The best way to prevent getting hacked is to try to get hacked.
Paradoxical as this may sound, evidence shows it is true. The worst data breaches the world has seen were with companies that did not invite external security researchers to report their findings. But by hunting for their security vulnerabilities, organizations can ensure the weak points are found and fixed before they are identified by criminals. Open sourcing security is the way.
Nowhere is the positive value of hackers understood as well as in the capital city of the United States.
Hack the Pentagon was launched in 2016. To date, nearly 4,000 security vulnerabilities have been reported and fixed in digital assets of the DoD. We have hacked the Army, hacked the Air Force and hacked the Defense Travel System. The more we hack, the more secure the Pentagon is. The strongest line of defense of the United States of America is strong enough only when aided by whitehat hackers around the globe.
Capitol Hill, acting resolutely, is working on bills that when passed will mandate government agencies to run bug bounty programs modeled after Hack the Pentagon. In the proposed ‘‘Prevent Election Hacking Act of 2018’’ bill, independent technical experts are provided a safe harbor to conduct their security research and report their findings.
Long before this, the FTC recommended hacker-powered security to all companies that deal with consumer information. FDA made a similar recommendation for medical devices. NTIA, NIST and NHTSA independently published their own recommendations. The DoJ published a framework for vulnerability disclosure. And in Europe, GDPR provides a strong reason for every organization to establish a process for receiving security input from external researchers. This was recently stated in a report by the Centre for European Policy Studies: “Coordinated vulnerability disclosure can also help mitigate data protection and data security risks, and in fact is one of the good practices encouraged by data protection and other competent authorities as a means to promote compliance with GDPR.”
The message is unison. Governments protect democracy and want no system to get breached. They pass laws to make ethical hacking lawful. Only when we are hacked friendly can we make sure we don’t get hacked criminally.
Can the private sector learn from this? It certainly can. General Motors, Toyota, Goldman Sachs, Starbucks, Intel, Qualcomm and a thousand other companies have established vulnerability disclosure or bug bounty programs. These companies are inviting the whole world to work with them on improving security and reducing the risk of data breach. They know that when they get lawfully hacked, they won’t get awfully hacked.
Corporate boards of directors are turning their attention to managing cyber risk. When everything goes digital, so do the risks that companies face. But how can a board of generalists manage cybersecurity when the technologies are so complex and cryptic? The answer lies in probabilistic risk management. Security is a practice where every detail must be paid attention to. Yet, it is possible to aggregate the analysis to a level where changes in probabilities tell us whether we are reducing cyber risk or not. When we observe cybersecurity through a lens of risk management, the issue becomes manageable. There is actually nothing new in this. Similar safety approaches are used in the management of nuclear power plants and in the airline industry, to name just two examples.
At HackerOne, as we serve large organizations and small ones, corporations and government agencies, we are seeing our business quadrupling on an annual basis. We have developed and built out our customer services to allow companies to start small and grow their programs over time. Through automated software features and custom service offerings, we have reduced the workload on our customers to a minimum while reaching the highest signal-to-noise ratio in the industry. In brief, this means that we can launch programs for our customers faster and show unparalleled ROI in a short time. Organizations are rushing to hacker-powered security because it works.
There remains no reason not to invite hackers to identify security weaknesses. Some organizations continue to be unable, or worse, unwilling, to fix their vulnerabilities. For everyone else, there are only benefits to be had. Governments are recommending hacker-powered security, and they may soon mandate it. Leading corporations are already on board, with impressive results. HackerOne fully manages the programs on behalf of the customer, meaning that staff shortage is not a show-stopper. False negatives are filtered out. What remains is a pure list of valid security vulnerabilities that when fixed or blocked are unavailable to those with criminal intent. There is no faster or more effective way to reduce the risk of breach.
An army of whitehat hackers 200,000 strong stands ready to serve. Their insights have already eliminated over 72,000 vulnerabilities, and the internet has thereby become a good deal more secure. It may seem that cyber risk is only increasing, and the recent breaches certainly give rise to such suspicion. It takes time to turn a big ship. But when you look deeper in the industry, you can observe the ship already starting to turn. Leading software and cloud vendors are running formidable security programs. Governments are leading the way. Corporations are not slow to jump on the bandwagon.
We have countless security vulnerabilities in the wild still to fix. But we also have figured out a scalable way to find them. By open sourcing security in this way, we are on a path of bucking a trend that has been negative for far too long. Together we are analyzing and repairing the digital assets of our connected society.