Today the White House rolled out its long-awaited National Cybersecurity Strategy. It was very exciting – but also a little unsurprising – to see crowdsourced security front and center as one of the few named solutions:
The United States Government will also promote regular testing and exercising of the cybersecurity and resilience of products and systems during development using best practices from forward-leaning industries. This includes promotion and use of coordinated vulnerability disclosure, crowd-sourced testing, and other innovative assessments that improve resiliency ahead of exploitation or attack.
The United States Government represents an enormous attack surface on the Internet. The combination of a broken status quo in security assessment, active and effective adversaries, a severe resource shortage in cybersecurity, and the fact that human creativity cannot be separated from solving these problems has driven the Government to take the lead of the corporate world and adopt more creative approaches to solving this problem.
The U.S. and other governments are under siege from both nation-states and criminal hacking groups with a number of large and high-profile cyber attacks in recent years (the financial system attacks of 2011, the more recent DNC hacks, WannaCry and NotPetya, as well as a rash of attacks in 2018 including one that shut down much of the IT operations for the City of Atlanta).
The release of the National Cybersecurity Strategy comes on the heels of the House Homeland Security Committee advancing a pair of bipartisan bills that would force the Department of Homeland Security to initiate a crowdsourced security approach through both a bug bounty program (via the Hack DHS Act) and a vulnerability disclosure program (via H.R.6735). Together these would enable whitehat hackers to look for and responsibly disclose vulnerabilities.
A few key notes from the document:
- The risk management priority of EO13800 was brought back to the top, with risk management coming second in the agenda only to the centralization of infosec management. Given the enormous attack surface of the federal government and the cybersecurity resource shortage, the only realistic way to deliver this is through more innovative resourcing models. This is where crowdsourced security and VDP play an important and necessary role, and why they were specifically called out as the recommended approaches.
- The unfortunate piece is the Modernization of Computer Crime Laws and its singular focus on the enablement of law enforcement and prosecution of criminals. I would have liked to see good-faith carve-outs — you can’t effectively adopt this model at scale without them. Disclose.io and contractual safe harbor will continue to be a departmental and organizational responsibility (vs. a DOJ or Federal one) for now.
For the Crowd – the global community of elite white hat hackers – these bills combined with today’s announcement signal a continued evolution of what we’ve seen over the past 3-4 years. When I started Bugcrowd (we were the first to offer crowdsourced security testing, back in 2012), hackers were still inherently scary. What’s changed is the public perception. Private organizations and government agencies around the world have seen the value of harnessing the power of a global community of trusted hackers. This has created a groundswell around turning hackers into friends instead of foes. My hope is that vulnerability disclosure will be mandated and ubiquitous across all government organizations, which would encourage security practitioners to build relationships with the researcher community.
We’re no strangers to a ballooning attack surface, and we know the security skills shortage continues to increase. We once fought wars on land and sea; then the invention of the airplane added another attack surface: the sky. Today, with the large and growing attack surface of the internet, the war is much more personal, bleeding into our everyday lives. To effectively shore up and secure the fourth frontier, cyber, we need to look to the Crowd.
The National Cybersecurity Strategy is an important and necessary move, and it demonstrates that the US government not only sees the value of crowdsourced security, but stands behind the global whitehat hacker community that powers it. This is a clear mandate, and a good one.