BOSTON—More than ever, hackers are getting a welcoming embrace from law enforcement, governments and business.
Bug bounties and vulnerability disclosure programs are becoming the norm across industry, and hackers are no longer universally viewed as a pariah.
Simultaneously, however, groups such as the ShadowBrokers and rogue hacktivist operations are co-opting some of that acceptance when they leak dangerous tools or personal information, putting a dent in the hacker spirit of demonstrating a threat to force a solution.
Keren Elazari, a security researcher at Tel Aviv University in Israel, today during a keynote at Source Boston likened white-hats to the immune system of the information age, and urged organizations to continue to embrace “the creative chaos” hackers bring.
To a large degree, that’s happening already, she said, pointing to the Department of Defense’s Hack the Pentagon, Army and Air Force bug bounty programs as examples of hackers playing a bigger role in hardening defenses. She also said programs such as the Federal Trade Commission’s competition that solicited security solutions for connected devices and DARPA’s Cyber Grand Challenge represents a general recognition by lawmakers and boards of directors that awareness of threats and solutions are a mandate.
But the ShadowBrokers’ leaks of NSA hacking tools, WikiLeaks spilling of CIA hacking tools and the relentless manipulation of the U.S. presidential election last year continue to threaten recent gains, Elazari said.
“It breaks my heart when I see a manipulation of the truth taking place,” she said. “This is very far from what I saw a few years ago.”
Bug bounties are probably the most tangible outreach organizations have toward security researchers. More and more, these programs are not limited to tech companies. Retail organizations, airlines, automakers and many others see the value of setting up a mechanism for receiving bug reports and eventually paying relatively short money for private vulnerability disclosures that result in patches.
“Having a bounty means (boards) can show shareholders that the company went the extra mile to identify security risks the company is facing,” Elazari said, adding that some bug-hunters have made a career of joining bounty platforms such as Bugcrowd and HackerOne and getting reimbursement and recognition for their work. “Bounties have created an opportunity for people worldwide to work as a researcher and get paid legitimately by big companies, and sometimes get a job offer,” Elazari said. “That’s something that had never happened before on such a scale.”
The U.S. government has also extended an olive branch to white-hats through the Hack the Pentagon/Army/Air Force programs, something that was also incomprehensible in years prior. Five years ago, there was no way the government would advocate researchers poking around public-facing websites looking for vulnerabilities without the threat of long-term incarceration. Today, early beta runs of the DoD bounty programs have paid out tens of thousands of dollars to researchers who have turned over more than 100 bugs collectively.
“There is great value there,” Elazari said. “Companies are enjoying an increase in reputation and can promote themselves as having a more mature approach to cyber if they have a bug bounty. It makes a world of difference.”
Going forward, Elazari said advocacy groups such as I Am the Cavalry and others are going to be crucial in bringing device manufacturers to the table and securing connected devices. The Mirai DDoS attacks of last October were the warning shot to industry to address IoT vulnerabilities, such as default passwords and exposed telnet connections. It was clear the industry needs to do more to protect IoT devices, such as build mechanisms to automatically update firmware on devices.
“Mirai is what brought the reality that not only will DDOS attacks continue to be with us, but they can be supercharged with these connected devices and can be used to attack DNS and NTP, both technologies that no one really owns and that we all rely on,” Elzari said. “This should inform us as security professionals and civilians to demand better from manufacturers and from people who maintain basic internet protocols.”