Senate Commerce, Science & Transportation Subcommittee Issues Testimony From HackerOne
"Chairman Moran, Ranking Member Blumenthal, and Members of the Subcommittee, thank you for inviting me to testify today. I look forward to providing you with my perspective on Data Security and Bug Bounty Programs.
"I am Chief Executive Officer of
The Threat of Weak Cybersecurity
"Today's cybersecurity practices are severely outdated in contrast to the cyber threats that society faces. When exploited for criminal purposes, even just one single and relatively unremarkable security vulnerability can create havoc, as the
"Unfortunately, it is only a question of time before cybercrime causes physical damage to structures or, worse, physical harm to humans. Citizens in general and consumers in particular are exposed to risks that they cannot possibly deal with themselves. Privacy is threatened. Consumer protection against faulty and vulnerable software-based products is presently inadequate.
"The economic repercussions are enormous, and we are only now starting to see the true costs of lax cyber hygiene. When data breaches occur, corporations lose millions of dollars. These costs are often passed along to consumers who additionally face unquantifiable burdens associated with the breaches, including compromise of privacy.
"It is an unfortunate fact that in the digital realm, society is currently failing to provide its citizens with what societies were established for: safety and security.
Hacker-Powered Security Offers a Solution
"Whatever protections and defenses we build into our digital assets - and we should build a lot of them - there is one practice that covers every possible cause of cyber breach. There is an "immune system"2 that will approach the digital assets from the same direction as adversaries and criminals do - from the outside. There is a mechanism that at scale has the opportunity to ultimately detect every hole, every weakness and every security vulnerability in a system or product built by humans.
"This practice is often called "Hacker-Powered Security." It is a mechanism that turns the asymmetry that favors the attacker into an asymmetry that favors the collaborating defenders. It is a collective effort that relentlessly looks for more vulnerabilities. Its outstanding success metrics are a result of stochastic probability: the more attempts there are at finding vulnerabilities, the higher the likelihood that these will be found. Over time the result improves asymptotically towards 100%.
"Hacker-powered security is a model that invites external and independent security researchers and ethical hackers - we will here simply call them "hackers" - to hunt for vulnerabilities in computerized systems. Today there are over one hundred thousand white hat hackers in the world. These are individual experts who have signed up to help corporations and organizations to detect and fix their security weaknesses. These hackers are motivated by the challenge, by the opportunity to do good and by peer recognition. They are rewarded for their finds with bounties. They are bug bounty hunters.
How Hacker-Powered Security Works
"Hacker-Powered Security covers any cybersecurity-enhancing services and automations that are partially or wholly produced by independently operating security experts outside the company or organization in question.
"The most fundamental function of hacker-powered security is a Vulnerability Disclosure Program, also called Responsible Disclosure or Coordinated Vulnerability Disclosure.
"A vulnerability disclosure program is essentially a neighborhood watch for software. The motto is "If you see something, say something." Concretely, if and when an ethical hacker finds a security vulnerability in any company or government organization's website or mobile app or other computer system, this person will be invited to disclose the vulnerability found to the system's owner.
"Most human beings are ready to help their neighbor, so the impetus for vulnerability disclosure is enormous. Issues of legality and trust, however, make vulnerability disclosure more complicated than a regular neighborhood watch. To solve this issue, leading companies have created their own policy frameworks for the disclosure of vulnerabilities to them, and others turn to companies such as
"When an entity decides to offer financial rewards to finders of vulnerabilities, the vulnerability disclosure program is called a Bug Bounty Program. Bug bounty programs have existed at least since 1983.3 The practice was perfected by Google,
Proven Effectiveness
"Hacker-powered security programs have demonstrated their effectiveness compared to other methods for vulnerability detection. Hiring full-time employees or external service or product vendors to test for vulnerabilities is more expensive. Through
"Hacker-powered security is a model that scales. Today there are over 160,000 registered ethical hackers, and over the coming years this number is likely to grow to over a million. This army of hackers will be able to take on the work of the entire digital realm of our society.
"Thanks to the diversity and scale of the hacker community, hacker-powered security finds vulnerabilities that automated scanners or permanent penetration testing teams do not find. Existing models are good at finding predictable security vulnerabilities, but even more important is to find the unpredictable ones - the unknown unknowns. Given a large enough hacker community and enough time, such vulnerabilities will be identified.
Vast and Diverse Clientele
"Hacker-powered security emanated over the past decade as a best practice among
"The vendors providing hacker-powered services have established communities of ethical hackers for whom they keep track of skill profiles and performance metrics. Bug bounty programs may be self-managed by the customer, or fully managed by the vendor. In the latter scenario, customers save both time and money while being presented with valid security vulnerabilities on a continuous basis. In either scenario, it is up to the customer to remediate the vulnerability once found.
"Entities that operate such vulnerability disclosure and/or bug bounty programs include: Adobe,
Who are the Hackers?
"The original experts at the
"Security experts may be described using a variety of titles including "ethical hacker", "white hat", "security researcher", "bug hunter", and "finder." One title is conspicuously absent: Criminal. Hackers are not criminals. Specifically, bug bounty platforms offer no benefit to someone with criminal intent. On the contrary,
"Hackers are driven by a variety of motivations, many of which are altruistic. The security advocacy organization I Am The Cavalry summarizes these motivations4 as: Protect (make the world a safer place), Puzzle (tinker out of curiosity), Prestige (seek pride and notability), Profit (to earn money), and Protest/Patriotism (ideological and principled).
"The
"Hacker-powered security does not only improve security. The model democratizes opportunity and offers meaningful work to anyone with the inclination and drive to be a useful ethical hacker. Many hackers are young adults. They can do their work from anywhere. The money hackers make is used to support their families, pay for education, and catapult them into successful professional careers. Hacking brings meaning and mandate to enterprising people irrespective of their location. Hacking brings positive societal impact across the nation.
Case Studies
""Hack the Pentagon" was initially launched as a pilot program under the leadership of Secretary of Defense
""We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks," said Secretary Carter of Hack the Pentagon7. "What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference - hackers who want to help keep our people and nation safer."
""It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than
"The Pentagon announced it would continue the Hack the Pentagon program and bring this successful model to other agencies.
Hack the Army
"The "Hack the Army" Bug Bounty program9 ran from November to
"While bug bounties are a way for the
Hack the
"It took just under one minute for hackers to report the first security vulnerability to the
""Adversaries are constantly attempting to attack our websites, so we welcome a second opinion -- and in this case, hundreds of second opinions -- on the health and security of our online infrastructure,10" said
"Two of the Hack the
"The Hack the
Consistency with Existing Laws & Best Practices
"Federal regulatory agencies responsible for consumer safety have acknowledged and adopted vulnerability disclosure programs as a cybersecurity best practice. These agencies recognize the critical role that hackers play in securing technology and protecting consumers.
"In
"In later comments made by the
"In
"In
"In
"In
"These federal agencies have recognized the critical role that ethical hackers play in enabling public and private sector organizations to provide secure services that are resilient to cybersecurity vulnerabilities.
Conclusion and Recommendations
"We need hackers. Our goal must be an internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security.
"Hackers are truly the immune system of the internet. They are a positive power in society. We must enable and encourage them to make their best security contributions. This requires a safe legal environment encouraging all individuals to come forward with vulnerability information, no matter the circumstances.
"I provide you with the following recommendations:
"First, the Computer Fraud and Abuse Act (CFAA), enacted in 1984, contains vague wording that has not kept pace with the proliferation of the internet. The act is in need of modernization. I encourage the members of the committee to support CFAA reform19 to remove imposed criminal penalties on actions that do no harm to consumers.
"Individuals that act in good faith to identify and report potential vulnerabilities should not be legally exposed.
"Second, the patchwork of breach notification laws enacted primarily at the state level may create uncertainty and perverse incentives for those who safeguard consumer data. I encourage this subcommittee to support a harmonized and unambiguous breach notification law governing all
"Third, I repeat the words of numerous experts that a ubiquitous "See something, Say something" practice for vulnerabilities is a vital and critical step towards improving cybersecurity for consumers. The absence of a formal channel to receive vulnerability reports reduces a vendor's security posture and introduces unnecessary risk. Corporations should welcome input from external parties regarding potential security vulnerabilities and
"As
"Hacker-powered security has matured as a model to be ready to help society solve one of its most pressing problems: cyber threats.
"Pioneering entities have perfected the practice of hacker-powered security. Hundreds of thousands of security vulnerabilities have already been found and remediated. The vast community of hackers stands ready. The hackers are not asking what society can do for them. They are asking what they can do for society. Ethical hacking may be the only force that can stop criminal hacking. The asymmetry of digital threats can be turned around with pooled defense. Together we hit harder against cybercrime.
"Thank you for the opportunity to testify on this important issue."
* * *
Footnotes:
1. https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
2. https://www.ted.com/talks/keren_elazari_hackers_the_internet_s_immune_system
3. Hunter & Ready ran a campaign in 1983 called "Get a bug if you find a bug", offering a
5. https://www.hackerone.com/sites/default/files/2018-01/2018_Hacker_Report.pdf
6. https://www.ntia.doc.gov/files/ntia/publications/2016_ntia_a_a_vulnerability_disclosure_insights_report.pDf
7. https://www.defense.gov/News/News-Releases/News-Release-View/Article/802929/defense-secretary-ash-carter-releases-hack-the-pentagon-results/
8. https://www.defense.gov/News/Article/Article/802828/carter-announces-hack-the-pentagon-program-results/
9. https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In
10. http://www.af.mil/News/Article-Display/Article/1274518/hack-the-air-force-results-released/
11. https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business#current
12. https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-staff-comment-national-telecommunications-information-administration-regarding-safety-working/170215ntiacomment.pdf
13. https://www.nhtsa.gov/staticfiles/nvs/pdf/812333_CybersecurityForModernVehicles.pdf
14. https://hackerone.com/gm
15. https://www.tesla.com/about/security
16. https://www.fda.gov/downloads/medicaldevices/deviceregulationandguidance/guidancedocuments/ucm482022.pdf
17. https://www.justice.gov/criminal-ccips/page/file/983996/download
18. https://www.justice.gov/opa/speech/deputy-attorney-general-rod-j-rosenstein-delivers-remarks-global-cyber-security-summit
19. https://www.eff.org/document/letter-def-con-cfaa-reform
20. https://www.cnet.com/roadshow/news/general-motors-cybersecurity/