Hacking the System: Lessons Learned from CMS's Inaugural Bug Bounty

Leah Siskind, Remy DeCausemaker, and Keith Busby

Bug bounties have become commonplace in private corporations, but what happens when a government agency serving millions of people decides to run one? Join us to explore the groundbreaking Bug Bounty program launched by the Centers for Medicare & Medicaid Services (CMS) - an agency responsible for providing healthcare to over 150 million Americans annually. With the high stakes of protecting sensitive personal and health information, CMS has always prioritized security and employs top experts in the field. However, nothing compares to the power of inviting the world’s best hackers to target our systems.

In this talk, we will share captivating stories of CMS’s first-ever Bug Bounty, held in October 2024. Discover how we attracted security researchers from across the globe to hack our most high-profile targets. Through this initiative, we gained invaluable insights into implementing proactive security measures and driving a cultural shift within government agencies. Join us as we unveil the lessons learned and explore the potential of Bug Bounties to empower and transform the security landscape of government organizations.

Speaker Bios:

Remy DeCausemaker is the Open Source Lead for the Digital Service at the Centers for Medicare & Medicaid Services (CMS). Remy helps developers, designers, and other contributors work with dedicated civil servants to create open, accessible healthcare technology projects, programs, and policy. Through his work with the US Digital Corps and the Digital Service at CMS, Remy improves access to health information and grows communities of practice around Open Data, Open Standards, and Open Source code.

Leah Siskind is a bureaucracy hacker and the Senior Advisor to the CMS Digital Service. Leah helps build multidisciplinary technical teams in federal agencies that deliver digital products to the public.

Keith Busby is the Acting Chief Information Security Officer (CISO) for the Centers for Medicare and Medicaid Services (CMS). In this role, he leads enterprise cybersecurity, compliance, privacy, policy, and counterintelligence functions, ensuring that CMS not only complies with secure IT requirements but also fosters innovation across its vast digital ecosystem.

With over 20 years of experience in information technology, security, and management consulting, Keith has a proven track record of driving strategic initiatives and building robust security programs. Prior to his current role, he served as the Deputy CISO, Director of CMS’ Cyber Threat and Security Operations Division, and Director of the Security and Privacy Compliance Division, where he was instrumental in enhancing the agency’s cybersecurity posture and operational resilience.

An eight-year U.S. Army veteran, Keith holds a bachelor’s degree in computing and security technologies from Drexel University and a master’s degree in cybersecurity and information assurance from Capitol Technology University. Outside of work, Keith takes pride in his unofficial title as a "participation trophy-winning backyard BBQ pit master" and enjoys coaching youth baseball. When he’s not leading on the field or at the grill, he’s likely shuttling his children between baseball games and practices, savoring the balance between his professional and personal passions.
