Ethically hacking federal agencies and contractors
© Getty Images

With federal agencies and federal contractors under daily attack from cyber criminals, nation-states and others, thousands of so-called "white hat" ethical hackers are ready to enlist in the battle.

And longtime open source proponent Marten Mickos is helping them join the fight.

Mickos is the new CEO of HackerOne, the leader in the nascent field of vulnerability coordination. He brought his experience as an entrepreneur and open source advocate to the company in November.

"Modern security is hacker-powered," declares Mickos. "We are providing exactly what the world needs."

ADVERTISEMENT
Major tech companies like Microsoft, Facebook, Google, Adobe and Yahoo! already are connecting directly with the white hat community by offering so-called "bug bounty" programs under which they reward hackers for reporting vulnerabilities they find. Those companies proudly and publicly boast about the programs, and make it clear how bug hunters can get in touch with them to share their findings.

The stakes are high. Companies that ignore ethical hackers — or even threaten them with legal action in the vein of "shooting the messenger" — face a risk that a cyber criminal will find the vulnerabilities first and use them in an attack instead.

While the tech giants are quick to collaborate with ethical hackers so that vulnerabilities can be uncovered and fixed more quickly, many of the top companies in the federal space don't have such programs or follow similar best practices. This summer, The Hill noted that the Government Accountability Office (GAO) castigated federal agencies for being lax on security and thus making agencies more vulnerable to cyberattacks like the Office of Personnel Management (OPM) breach, which impacted more than 21 million Americans.

HackerOne surveyed the sites of the Forbes Global 2000 and found that a mere 6 percent of them were publicly inviting ethical hackers to report bugs, Mickos said. At present, Honeywell, Hewlett-Packard, General Electric and the California Institute of Technology are among the few major federal contractors on that list. Among government agencies, exceptions are the U.S. Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security, and NASA, both of which do have public processes in place to enable constituents and partners to report incidents, phishing attempts, malware and vulnerabilities.

Mickos is betting that federal security professionals soon will demand that vulnerability coordination programs be added to the government's toolkit. And HackerOne is making it easy to do.

The 30-month-old company already has 380-plus commercial companies using its platform.

"Serious security extends beyond any company's staff," he explains. "It's best to invite the community to examine your software or system. This kind of open source solution is more secure."

The company says it has "tens of thousands" of ethical hackers ready to look for vulnerabilities. Those hackers are available as a community to interested companies.

HackerOne provides a free platform that connects hackers and security pros, complete with a hacker "reputation" ranking system. When a company pays the reward for the information on a given vulnerability, HackerOne collects a percentage.

"We are the Uber of security, but instead of offering cabs, we offer ethical hackers," says Mickos.

The reference to Uber is intentional. Benchmark Capital — an early investor in Uber as well as Twitter, Instagram and Snapchat — is a major backer of HackerOne.

"We represent the next natural step in security and a shift in thinking," says Mickos. "Security used to be done in secret and only with those who had clearance. Now the idea is 'keep your secrets in the safe, but let the community see your product.' And the community will complement your staff, not replace it."

Such a shift in thinking may also require a shift in policy.

"The old way of thinking is sometimes applied in bad policy," Mickos adds. "The Wassenaar 'intrusion software' is a perfect example of old-style thinking that doesn't understand an open source community.

"A better policy would say, 'If you want us to buy your product, you must be serious about security. And if you aren't inviting the community to help find vulnerabilities in your product, then you aren't serious about security."

In this way, Mickos sounds like many other Silicon Valley executives who are racing far ahead of the federal government and unaware of the slower pace of policy. But in this case, at least, the government must find ways to move faster.

Bond is a former under secretary of Commerce for technology and a former CEO of the trade association TechAmerica. Today he is president and CEO of Bond & Associates, a technology and healthcare lobbying firm with offices in Washington and Silicon Valley.