Modern field guide to security and privacy

Opinion: Why Washington needs more hackers

The federal government is finally beginning to embrace hackers, but it should do more to put their talents to work fixing the nation's cybersecurity. Their help is sorely needed.

Photo by Ann Hermes/The Christian Science Monitor
Massachusetts Institute of Technology student Ashley Wang at a hacking competition in March 2016.

A dark room. A hooded figure hunched over a keyboard. Lines of code on a monitor barely illuminate his face. An expression of glee as thousands of dollars are siphoned out of a victim’s bank account, followed by a pained look as a voice calls out, “Son, come take out the trash.” 

The stereotypical image of the teenage hacker in his parents’ basement is everywhere, even in our presidential debates. And yet, it couldn’t be further from reality. Hackers are a diverse bunch: young and old, PhDs and high school dropouts, and, increasingly, women.

But the one thing that unites all of the hackers I have met is intense curiosity. They want to know how things work, and they find out by taking things apart. Unfortunately, this proclivity has led to a number of misconceptions about hackers. Americans celebrate creators, inventors, and entrepreneurs, so the act of deconstructing others’ works is often seen as malicious.

This attitude, while pervasive, is misplaced. There are bad actors out there, who aim to use their skills to steal, extort or corrupt. But the majority of hackers, or cybersecurity researchers as they are sometimes known, are interested in solving the puzzle of how something works, probing its flaws, and then helping to shore up the weaknesses. This last point is very important: not only are most researchers uninterested in nefariously exploiting the vulnerabilities they find, they actively want to help fix them.

That help is sorely needed. Every day, thousands of new software products come on the market, from apps to connected devices. A car, for example, can have over 100 million lines of code powering its systems. These immensely complex systems inevitably contain errors. While most errors are innocuous – a garbled webpage or a crashed app – some can pose major security risks if not patched. The breaches that fill the headlines, from the Democratic National Committee to the Ukrainian power grid, are often a result of these vulnerabilities. 

Knowing these risks, companies are increasingly turning to hackers for help. Rather than threatening security researchers with legal action for disclosing code errors, forward-thinking businesses are providing clear avenues for hackers to report their findings.

These vulnerability handling processes respect the time and effort hackers put into discovering bugs by keeping clear lines of communication open and, often, providing some sort of acknowledgement to the finder. Occasionally, that acknowledgement comes in the form of cash, a “bug bounty” based on the severity of the issue. Vulnerability disclosure policies leverage the power of the crowd to improve security and save companies money.

While vulnerability handling has exploded across industry in the past several years, the federal government has lagged behind. Despite operating tens of thousands of websites and myriad other software products, the government has not provided any clear avenue for patriotic-minded hackers to disclose security issues.

Thankfully, forward-thinking leaders in the government are beginning to change that. Last year, the Department of Defense hosted the first-ever federal bug bounty program, “Hack the Pentagon.” Over four weeks, 1,400 hackers discovered more than 125 security vulnerabilities at a fraction of the cost per bug of existing programs. The Pentagon has since begun an expansion of the program, and the Internal Revenue Service announced that it, too, would begin offering bug bounties on a limited basis.

More importantly, federal agencies are finally beginning to welcome public service-minded hackers with full-fledged vulnerability disclosure policies. The General Services Administration released a draft policy for comment in October, and, in November, Secretary of Defense Ash Carter unveiled a Pentagon-wide policy. I commend outgoing Secretary Carter and the other leaders in these agencies for their efforts to treat hackers not solely as adversaries but as valuable allies as well.

These policies are nascent and will inevitably need some tweaking. They also cover only a fraction of the services provided by the government. But they represent an inflection point in our thinking about the security research community, and I hope the new federal Chief Information Security Officer makes expanding these programs a priority. 

Changing the image of hackers is tough. But I am glad the federal government is finally moving beyond stereotypes and embracing the potential for security researchers to improve our nation’s cybersecurity.

Congressman Jim Langevin (D) of Rhode Island is the cofounder and cochair of the Congressional Cybersecurity Caucus, and a senior member of the House Armed Services and Homeland Security Committees.

https://www.csmonitor.com/World/Passcode/Security-culture/2017/0125/Opinion-Why-Washington-needs-more-hackers