Prior to 2016, the U.S. Government shunned the idea of enlisting good-faith hackers to test IT systems for vulnerabilities, due to longstanding concerns about ulterior motives and general reservations about trusting those “outside the tent.”
That has changed in recent years, as more government agencies have come to partner with the crowdsourcing community to harden the nation’s cybersecurity posture.
After years of resistance, the government now views crowdsourced security as a powerful counter-force to strengthen security through bug bounties, red team penetration testing, and vulnerability disclosure programs, and to balance the inherent asymmetry of outsmarting a diverse crowd of adversaries.
The good news is that federal agencies are inoculating public IT infrastructure against dangerous threats by not only listening to the Internet’s Immune System, but proactively inviting its input, and improving their ability to act on its advice.
The White House released its significant Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence in October, amid a whirlwind of public interest in generative artificial intelligence. That Executive Order set out strong standards and guidelines to secure AI systems before public release. The directive promotes best practices for federal agencies to ensure data privacy for all citizens, and it safeguards employees against workplace discrimination through the misuse of AI. It also supports international collaboration to build frameworks that can protect people against unethical uses of AI.
The Executive Order explicitly endorses “AI red-teaming,” which involves the use of adversarial hacking methods to identify flaws and vulnerabilities, such as harmful or discriminatory outputs from an AI system or potential risks associated with the misuse of the system.
Hack the Pentagon
Public-private security partnerships first emerged when Congress passed the Federal Information Security Modernization Act of 2014 (Public Law 113-283), which supported “developing and conducting targeted operational evaluations, including threat and vulnerability assessments” on government information systems. Soon after, the Department of Defense launched its “Hack the Pentagon” program in 2016 to invite public security researchers to help secure its networks and IT systems from cyberattacks.
Congress approved initial funding for crowdsourced security through the National Defense Authorization Act of 2020 (S 1790). That measure provided for “security testing that includes vulnerability scanning and penetration testing performed by individuals, including threat-based red team exploitations and assessments with zero-trust assumptions.”
Another major breakthrough came in September 2020, when the Cybersecurity & Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD 20-01) to develop a vulnerability disclosure policy (VDP). That directive established the first formal way for members of the public to provide cybersecurity support by finding and reporting vulnerabilities in a legally authorized manner. Such policies were created to support good-faith hackers who were willing to contribute their time and skills to better the state of national security.
The CISA plan was ambitious from the start. It set out to standardize VDP adoption across all the Federal Civilian Executive Branch agencies by using a “carrot” of implementation guidance and frameworks, and a “stick” in the form of an endorsement by the Office of Management and Budget. When the VDP Platform was launched in September 2021, adoption was in the low single digits. Today, CISA has on-boarded more than 40 federal agencies to provide ongoing VDP research findings. Some encouraging figures include a 38-day average time to remediate more than 1,100 known vulnerabilities, and an 89% remediation rate for all validated vulnerabilities submitted to the program. Submissions by hackers have continued to grow year over year, with an estimated 80% growth rate in FY23.
The Securities and Exchange Commission took further steps in March 2022 when it introduced rules to standardize disclosures by public companies regarding their cybersecurity risk management, strategy, governance, and incident reporting. The SEC’s call for cybersecurity expertise in the Boardroom demonstrated that the commission views cybersecurity through the same lens as any other risk, recent or exotic, such as human resources, arbitrage, or currency.
In March 2023, the White House Office of the National Cyber Director adopted a far-reaching National Cybersecurity Strategy to establish firm policies for protecting the country. The strategy document broadly states that “the Administration will encourage coordinated vulnerability disclosure across all technology types and sectors.”
Army of adversaries
These public-private partnerships and new reporting processes have driven several important benefits for governmental security, including:
— Massive adoption and consistent results through the use of a technology platform that manages VDP workflows and outcomes. This paradigm is now being extended into bug bounties and crowdsourced penetration testing on the platform.
— Greater visibility for the researchers and a wider impact for the government. The public programs have driven researchers to the targets in ever-larger numbers to improve downstream reporting and successful remediations.
— A working template for successful public-private partnerships that other government agencies can adopt to mobilize the crowd and engage the Internet’s Immune System.
Why is all of this so important? Because the only true way to prevent technology from being maliciously exploited is to properly secure it at the technical level. The steady integration of cybersecurity into top-level government policy is an indicator of the maturation of cyber risk from being poorly understood and the exclusive domain of pure technologists, to being accepted as a core aspect of business risk management and a mandated topic from Boardrooms to the Halls of Congress. As a result, these partnerships enable the U.S. Government to continually improve protections for all Americans against ongoing cyberattacks.
Casey Ellis is chief strategy officer at Bugcrowd, a crowdsourced security platform that became one of the largest bug bounty and vulnerability disclosure companies.