Jan 24, 2019

Analysis | The Cybersecurity 202: Congress is finally embracing bug bounties. Will it backfire?

By Joseph Marks


The Harry S. Truman Building at the State Department in Washington on Oct. 24, 2014. (Larry Downing/Reuters)
Lawmakers have started going bananas for bug bounty programs, and some prominent security pros are worried these ethical hacking contests could turn out to be counterproductive or even dangerous.
One of the first things the House did this session was pass the Hack the State Department Act -- offering cash prizes to ethical hackers who undergo background checks in exchange for reports about vulnerabilities in State's websites and other Internet tools. Separately, Democrats' wide-ranging H.R. 1 bill -- which outlines their top priorities -- would also allow state and local governments to participate in another bug bounty program so outside researchers could search for unpatched bugs in their election systems.
As one of their final actions last Congress, legislators passed a Homeland Security Department bug bounty. They also considered bounties at the Treasury Department and elsewhere in government.
Congress's eagerness to embrace bug bounties marks a dramatic shift from just a few years ago, when government officials and many lawmakers were wary of this tech company model of crowdsourcing cybersecurity. 
But one of the most influential bug bounty proponents in the private sector worries that Congress now incorrectly views them as a panacea -- and a replacement for the hard job of fixing serious and institutional problems in government cybersecurity. 
“Bug bounties can be useful. They can be lucrative. [But] they are not universally applicable,” said Katie Moussouris, who was instrumental in launching the first government bug bounty at the Pentagon in 2016 when she was chief policy officer for the bug bounty contractor HackerOne. The company went on to manage bug bounties at the Army, Navy and Air Force.
Moussouris, who is the founder and chief executive of Luta Security, says the model that worked for the Pentagon and military services is unlikely to work for civilian agencies, which have far fewer resources and less technical expertise -- and a poor track record of fixing vulnerabilities that in some cases have festered for decades.
That means researchers are likely to turn up a long list of vulnerabilities the department either can’t fix, can’t fix expeditiously, or should have fixed itself before it invited the outsiders in, Moussouris said. 
But Rep. Ted Lieu (D-Calif.) who sponsored the State Department bug bounty bill along with Rep. Ted Yoho (R-Fla.) disagreed.
Lieu told me in an email that his office consulted with the State Department while drafting the bill and is “confident that our approach has the necessary timeline and flexibility to ensure the same success achieved by the Department of Defense.”
“The best response to capacity problems is not to shrug and do nothing, but rather to shine a light on the problem, require the adoption of best practices and conduct rigorous oversight over implementation,” Lieu said.
Yet Moussouris says that before the Pentagon launched its bug bounty, officials spent months doing computer penetration tests to detect and patch easy-to-find computer vulnerabilities.
Once the program launched, it had staff ready to address the most serious bugs, triage others and determine whether the vulnerabilities hackers uncovered affected systems beyond the scope of the program. The State Department, however, lacks the Pentagon’s hefty technology resources and is bound by more stringent contractor requirements that make patching vulnerabilities a complicated process.
The department is also struggling under serious and ongoing cybersecurity vulnerabilities that it has been unable to fix in house, according to audit reports.
Other critics have warned against rushing into bug bounties too soon, but said it's useful for agencies to aspire to them — especially if they start slowly by launching a vulnerability disclosure policy, or VDP, first. A VDP essentially tells ethical hackers how to search an organization for digital vulnerabilities and who to contact when they find them, but doesn't offer any cash rewards.
Lieu and Yoho's Hack the State Department Act would begin with a vulnerability disclosure policy mandated within six months and follow with a full bug bounty after one year.
Even establishing a vulnerability disclosure program in six months would be a very difficult task, however, Moussouris said.
“You need to be prepared to fix your bugs when people report them, and that’s easier said than done,” she said.
Employees of the Fulton County Election Preparation Center in Atlanta test electronic voting machines on Sept. 22, 2016. (Alex Sanz/AP)
PINGED: Georgia Secretary of State Brad Raffensperger said adopting a new voting system for the state is his highest priority -- and asked Georgia lawmakers for $150 million to replace outdated paperless direct-recording electronic voting machines, according to the Associated Press's Ben Nadler. Raffensperger said a system using ballot-marking devices would be more accurate than a hand-marked paper ballot system — though experts say hand-marked paper ballots are both more secure and less expensive.
“We believe that you get a better result, a more accurate result, and are actually able to move people through the lines faster when you have a ballot-marking device, so you don’t have to cipher out what someone meant with stray marks,” Raffensperger said, according to the AP.
While Raffensperger said the procurement process for the new voting system would have no “predetermined outcome,” the amount of $150 million that he requested is in line with estimates for ballot-marking systems. “Raffensperger said that, ideally, the state would have new machines in place in some cities for municipal elections in November 2019, before having them fully online across the state before November 2020,” the AP reported.

A Google employee holds media information files in Berlin on Jan. 22. (Clemens Bilan/EPA-EFE/Shutterstock)
PATCHED: Google's Threat Analysis Group issues about 4,000 warnings per month to Gmail users whose accounts government-backed hackers are trying to penetrate, the Wall Street Journal's Robert McMillan reported in an in-depth story on the tech giant's counterespionage team. The team, which has tracked operations by operatives linked to Iran, North Korea and Russia, is headed by Shane Huntley, a former hacker for Australia’s Defence Signals Directorate — the equivalent of America's National Security Agency.
“The 27-person team tracks more than 200 hacker groups that pose a threat to Google and its users, analyzing hacking techniques and clues to the groups’ identities to head off attacks,” McMillan wrote. “It leverages access to data across widely used Google products like Gmail, with more than 1.5 billion accounts world-wide, and to a database of attack code called VirusTotal managed by another arm of Google-parent Alphabet Inc.” The group also works to combat disinformation operations.
Huntley and others who have been part of cyber threat teams for major tech firms say their work for a company can have more impact than in the public sector. “There were a lot of people who had spent close to a decade in government, and everyone was recognizing, ‘Yeah, we can’t really do much,’ ” Sergio Caltagirone, a former NSA analyst who went to work at Microsoft and is now at Dragos, told the Journal.

Hands type on a computer keyboard in Los Angeles on Feb. 27, 2013. (Damian Dovarganes/AP)
PWNED: A British think tank called the Integrity Initiative that tracks Russian disinformation operations was hacked in late 2018 and Russian government-affiliated news outlets RT and Sputnik seized on the leaked materials, according to BuzzFeed News’s Kevin Collier. “This is yet another example of Russian disinformation intended to confuse audiences and discredit an organisation which is working independently to tackle the threat of disinformation,” a spokesman for Britain’s National Cyber Security Centre told BuzzFeed News in a statement. The NCSC and a private security company are probing the think tank's servers and employees' devices. 
The Integrity Initiative has removed content from its website for now, Collier noted. “Initial findings indicate that the theft was part of a campaign to undermine the work of the Integrity Initiative in researching, publicising and countering the threat to European democracies from disinformation and other forms of hybrid warfare,” according to a message on the site.

The dome of the Capitol is reflected in a window in Washington on Jan. 12. (Jabin Botsford/The Washington Post)
— Rep. Jim Langevin (D-R.I.) said he wants the Department of Homeland Security to brief members of the House Homeland Security Committee after DHS issued an emergency directive requiring civilian agencies to protect their data against a hijacking campaign targeting the “Domain Name System,” CyberScoop's Sean Lyngaas reported. Langevin told CyberScoop that “we need to understand the scope of this action and how many agencies were actually affected.”
— House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) will host a panel discussion at the Capitol today on the impact of the partial federal government shutdown on homeland security personnel and agencies, which includes the Cybersecurity and Infrastructure Security Agency.
— The Senate Intelligence Committee will also probably hear about cybersecurity threats next week as Paul Nakasone, the NSA director, will appear before the panel alongside the heads of other U.S. intelligence agencies for an open hearing on worldwide threats. A closed session will follow the open hearing.
— More cybersecurity news from the public sector:

The month-long shutdown is affecting how much information about cyberthreats the federal government can pass on to states, a former DHS leader says.

WikiLeaks founder’s lawyers file urgent application in attempt to prevent extradition to US (The Guardian)

The panel’s responsibilities—which include oversight of FITARA and other federal tech initiatives—will be swept up by the Government Operations subcommittee.

A man on his phone at the Eastern Market Metro station in Washington. (Michael S. Williamson/The Washington Post)
— Zumigo, a company that sold cellphone users' location data, asked the Federal Communications Commission in a presentation in late 2017 to relax requirements about user consent for data sharing, Motherboard's Joseph Cox and Jason Koebler reported. A Motherboard investigation this month revealed that T-Mobile, AT&T and Sprint sold their cellphone users' location information to third-party companies such as Zumigo.
However, FCC Chairman Ajit Pai said the commission doesn't plan to end consent requirements for sharing personal data. “The FCC’s position is that we have no interest in removing consent requirements around the sharing of personal data, and that extends to having no interest in working with Congress to remove any of those requirements,” Pai told Motherboard in an email.
— More cybersecurity news from the private sector:

The all-seeing Amazon, Google, and Facebook have every incentive to help the national security state undermine privacy, free speech, and democracy. We’ve read this book before.

The founder says the charge is ‘baseless,’ but that hasn’t stopped employees at some of the most important infosec companies from posting misogynistic comments in a closed Facebook group.

A Surface Laptop computer at Microsoft's main campus in Redmond, Wash., on April 20, 2017. (Mike Kane/Bloomberg News)
— A database containing more than 24 million financial documents leaked online following a server security blunder, according to TechCrunch's Zack Whittaker. The database was exposed online for two weeks, according to TechCrunch. “The server, running an Elasticsearch database, had more than a decade’s worth of data, containing loan and mortgage agreements, repayment schedules and other highly sensitive financial and tax documents that reveal an intimate insight into a person’s financial life,” Whittaker wrote. “But it wasn’t protected with a password, allowing anyone to access and read the massive cache of documents.”
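The failure TechCrunch describes, an Elasticsearch node that answers any HTTP request without credentials, comes down to a handful of settings. The following is an added illustration, not the configuration of the server in the story, written for an Elasticsearch 7.x elasticsearch.yml: the first document shows the exposed values, the second the corrected ones. The private address and the keystore path are placeholders.

```yaml
# elasticsearch.yml -- exposed configuration (added illustration)
# Binding to every interface puts port 9200 on the public internet if the host has
# a public address, and with security off any client can read every index.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# elasticsearch.yml -- corrected configuration (added illustration)
network.host: 10.0.0.5            # assumption: a private address; not internet-facing
http.port: 9200
xpack.security.enabled: true      # every request must carry credentials
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # assumption: placeholder path
```

After enabling security, set the built-in user passwords with `bin/elasticsearch-setup-passwords interactive` before restarting; a multi-node 7.x cluster also needs `xpack.security.transport.ssl.enabled: true` or the node fails its bootstrap checks. The check that would have caught the exposure above is an unauthenticated `GET /` against the node from outside its network: a locked-down node answers 401, the exposed one answers 200 with its cluster banner. Elasticsearch 8.x turns security on by default, so this misconfiguration mostly survives on older or deliberately downgraded deployments.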
— More news about security incidents:

Cryptocurrency swindlers are targeting Ether users and one Ponzi scheme made off with $3.5 million worth.

Nest's weak password requirements helped him pull off the hack.

France is aware of the risks of China’s Huawei Technologies access to next-generation mobile networks and will take measures when the time comes, its foreign minister said on Wednesday.

2FA is an important step in preventing your account from being accessed by unauthorized users — here’s how to enable 2FA on your accounts across the web. (The Verge)
