“Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers.”
Statement of
Chairman Moran, Ranking Member Blumenthal, and distinguished members of the Committee, thank you for the opportunity to testify at this hearing on behalf of Luta Security and the security research community.
We commend the Committee for holding this open hearing to help understand, clarify, and differentiate between defensive security research and vulnerability disclosure activities, which may or may not include bug bounties, versus Internet-enabled crimes, which may include extortion for unauthorized access to consumer data.
I am the founder and CEO of Luta Security, working with governments and complex organizations on multi-party supply chain vulnerability coordination to create mature, robust, sustainable vulnerability coordination and disclosure programs. We base these programs on the international industry standards ISO/IEC 29147 (Vulnerability disclosure) n2 and ISO/IEC 30111 (Vulnerability handling processes) n3, and on our Vulnerability Coordination Maturity Model.
I am the co-author & co-editor of these international standards, was co-chair of the NTIA's multi-stakeholder vulnerability disclosure working group subcommittee of multi-party vulnerability coordination n4, with over 20 years of professional technical and strategic work in technology and information security, as a former penetration tester at @stake n5, to creating
Today, I'm here as a witness to talk about the defense market for bugs, the role of bug bounties and other security research, and the role of the defensive ecosystem to shape these new markets.
When I was a teen learning to hack in the late '80s, there was no broadly-recognized and accessible defensive market for hacking skills, no online banks or e-commerce sites to hire us to test their Internet-facing systems for holes, no bug bounty programs, and even
This awareness of the power of hackers had prompted not job offers or viable legal career paths, but legislation that made hacking a criminal offense. n9 This law not only gave prosecutors the necessary legal tools to go after nation-state actors and criminals, but to this day has caused a chilling effect on security research for defensive purposes. This chilling effect on researchers has also been reflected in the reluctance of governments and organizations to engage with hackers, further complicated by recent data breaches under the misapplied term "bug bounty".
Only in the past 5 to 8 years have we seen any major acceptance by governments and companies working cooperatively and openly with hackers. However, there is still a great fear among many organizations that opening a front door for hackers to report security holes will cause damage from disruption of operations, intellectual property theft, fraud, reputational damage, and data breaches.
In 2015, 94% of the Forbes Global 2000 had no published way to report a security hole to them. If you saw something, it was difficult to say something. It was even a risk to your freedom, if the organization chose to pursue legal action against you under the Computer Fraud and Abuse Act (CFAA).
While the CFAA hasn't materially changed over the past 34 years to grant security researchers safe harbor for helping to point out security bugs, in July of 2017, the
The main premises to help create robust vulnerability disclosure or bug bounty programs are straightforward in the DoJ framework, with a summary of the key aspects as follows:
1. Decide whether sensitive systems and data are in scope for discovery and reporting by external helpful hackers.
2. Encourage the use of test accounts whenever possible to avoid the unnecessary compromise of other users' privacy and data without their permission.
3. Make it clear that only the minimum necessary proof is required to prove that a vulnerability exists, and that no further access or exploitation past that point is authorized.
4. Further define how any deliberately or accidentally accessed private data should be stored and transmitted.
5. Specify the manner in which proof of the hack is conveyed, perhaps using a screen capture to avoid further transmitting the protected data.
6. Decide whether to include the requirement to destroy any copies of data once the report is delivered.
To protect well-intentioned researchers from ambiguity and from accidentally overstepping the intended scope, as well as to protect consumers whose data may be subject to access, transmission, and storage without their consent, it is important to define these parameters as clearly as possible. This applies in vulnerability disclosure programs as well as bug bounties.
Finally, as a creator and advisor of some of the major new bug bounty programs in the past several years, I want to point out that the ecosystem for rewarding bug hunting is skewing the markets toward more bug hunters, but not necessarily more bug fixers. This imbalance that is being created in these markets may very well shift the ecosystem towards rewarding more data theft than bug hunting.
There is a difference between paying
Already, we are facing a global shortage of talent in cyber security, and while more legal ways to report bugs are good, the creation of an overall defense workforce is necessary, in
"In 2017, the
"With more than 200,000 open cybersecurity jobs in 2015 in the
According to a 2016 study, "none of the top 10 U.S. computer science programs required a cybersecurity course for graduation, and 3 of the top 10 university programs don't even offer an elective course in cybersecurity." n11
Much like in Star Wars, The Force for finding vulnerabilities has a dark side as well as a light side, but they are two sides of the same coin, representing indistinguishable skill sets. We are creating more of an imbalance in The Force, weighted against defenders.
As a visiting scholar with
The defense market is typically paying lower amounts than the offense market, but doesn't traditionally require the bug hunter to stay silent about their find, once it is fixed, providing the finder with recognition and further opportunities for their career in other ways.
The defense market for bugs cannot compete directly with the offense market on price.
Very quickly, we would run out of willing software developers and testers, and the markets are already taking that direction in the way that bug bounties are being used today. Bug bounty hunters worldwide are on average able to make more than being a software developer in many countries. Perverse incentives include overpaying for bugs on the defense market, as well as the rewarding of data theft with much higher prices than an honest bug hunter would get for adhering to the rules.
The entire defensive bug hunting ecosystem has a responsibility to help uphold the law and guide the creation of programs that will not breach ethical or legal standards. We have a responsibility to the current and next generation of hackers to demonstrate best practices in bug bounties as well as the broader vulnerability disclosure picture.
"Focusing on the labor market opens new productive avenues for conversation and future research: It suggests linkages between research on vulnerability markets and a larger body of work rooted in the tradition of economic sociology. These efforts consider markets not only, or, at times, not even primarily, as engines of efficient resource allocation, but move to address pressing descriptive questions related to the contingent and historical specificity of the construction of markets.
Markets are not inevitable. They are always actively created." n12
If
1. Funding for increased education in security be set for all grades (K-12), to begin finding early security talent and recruiting for defense
2. Setting forth requirements that all college majors in computer science understand secure coding and organizational cyber risk management
3. Fewer "Hack the x" bills be introduced without proper assessment of sustainable defensive capabilities in each government agency considering launching a bug bounty.
Again, I'd like to thank you for the opportunity to testify today. I welcome your questions and comments.
n2 http://standards.iso.org/ittf/PubliclyAvailableStandards/c045170_ISO_IEC_29147
n3 https://www.iso.org/standard/53231.html
n5 https://en.wikipedia.org/wiki/@stake
n6 https://langevin.house.gov/press-release/langevin-statement-wassenaar-arrangement-plenary-session
n8 https://www.youtube.com/watch?v=kDJxAm-AVNA&feature=youtu.be
n9 https://www.nytimes.com/2016/02/21/movies/wargames-and-cybersecuritys-debt-to-a-hollywood-hack.html
n10 https://www.justice.gov/criminal-ccips/page/file/983996/download
n12
Read this original document at: https://www.commerce.senate.gov/public/?a=Files.Serve&File_id=E162FD54-F858-44AE-B25F-64E331C628AE