U.S. CISO wants to lean on freelance hackers to improve .gov security

The U.S.’ first Chief Information Security Officer outlined Tuesday a series of strategic plans he hopes to execute during his tenure including the possible expansion of a massive bug bounty program across all .gov domains.

Gregory Touhill, formerly the deputy assistant secretary for cybersecurity and communications in the Department of Homeland Security’s Office of Cybersecurity and Communications, was named to the CISO position roughly six months after the White House first announced plans — via the Cybersecurity National Action Plan, or CNAP — to create such an office. He is primarily responsible for leading cyber practices across federal agencies.

“You’re going to see us do an increased push to field and use the tools and capabilities of CDM, continuous diagnostic and mitigation, so we can better do the right things the right way. It’s not just the technology, it’s also creating some new capabilities that have not been there before; such as actively looking with hunt teams through .gov for hackers, it’s improve our pen testing, it’s incorporating software assurance and perhaps a bug bounty across the federal government,” Touhill said during a speech at the 2016 AFCEA DC Cybersecurity Summit.

He added, “frankly, if I had it my way, we would do a bug bounty across .gov and the program office in charge of the source code would reimburse the bug bounty pool once a bug is discovered.”

Key to improving the government’s digital security, according to Touhill, is the establishment of fixed, transparent metrics to judge the progress and performance of different agencies over time. In this vein, a federal CISO Council — much like the existing CIO Council, which brings together federal chief information officers from different agencies to collaborate and share best practices — is in the works.

Touhill, in recent weeks, has also been in touch with the Department of Education. He is working on a broad effort to help build the U.S.’ future cybersecurity workforce by, among other things, advocating for the inclusion of computer science-related educational opportunities at earlier ages in the public schooling system. One of his related ideas in this space is a cybersecurity awareness campaign aimed at children, which centers on a McGruff the Crime Dog-like mascot named “Byte.”

In the short term, Touhill said a website will be launched in the coming months to provide basic digital security educational resources, best practices and tips for keeping good cyber hygiene. This online platform is intended to become a centerpiece for free, regularly updated cybersecurity recommendations and information for both federal agencies and private sector partners.

Touhill, who was named to the position on Sept. 8, said he fully expects to continue in his role as CISO beyond the upcoming election and into the next administration regardless of who becomes president.

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Mary's College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.