We are thrilled to introduce the newest member of the HackerOne team, Kathryn Haun, who is joining our board of directors. Katie is a former U.S. Department of Justice (DOJ) federal prosecutor, Stanford Business School Lecturer and serves on the board of Coinbase.
With cybersecurity affecting every industry, every entity, and every person who is digitally connected, Katie thinks one of the best ways to protect against nefarious actors is to provide a safe environment for ethical hackers to beat them to the punch. We caught up with Katie to learn how empowering the world to build a safer internet is an extension of the work she was doing for the DOJ. Check out the full Q&A below:
Tell us a bit about yourself and why you are excited to join the HackerOne team?
My name is Katie Haun, and I’m a former federal prosecutor and now teach at Stanford University. I’m passionate about public safety and security. In my role as prosecutor, I got to take murderers and violent gangs off the street and stop fraudsters and identity thieves. Joining the HackerOne board feels like an extension of that work since its mission is to make online systems and digital identities safer for everyone. The distributed aspect of the HackerOne community also really appeals to me. I think such models are the way of the future. They harness the best and brightest without regard to physical location – and that just so happens to mirror those who are working to exploit us. Cybersecurity affects every industry, every entity, and every person who is digitally connected. We live in an age where our dependence on technology is growing faster than we can secure it, and I’m really excited to work with a company that is helping address that problem.
For those that may not be as familiar, what is the role of a corporation’s Board of Directors?
Generally speaking, the Board of Directors consults with management about the overall strategic and operational direction of the company. Though it does not manage the company or its day-to-day operations, it identifies risk areas and opportunities, protects company assets, and works closely with management. It does this through formal mechanisms, like voting on actions presented at board meetings, but also through informal mechanisms, serving as a sounding board or resource for company management. I am joining as the company’s first independent director, a role that is required in public companies but that private companies are increasingly adding as they mature and scale to bring an outside voice and diverse set of professional experiences.
You are a known expert in blockchain and cryptocurrency and on the board for Coinbase, what do you look for in companies you advise? How does HackerOne fit in?
First off, I look to work with companies that are building technologies or platforms that are transformative and that will be used to improve the status quo for us all. Many times they may not fit neatly into existing regulatory and legal frameworks -- this is where my expertise comes in. One of the things I saw after over a decade of working in government and living in Silicon Valley was the need for bridge building between regulators and policymakers, on the one hand, and technologists and creators on the other. But my work with companies isn’t a one-way street: I also seek out places where I am able to learn and broaden my own substantive knowledge. For example, since teaming up with HackerOne I’ve learned a whole lot more than I thought possible about hunting cross-site scripting errors! I enjoy immersing myself in new technology by working with companies that are industry leaders in cutting edge fields and that embrace responsible innovation. HackerOne and Coinbase both share these characteristics.
As a DOJ prosecutor, you took on some high profile cases, including those with members of Russia’s largest illegal hacking rings and other cybercriminals. How did your experiences as a federal prosecutor, and in particular these cases, shape your view of cybersecurity legislation, policy and even hackers in general?
Criminals are some of the best beta testers of new technologies; they continuously adapt and innovate. The stereotypes of cybercriminals are a far cry from some of these organized enterprises being run as businesses. Ransomware campaigns, for example, now use price discrimination algorithms to detect what price they can extract from their victims and provide customer service support.
In the cyber context the bad actors are often outside the jurisdictions where their misdeeds have the most impact. These cases require going through extremely outdated processes to obtain even the most basic evidence for attribution, so law enforcement has its work cut out for it. Antiquated rules for gathering evidence overseas are hampering the government’s ability to root out, deter and prosecute cybercriminals, and increasingly private entities are finding they are able to act more swiftly than law enforcement. But this is only so effective because private entities lack the ability to prosecute and hence deter. Thus, instead of deterring cybercriminals, our current system can actually provide many of them something of a safe harbor.
At the same time, current laws have the potential to create a real chilling effect on ethical hackers. I think that one of the best ways to protect against nefarious actors is to provide a safe environment for ethical hackers to beat them to the punch. But a fear of being sued civilly, or worse, prosecuted, may deter some real talent from engaging in this important work. That’s why I was encouraged to see DOJ publish a framework for vulnerability disclosure programs, and to see government entities like the Pentagon or GSA embrace ethical hacking programs by running them -- things like this send a signal that white hat hacking is to be encouraged.
At HackerOne, we are all hackers in some way. How/what do you hack?
I’d like to think I hack career paradigms. I have never pursued a traditional career path despite having a traditional profession. For example, I began my career working at the U.S. Supreme Court for Justice Kennedy. But instead of becoming a partner in a big D.C. firm which would’ve been a traditional path, I left for the gritty world of gangs and guns. From that role the more expected path was to become a judge or go into private practice, but I pivoted to the tech world and got deep into cryptocurrency. Now I’m gearing up to work with a company that hacks the Pentagon! I’ve also done these jobs from a range of locations. No matter what role I’ve had, I’ve found a way to work while living on the road a couple months a year -- whether that’s in Ljubljana or Laos, or in Africa or the Atacama desert. Thanks to technology, I’ve managed to live in new places without sacrificing the professional career that I love.
What is something that most people don’t know about you?
That I grew up living in Cairo and as a kid I appeared in Middle Eastern television commercials.