On the U.S. Government and bug bounties
My favorite thing about going to conferences is establishing the underlying trends behind the questions I’m asked. We’re only half-way through RSAC/BSides week, and already the dominant question is clear:
When is the government going to start a bug bounty program?
Here’s my answer:
The government has no choice but to adopt a crowdsourced model for vulnerability discovery, it’s more a question of when will the pain of staying the same exceed the pain of change.
The US government faces the same challenge that Bugcrowd addresses with our many tech and non-tech corporate clients…
- There is a dearth of defenders. In the US alone there are 209k unfilled cybersecurity roles according to the Bureau of Labor. Last year, Cisco reported a global shortage of 1 million people. Despite an offered median annual wage of 116k per year, the problem isn’t going away… There aren’t enough defenders to go around.
- Then there’s the other elephant in the room: The attackers have a clear economic advantage over the defenders. I’m not talking about classic defender’s dilemma – At this point in the evolution of cybersecurity that should be a given… I’m talking about the fact that defenders are incentivized (and therefore constrained) by an hourly rate; while the attackers are incentivized (and therefore enabled) by a results.
This is not a bug bounty problem, nor is it a vulnerability disclosure problem. It’s a resourcing and economic problem, in which cybersecurity defenders are fundamentally disadvantaged by an outdated model.
When I started Bugcrowd, the market didn’t have a bug bounty problem (it does now – but that’s for another post), I was responding to inquiries from penetration testing clients who saw the Facebook and Google bug bounty programs and came to their own conclusion that a crowd of allies would be a logical way to level the playing field against the crowd of adversaries. The idea behind Bugcrowd was to take the bug bounty concept and use it as a catalyst to change the way defenders worldwide think about how they access the intelligence and data they need to resource the constant challenge of outsmarting an adaptive adversary.
…and now, here we are: With arguably the best known defender on the planet, The Department of Defense, going to the press and signaling that they are keen to adopt this model.
Here’s the point I’d like to get across… A constant challenge for those considering a more distributed model of cybersecurity resourcing and, based on the press articles today, a key concern for the DoD is “how can we embrace and engage the talents of people we’ve traditionally distrusted?”
The key thing to keep in mind is this: A dominating trend of the last 10 years is making our core systems more accessible to our users. In doing this, we’re also making them more accessible to the adversary. We will make mistakes in how we implement these systems because we are human, and these mistakes will continue to create vulnerabilities. Our adversary isn’t subject to our concerns around trust… The Internet is not background checked, nor does it stay in scope.
As a defender, you cannot control your adversary. You can only control where you are vulnerable, but you can only do that if you know.
As crowdsourced security proliferates, the task of shifting mindsets from “why not” to “how do I engage this” centres around bringing enough of a level of comfort to the idea to get started… Bugcrowd pre-empted this, built trust tiers to support it, and deploy it successfully for almost all of our more traditional customers. After their initial interaction with the crowd via our platform our the majority of our clients go on to relax the trust controls, thereby accessing a wider pool of the creativity that exists in the whitehat hacker community.
To the DoD…
Congratulations on your decision to make a stand around thinking progressively in this area. I’m obviously biased, but I firmly believe that the combination of an army of allies coupled with a radically different and more efficient way of connecting with them will be the only viable path to leveling the playing field against your adversaries. Start small, and focus on finding a the appropriate level of trust that will get you over the bar and get started. Once you experience the benefits from accessing a broader range of talent under a more efficient economic model, work to expand the scope of what you’ll allow people to test and those you’ll invite. The results will be worth the effort and initial discomfort.
You’ve gotten ahead of the curve, and that’s a wonderful thing not just for you but for the Internet at large.