's in court or arbitration.

Second, survivors now have the option to settle their claims with Uber without a confidentiality provision that prevents them from speaking about the facts of the sexual assault or sexual harassment they suffered. The decision to talk about what happened should rest with the survivor, not Uber, and supporting that choice will help end the culture of silence that surrounds sexual violence.

Third, we committed to publishing a safety transparency report that will include data on sexual assaults and other incidents that occur on the Uber platform. We are the first ridesharing company in the world to make this commitment.

In addition, we believe that sexual assault awareness should permeate every level in our company. That's why we have begun educating employees--starting with our executive leadership team, who receive training on sexual assault and sexual harassment prevention hosted by experts from the National Alliance to End Sexual Violence and the National Network to End Domestic Violence, and we'll continue to do more. We have a robust HR team and systems equipped to handle and manage a myriad of employee matters, and we have an anonymous hotline where anyone can bring their workplace issues. Our Employee Relations team, solely dedicated to investigating and addressing employee issues, has been strengthened. We've also taken the following steps to improve our culture: performance review system, compensation review, manager trainings, Executive Education, $3M diversity fund, improved hiring practices to promote diversity & inclusion. Additionally, we implemented a comprehensive equal pay analysis and have ensured aggregate pay equity between women and men, and between all racial groups.

______

Response to Written Questions Submitted by Hon. Jerry Moran to Marten G. Mickos

Question 1.
What separates a good faith researcher from a malicious actor? What's to stop a criminal from posing as a researcher? How can companies or vendors tell the difference?

Answer. Intent is what separates a good faith security researcher from a malicious actor. Researchers that are reporting vulnerabilities through lawful channels are doing so with the intent that the vulnerability report be delivered to the owner of the system for the bug to be resolved. Vulnerability disclosure and bug bounty programs are so designed that they provide no particular benefit or special access to the participants. On the contrary, the programs generate additional work for the participant while collecting various pieces of information about them. For these reasons, a malicious actor has something to lose and nothing to gain in such a program. It is more rational for the malicious actor to engage in their unauthorized activity outside of the program. Like in most professional endeavors, it is at least in theory possible for a criminal to pose as a legitimate participant. But given that there are no benefits but only obligations in a program, this would not be rational behavior. The only way to receive a benefit from a vulnerability disclosure or bug bounty program is by reporting a valid vulnerability to the owner of the system. When that happens, a vulnerability can be removed and rendered unusable by criminals. Criminals, for the above mentioned reasons, do not wait for vulnerability disclosure or bug bounty programs to start, and they obtain no benefit from joining such programs if they exist. Criminals engage in their unauthorized activity at any time and outside any formal program. When researchers bring security vulnerabilities to the attention of companies and organizations, they should assume good faith until proven otherwise.
The question of whether an entity operating a program can tell the difference between a well-intended researcher and a criminal becomes philosophical or even irrelevant. Outside of the program, any criminal activity is possible and often likely. Inside the program, only good and non-criminal deeds are rewarded. The above text describes the general case. Additionally, there can be a special case of a bug bounty program in which the program-operating entity indeed does offer special access or benefits to the participants. For instance, a company may provide test accounts or other credentials to participating researchers so that they may venture deeper into the computer system in their hunt for vulnerabilities to report and be rewarded for. In such programs, the participating researchers go through additional vetting and screening. The exact nature of the screening depends on the company's or organization's preferences and may include verification of identity and tax ID, verification of home address, criminal background check, and so on. With these additional screening requirements, the operator of the bug bounty program guards itself against malicious actors gaining access to the program in question. For an overview of the motivations of ethical hackers and for personal profiles of a number of them, we recommend reading the 2018 Hacker Report that is available from HackerOne, Inc., on our website www.hackerone.com and by contacting us by e-mail at [email protected].

Question 2. What is the role of bug bounty programs when faced with extortion attempts?

Answer. Extortion has absolutely no role in bug bounty programs. Whenever a situation develops that may indicate an extortion attempt, HackerOne advises the sponsor of the program (its customer) to notify and work with law enforcement for guidance and instructions.
It is always the entity with the bug bounty (or vulnerability coordination) program that determines whether conduct by a hacker or hackers is authorized or unauthorized. Bug bounty platform providers such as HackerOne act as a preventative service. There are situations where immature researchers may ask for a bounty in an impolite or even threatening way. Often, such situations can be de-escalated with the help of mediation and diplomacy. Hackers do commonly suggest or ask for specific bounty amounts from the vendor. The size of the bounty is largely determined by the severity of the vulnerability, and severity can be properly assessed only by the customer. So the finder is in a position of no control at all over the payment outcome. To balance this, they often make suggestions, requests and claims for specific bounties in the hope that the customer will be open to suggestions. As many hackers are young and all of them are impatient, the language of such requests may not seem proper to someone not familiar with the trade, even though the hacker has the best of intentions.

Question 3. According to your testimony, the diversity and scale of the hacker community allows the ``hacker-powered security'' model to identify vulnerabilities that automated scanners and permanent penetration testing teams will not. Can you please further explain this sentiment? Are there any metrics or numbers that you are able to cite to quantify the effectiveness of the model over other approaches?

Answer. Customers on HackerOne have resolved more than 65,000 unique security vulnerabilities to date by working with the hacker community. A good portion of these customers have reported back to HackerOne that they are finding vulnerabilities that they could not otherwise detect with scanners or penetration testing (also called pentesting).
The strongest metric in support of hacker-powered security is the fact that even after deploying scanners and pentests there are innumerable security vulnerabilities that bug bounty and vulnerability disclosure programs identify. There are a number of reasons for this. A key reason is that scanners and penetration testing are limited in scope whereas hacker-powered security is broad and diverse. A scanner has been programmed by engineers to detect specific previously known vulnerability types, but it is limited in its ability to modify its search or ``think outside the box.'' Though useful, scanners cannot find what humans can. Penetration tests are conducted by humans and therefore represent more intellectual variety and creativity than scanners. But they cannot measure up against a broad and creative collection of external researchers. Penetration tests follow pre-defined guidelines and are designed to test for a specific set of vulnerabilities. Often, customers are more eager to get a clean report than to find all possible vulnerabilities. In both the case of scanners and of penetration testing, the customer is paying a fixed price for effort. But in the case of hacker-powered security, the customer pays for result. Hackers do not get paid unless they find something of value to the customer. This leads the hackers to try harder and think more creatively, and that in turn leads to superior results.

Question 4. Your testimony described vulnerability disclosure programs with the motto of ``If you see something, say something,'' and further elaborates how the outside hacker will be invited to disclose the vulnerability to the system's owner. During the disclosure process, is it a common practice for the hacker to actually take exposed data in order to demonstrate proof of vulnerability to the company? If so, is there a standard type or amount of data that these [sic] is needed for the hacker to demonstrate authenticity?

Answer.
The amount of evidence that it is prudent to collect when discovering a security vulnerability is a topic of great interest to the security community. On the one hand, the hacker is bound and committed by the program rules not to cause harm or obtain any data that is not needed for the work. On the other hand, there are situations where perhaps the only way of demonstrating that a breach could be possible is to actually exfiltrate some data.

Entities that operate bug bounty programs declare on their program page the rules for the hackers. Typically, they will prohibit data exfiltration, as this example from a prominent bug bounty program shows: ``Findings not eligible for bounty: . . . Internal pivoting, scanning, exploiting, or exfiltrating data from internal [company name] systems.''

It should be noted that a hacker may not initially know what is inside a data file found. In order to determine the nature of the file, the hacker may have to open it, which for practical purposes may mean downloading it, which amounts to exfiltration. If the contents are irrelevant, then no harm was done. If the file contains pointers to other data sources, or perhaps credentials to another system, then this is valuable information for resolving the security problem. But if the contents turn out to be customer or personal information, then the hacker must immediately erase any such copies of the file and refrain from opening it or using it again. The determination of whether it is permissible to open the file or not can be made only after the file has been opened.

Question 5. HackerOne's 2018 Hacker Report and a 2016 study conducted by the National Telecommunications and Information Administration (NTIA) both indicated that profit is a relatively limited motivation among hackers participating in coordinated vulnerability disclosure programs. Given the panel's experience with professionals in this field, could you please further describe the predominant motivators?

Answer.
In the course of its business, HackerOne has enabled tens of thousands of hackers to find and help fix over 65,000 security vulnerabilities. The motivations behind the hackers' work are as diverse as the group. In the hacker surveys we have conducted, we consistently see hackers operating under multiple motivations.

Financial rewards are essential and important, but they are far from the only motivation. The presence and success of numerous vulnerability disclosure programs (i.e., programs that pay no financial rewards) serve as a clear indicator that there are plenty of hackers ready to hunt for security vulnerabilities for other than pecuniary reasons. For instance, in the various programs by the Department of Defense, about 3,000 vulnerabilities have been reported into the vulnerability disclosure program and 600 within the bug bounty programs.

Many hackers hack for the intellectual challenge. They want to learn more and they are eager to know that they have the skill to find a hole in the armor of a famous company or government entity. Being thanked or acknowledged by a prestigious vulnerability disclosure program is a great motivation.

Often, hackers hack in order to find like-minded people and be able to collaborate with them. It is a reward in itself to be able to interact with someone with unusual skill or intellect.

Others hack for the pragmatic reason of advancing their careers. The list of vulnerabilities found that each hacker has on their individual HackerOne page serves as evidence of their skills. It helps them gain entry to colleges and universities or to land a security job at a company or other organization.

For many, there is an altruistic motive in hacking. They want to make the world a more secure place. They want to contribute to society. They have a sense of duty and feel that if they know how to detect vulnerabilities, it is their mandate to report them to the owners of the various systems.

Question 6.
Would you agree that it is absolutely critical for companies to administer any vulnerability disclosure program responsibly based on sound principles (such as those included in DOJ's 2017 guidelines) as it has obvious impacts on industry-wide use of these types of programs that are proven to protect consumers?

Answer. Yes, HackerOne applauded the U.S. Department of Justice for its 2017 guidelines for vulnerability disclosure programs (VDP). The DoJ's guidance reflects best-practices across the industry and is a critical document for any organization. Indeed, in many ways, HackerOne is dedicated to facilitating the responsible implementation of VDPs across the broad spectrum of vulnerable entities in line with the DoJ's guidance.

Question 7. Given the unique national security aspects of working with DOD, I am interested to hear more about HackerOne's involvement in the vulnerability disclosure programs aiding our Armed Services, starting with the ``Hack the Pentagon'' program and followed by the ``Hack the Army'' and ``Hack the Air Force 1.0 and 2.0.''

Answer. The Department of Defense's Defense Digital Services pioneered the first ever Federal bug bounty challenge, ``Hack the Pentagon,'' in 2016. The DoD is continuing to do so by engaging with the global hacker community through its ongoing vulnerability disclosure policy. Since the Hack the Pentagon program launched in 2016, over 3,600 vulnerabilities have been resolved in government systems through the bug bounty and vulnerability disclosure challenges on HackerOne. Working with the ethical hacker community supplements the useful work the DoD's internal security teams are already doing.

Hack the Army

The Hack the Army Bug Bounty program ran from Wednesday, November 30, 2016 to Wednesday, December 21, 2016. Hackers reported more than 118 valid unique security issues.
Through this program, the Army was able to tap into the reservoir of diverse hackers on HackerOne, many of whom would otherwise not work with the Army, augment the work the Army red teams are already doing to help secure their systems and networks, and increase the security of mission critical systems and networks that house information critical to military recruiting.

The Army chose as its target digital assets that might have been used as a stepping stone for reaching personally identifying information about Army recruits--colloquially referred to as ``the crown jewels.'' Ensuring this data was secure was a high priority for DoD because of the sensitivity of the information for America's potential war fighters.

The most significant vulnerability found was due to a series of chained vulnerabilities. A researcher could move from a public-facing website, goarmy.com, and get to an internal DoD website that requires special credentials to access. The researchers got there through an open proxy, meaning the routing was not shut down the way it should have been. The researcher, without even knowing it, was able to get to this internal network because there was a vulnerability with the proxy and with the actual system. On its own, neither vulnerability is particularly interesting. Paired together, they become critical.

Automated testing tools are not capable of such leaps of logic. It requires a highly skilled and creative researcher (or team of researchers) to chain together a number of independent flaws in order to create a path to the critical inside of the system.

The Army remediation team that owns and operates the websites, as well as the Army Cyber Protection Brigade, acted quickly. Once the report was submitted, they were able to block any further attacks, and ensure there was no way to exploit this chain of vulnerabilities.
Hack the Air Force

The Hack the Air Force Bug Bounty program ran from May 30, 2017 to June 23, 2017, with nearly 300 individual hackers participating in the bug bounty challenge. More than 50 hackers earned bounties for reporting more than 207 valid unique security vulnerabilities, the first of which was reported in less than a minute from the start of the program. Some of the vulnerability reports received an initial response time of less than a minute by the Air Force security teams. The average time to resolution during the challenge was 4 days. What this means is that the Air Force's security team was extremely fast at processing reports, verifying them and resolving bugs, making the systems more secure faster.

Hack the Air Force 2.0

On December 9, 2017, the first day of the challenge, 24 hackers met in New York City and participated in a live hacking event--the first ever to include Federal government participation on-site. DoD and U.S. Air Force personnel worked alongside the vetted and pre-selected hackers to simultaneously report security flaws and remediate them in real-time. Together, they collaborated to find 55 of the 106 total vulnerabilities during this nine-hour hacking event.

Twenty-seven trusted hackers successfully participated in the Hack the Air Force bug bounty challenge--reporting 106 valid vulnerabilities and earning a total of $103,883. Hackers from the U.S., Canada, United Kingdom, Sweden, Netherlands, Belgium and Latvia participated in the challenge. In this event, the highest single bounty of any Federal program--$12,500--was awarded.

Question 8. More specifically, were there lessons learned from the earlier programs that your company addressed and implemented in the more recent programs?

Answer. Working with its DoD counterparts, HackerOne and the security research community continue to improve their programs.
We regularly revise and improve our internal process descriptions and our external program guidelines in order to reduce the risk of failure in a program and to increase the overall productivity and effectiveness of hacker-powered security. We also continually learn more about the digital assets of our customers so that we can provide better advice on which assets to include in a program, and at what phase of the program.

As our customers develop a thorough expertise in operating a bug bounty program, we may recommend events where hackers and the security team of the customer are brought together for a live hacking event. We did so during ``Hack the Air Force 2.0'' and the results exceeded expectations.

Hack the Air Force targeted operationally significant websites and online services. The goal of the program was to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. The preliminary results indicate nearly doubling the results of the first Hack the Pentagon program a year earlier.

With every DoD bug bounty the pool of invited participants has grown, with the intent of opening it wider to continue to include all qualified participants. By now, every person on HackerOne is legally permitted to participate in the DoD's vulnerability disclosure program (VDP). To date, the DoD's VDP has resolved more than 3,000 security vulnerabilities.

Question 9. How did your company account for the specific capabilities and functions of the different services your company worked with?

Answer. The key to success in a bug bounty or vulnerability disclosure program lies in diversity of approach and specificity of skill among the hackers. That is why HackerOne has established the world's largest community of security researchers, also known as white hat hackers.
By having an enormous pool to draw from, we ensure that for each particular program there is a large enough group of hackers with the particular skills needed. We record and keep track of skill profiles in our hacker database. When a new program launches, we can find the hackers most likely to have the required skills.

As new customers launch programs on HackerOne, a useful cross-pollination of skills often happens. The new customer typically brings along hackers with deep skills in their particular digital asset. These hackers can then find other programs with similar profiles. And from those other programs, existing hackers may engage in the new program. In this way, over time, individual hacker skills are strengthened, and the overall skill profiles in the HackerOne community become more complete.

Additionally, both HackerOne and its clients may arrange for additional education, training and briefing of hackers in specific areas of technology. The more information there is available, the sharper the skills and the better the results of bug bounty programs. Arguably the best source of learning for ethical hackers is the Hacktivity feed () where vulnerability reports are being published by various companies and government agencies for others to learn from once the vulnerability has been fixed and removed.

Question 10. Please explain the utility of a combined pool of Federal employee and outside participants.

Answer. The success of cyber security is measured not by how many good events there are but by how many bad events can be avoided. The best results are achieved by multiple layers of security. Even if one layer occasionally fails, there is another layer that will catch the deviation from the norm.

Cyber security starts with the design of the digital system. This is the first layer of security. Later in the software lifecycle comes quality assurance, which also removes weaknesses.
When a digital asset is ready for production use, it still needs testing and validation. This is where internal and external bug hunting teams come into the picture. Internal teams of employees have the benefit of inside knowledge of the system. External teams of hackers have the benefit of lack of bias. These and other, more technical, layers of security are needed for the best outcome.

A theme we heard over and over again while working with the DoD is that military and civilian personnel need hands-on training whenever possible. This keeps their skills sharp and allows them opportunities to see unique tactics from a highly skilled researcher community. Allowing employees to participate in bug bounty programs provides realistic training experiences in a controlled environment, at a low cost.

Question 11. Your testimony states that $250,000 is the current maximum bounty listed across all programs that the company administers for its clients. Are the maximum bounty amounts pre-determined in agreements with your client companies?

Answer. On HackerOne's platform, it is the customer that sets the bounty criteria, often based on a recommendation from HackerOne. HackerOne maintains a set of recommended bounty amounts that we derive from historical bounty payment data, adjusting for size and ambition level of the program in question. The bounty amount is typically a function of the severity of the vulnerability and the value of the digital asset in which the vulnerability was found.

The client company has the full right to deviate from their own criteria and pay out higher bounties than advertised. As a matter of fact, many programs do not publish or advertise any maximum bounty.

In addition to bounties, customers can choose to pay individual bonuses to hackers. For instance, if a hacker has prepared an unusually well-researched and well-written vulnerability report to the customer, the entity may choose to reward the hacker with a bonus on top of the bounty.
The bonus amounts are typically small. In 2017, less than 5 percent of all hacker rewards were bonuses.

Question 12. Your testimony stated that the Computer Fraud and Abuse Act is in need of modernization to prevent liability of hackers acting in good faith in identifying vulnerabilities to protect consumers. Do you have any specific recommendations related to modernizing the law?

Answer. Current law, particularly the Computer Fraud and Abuse Act (CFAA), does a disservice to the Internet and its citizens. Congress should amend it to reflect the modern-day needs of the country's cybersecurity community, including the value and necessity of voluntary disclosure programs.

The CFAA fails to define the terms ``without authorization'' or ``exceeding authorized access,'' which are key elements of the law. This broad undefined language has resulted in the CFAA being called one of the most controversial, confusing, and inconsistently interpreted laws in the country. We suggest that the law should clarify ``without authorization'' and distinguish between bad intent on the one hand, and good intent or innocent lack of intent on the other.

While intended as a criminal law preventing malicious hacking, a 1994 amendment to the bill allows for civil actions. We suggest that the CFAA focus on criminal liability rather than civil liability. Much of the chilling effect created by the law originates from its broad interpretation in civil cases, where the burden of proof is reduced.

HackerOne also suggests that violations of contractual obligations, such as a website's terms of service, must not form a basis for criminal charges. Further, it should be clarified in the law that if access to data is already authorized, gaining that access in a novel or automated way is not a crime (i.e., changing IP addresses, MAC addresses, or browser User Agent headers). Finally, minor violations of the CFAA should be punishable with minor penalties, ensuring the punishment fits the violation.
HackerOne urges Congress to modernize the CFAA and related laws to reflect the necessity to fight cybercrime with modern-day tools and processes, including particularly voluntary disclosure programs.

______

Response to Written Questions Submitted by Hon. Brian Schatz to Marten G. Mickos

Question 1. I have been working to make the process of software vulnerability disclosures more transparent and accountable. As part of this effort, Senators Gardner, Johnson, Klobuchar, and I introduced the PATCH Act. Do you support the PATCH Act?

Answer. We believe in the general and overarching principles of finding, fixing and disclosing security vulnerabilities. We as a society should make every effort to detect security vulnerabilities and have them corrected by the owner of the system before the vulnerability can be exploited by criminals or other adversaries. Once the responsible owner of a system has remediated the vulnerability, or after a reasonable time of being advised of the existence of a vulnerability, it is in society's best interest to make this information publicly known. In our increasingly connected world, it is rare that critical lessons learned from a vulnerability are limited to a single organization.

We also acknowledge that the government from time to time will have valid and specific reasons of a national security character not to report or disclose a known security vulnerability. Such withholding of vulnerability information from the owner of the system in question should be allowed temporarily only when required to address a specific and significant national security threat.

To the degree the PATCH Act validates and enforces these principles, we support the act.

Question 2. HackerOne's code of conduct clearly forbids extortion or blackmail. Yet, after the 2016 incident, Uber still remains a client of HackerOne and is listed on its platform. Was Uber's payoff to its extortionists not a violation of HackerOne's code of conduct?
Was their account suspended or penalized in any manner?

Answer. Based on our observations and investigations, Uber is not and has not been in violation of HackerOne's terms and conditions or code of conduct for customers. HackerOne did not suspend or penalize Uber's customer account in any manner.

______

Response to Written Question Submitted by Hon. Amy Klobuchar to Katie Moussouris

Question. If we are going to increase the size and expertise of our cybersecurity workforce it is essential that we commit to expanding educational opportunities for American students. That's why I introduced the bipartisan Innovate America Act with Senator John Hoeven. Provisions from this bill became law as part of the Every Student Succeeds Act. They will improve students' access to STEM education by allowing states to award funding to create or enhance a STEM-focused specialty school or a STEM program within a school. Minnesota has received $4 million of these grants and will be making awards soon. Ms. Moussouris, how significant is the current skills gap in the cybersecurity workforce?

Answer. No Response Provided.

______

Response to Written Questions Submitted by Hon. Brian Schatz to Katie Moussouris

Question 1. There are serious questions about the disclosure timeline and process of the ``Spectre'' and ``Meltdown'' flaws. Do you believe that the right entities were involved in the research and disclosure process leading up to public notification? How could this be improved?

Answer. No Response Provided.

Question 2. What should be the threshold for disclosing vulnerabilities to the U.S. government? As the cyber threat model evolves, how and when should this threshold change?

Answer. No Response Provided.

Question 3. I have been working to make the process of software vulnerability disclosures more transparent and accountable. As part of this effort, Senators Gardner, Johnson, Klobuchar, and I introduced the PATCH Act. Do you support the PATCH Act?

Answer. No Response Provided.
______

Response to Written Questions Submitted by Hon. Amy Klobuchar to Justin Brookman

Question 1. I introduced the Seniors Fraud Prevention Act with Senator Susan Collins, the Chair of the Senate Committee on Aging, to help the Federal Trade Commission (FTC) more effectively combat senior fraud. When personal information has been compromised online, identity theft and other fraud can follow consumers for years. My bill would help fight scams designed to strip seniors of their assets by helping educate seniors about fraud schemes and improving monitoring and response to fraud complaints. This bill was passed by the Commerce Committee last year and I am happy to say it passed the Senate in August. Mr. Brookman, what additional resources or authority at the FTC would be helpful in protecting consumers' personal information?

Answer. There are a number of important steps that I believe Congress should undertake to improve the FTC's ability to protect consumer privacy. These include:

Enact statutory privacy protections. The United States is an outlier in that it is one of the few nations that does not provide legal protections for most personal data. Instead, only a few isolated pockets of information (such as medical history, data about children, and video rental records) are protected--and even some of those protections are being rolled back.\1\ In lieu of dedicated privacy authority, the Federal Trade Commission has leveraged existing consumer protection law to challenge some privacy violations, but its legal authority is extremely constrained. Most of the FTC's privacy cases have been brought under its deception authority, meaning that the FTC can only act if a company proactively deceives a consumer about its data practices. Absent affirmative transparency and choice obligations, many companies evade this liability by offering only vague and inscrutable information about their practices in privacy policies that consumers rarely read.
The FTC has more recently brought privacy cases under its unfairness authority, but such cases require a showing of ``substantial injury''--and what constitutes a substantial privacy injury is a legal uncertainty.\2\ Congress could dramatically improve privacy protections and consumers' rights by enacting privacy legislation modeled on the Fair Information Practice Principles;\3\ Consumers Union would be more than happy to collaborate with your office and other interested members of Congress in crafting what such legislation would look like.

\1\ See, e.g., Kimberly Kindy, How Congress dismantled Federal Internet privacy rules, Washington Post, May 30, 2017, https://www.washingtonpost.com/politics/how-congress-dismantled-federal-internet-privacy-rules/2017/05/29/7ad06e14-2f5b-11e7-8674-437ddb6e813e_story.html?utm_term=.11a7cf766dad.
\2\ The Federal Trade Commission recently hosted a public workshop on this topic. See Informational Injury Workshop, Federal Trade Commission, Dec. 12, 2017, https://www.ftc.gov/news-events/events-calendar/2017/12/informational-injury-workshop.
\3\ Bob Gellman, Fair Information Practice Principles: A Basic History, Apr. 10, 2017, https://bobgellman.com/rg-docs/rg-FIPshistory.pdf.

Statutory penalties for lawbreaking. The Federal Trade Commission lacks the legal authority to obtain civil penalties in the considerable majority of its cases--instead, it can only obtain injunctive relief and offer restitution to injured consumers (though again, restitution is challenging in the privacy realm where injuries are difficult to quantify). As such, companies are able to treat legal challenges merely as a cost of doing business.
The FTC should be able to obtain reasonable civil penalties in order to sufficiently deter wrongdoing, both for violations of a new privacy statute as well as its existing Section 5 legal authority.

Ability to issue clarifying regulations. Unlike many regulatory agencies, the Federal Trade Commission generally lacks the ability to issue regulations under the Administrative Procedure Act. This limitation prohibits the agency from issuing more precise guidance to companies and consumers as to what behavior is prohibited, relying instead on establishing legal norms through litigation and negotiated consent decrees. We urge Congress to provide the FTC with this authority, both for a new privacy statute as well as for Section 5.

Staffing. The Federal Trade Commission needs more resources to perform its consumer protection mission. Despite the U.S. economy more than doubling in size since 1980, the size of the FTC staff has--to say the least--failed to keep up. Moreover, other agencies are increasingly pushing their own responsibilities to the FTC, especially on privacy--from the Federal Communications Commission\4\ to the National Highway Traffic and Safety Administration.\5\ Further, some FTC critics have called upon the FTC to litigate more of its cases--instead of relying upon settlement agreements--in order to create binding and reliable rules (though, as noted above, this could also be accomplished through rulemaking).\6\ However, litigating against more well-resourced companies is labor intensive, and the Commission will need considerably more attorneys in place to pursue such a strategy.
In addition to additional legal support, I strongly support funding more technical staff at the FTC in order to competently police online privacy and related issues, both within substantive divisions such as the Division of Privacy and Identity Protection, but also in the Office of Technology Research and Investigation (or OTECH) which supports the entire Consumer Protection Bureau mission.

\4\ Amir Nasr, Trump's Repeal of Internet Privacy Rules Shifts Regulatory Powers to FTC, Morning Consult, Apr. 7, 2017, https://morningconsult.com/2017/04/04/trumps-repeal-internet-privacy-rules-shifts-regulatory-powers-ftc/.
\5\ Joe Jerome, NHTSA Automated Vehicles Guidance Punts Privacy to the FTC and Congress, Center for Democracy & Technology, Sep. 22, 2017, https://cdt.org/blog/nhtsa-automated-vehicles-guidance-punts-privacy-to-the-ftc-and-congress/.
\6\ Tom Struble, Reforming the Federal Trade Commission Through Better Process, R Street, Dec. 2017, http://2o9ub0417chl2lg6m43em6psi2i.wpengine.netdna-cdn.com/wp-content/uploads/2017/12/122.pdf.

Question 2. During your time at the FTC, did you notice any trends in how new technology was being used to exploit seniors?

Answer. In my experience, the Federal Trade Commission takes very seriously its obligation to protect all citizens, but especially segments of the population that may be vulnerable to particular practices.
Through its Every Community Initiative, the FTC has tried to identify various ways that predators are more likely to target certain populations.\7\ A recent FTC Fraud Report found that while senior citizens were not more likely to be targeted with fraud generally, they were more likely to be targeted by certain scams, such as fraudulent prize promotions, timeshare fraud, and fraudulent medical claims.\8\ Tech support scams were another such category, where attackers try to exploit unfamiliarity with technology to sign consumers up for unneeded, high-cost technical assistance--or worse, hold a consumer's computer hostage until a ransom has been paid.\9\ The FTC has brought a number of tech support scam enforcement actions,\10\ and in 2016 held a public workshop on the growing menace of ransomware.\11\ Robocalls are another common--and growing--frustration of older Americans, and the FTC along with the FCC have taken a variety of actions to try to combat their rise.\12\ Consumers Union has also advocated a number of additional steps that policymakers should take, including requiring phone companies to offer to all consumers comprehensive tools to block spoofed and unwanted calls, at no charge, and without delay.\13\

\7\ Every Community, Federal Trade Commission, https://www.consumer.ftc.gov/features/every-community.
\8\ Testimony of Lois Greisman before the Senate Special Committee on Aging, Stopping Senior Scams: Developments in Financial Fraud Affecting Seniors, Feb. 15, 2017, https://www.ftc.gov/system/files/documents/public_statements/1069573/p134405_commission_testimony_re_stopping_senior_scams_senate_02152017.pdf.
\9\ Id.
\10\ E.g., Press Release, FTC Obtains Settlements from Operators of Tech Support Scams, Federal Trade Commission, Oct. 26, 2017, https://www.ftc.gov/news-events/press-releases/2017/10/ftc-obtains-settlements-operators-tech-support-scams.
\11\ Fall Technology Series: Ransomware, Federal Trade Commission, Sep. 7, 2016, https://www.ftc.gov/news-events/events-calendar/2016/09/fall-technology-series-ransomware.
\12\ Robocalls, Federal Trade Commission, https://www.consumer.ftc.gov/features/feature-0025-robocalls.
\13\ E.g., Maureen Mahoney, Letter from Consumers Union to Senators Bill Nelson et al., Apr. 5, 2018, g/wp-content/uploads/2018/04/CU-CFA-Robocalls-S.-134.pdf.

______

Response to Written Questions Submitted by Hon. Brian Schatz to Justin Brookman

Question 1. There are serious questions about the disclosure timeline and process of the ``Spectre'' and ``Meltdown'' flaws. Do you believe that the right entities were involved in the research and disclosure process leading up to public notification? How could this be improved?

Answer. Given the unprecedented scope of the Spectre and Meltdown vulnerabilities and my lack of practical experience in incident response, I am hesitant to severely criticize the disclosure timing and processes that were used. Multi-party coordination can be extraordinarily challenging under less complicated circumstances, and there are inevitable and difficult trade-offs between the values of concealing information to prevent leaks that could harm consumers with sharing information to the diverse parties who will have to address the vulnerabilities. I question the assessment that the vulnerabilities were not being actively exploited, and how it was used as a rationale for not sharing information with US-CERT. Further, I believe that several companies' initial public statements understating the scope of the problem were counterproductive.
It is my hope that the companies involved will undertake a rigorous assessment of what worked well and what did not in order to learn from this experience, as this will certainly not be the last major vulnerability that threatens devices and services across the ecosystem.

While the Spectre/Meltdown incident may provide valuable lessons about incident response and coordination, I believe there are potentially more important lessons about how security often receives insufficient attention during product design. The current legal framework does not provide strong enough incentives for companies to safeguard against these types of vulnerabilities in the first place. Functions such as speculative execution prioritize performance at all costs without sufficient weighting of the risks of exploitation. Unfortunately, companies do not bear the full costs of security vulnerabilities, as it is consumers who end up bearing the burdens of identity theft, impaired functionality, and the need to replace products. While companies who experience a security breach may face the loss of consumer goodwill, in a vulnerability as fundamental as Spectre and Meltdown, consumers may not even know which company to blame, given that so many products and system layers were affected. In concentrated industries with only a handful of providers (or fewer), the insufficiency of after-the-fact market pressure is an even greater problem.

Consumers often feel helpless in the wake of incidents such as these, unsure of which products are vulnerable, and if so, to what types of attacks. While there are some useful guidelines for consumers to keep in mind (keep software updated, use tracker blockers to stop unnecessary interactions with third-party servers), consumers are usually not in the best position to ensure security on their systems. Companies should have legal obligations to deploy and maintain reasonable security measures, proportionate to the risks borne both by the companies and others.
In some cases, this may compromise performance, if the security risks outweigh the performance loss. However, in many cases, this can be remediated through addressing other prevalent anti-consumer inefficiencies, such as device bloatware and excessive reliance on third party tracking code.