Our government’s computer systems are woefully insecure. We’ve seen this in multiple reports, including Russian hackers meddling with our election infrastructure, vulnerabilities found in US military weapons systems, and data breaches involving records of travelers crossing our borders.
Our government’s military-grade security used to serve as the ultimate example of security best practices. The tables have turned, and now our government must learn from the private sector. That’s why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently announced a draft directive that requires federal agencies, including all civilian agencies, to establish a vulnerability disclosure policy, or VDP.
An “if you see something, say something” for security bugs in the digital world, vulnerability disclosure policies enable good-faith hackers and citizens alike to look for and report security vulnerabilities without fear of legal action, with the end goal of safely identifying security issues before cybercriminals can exploit them.
Vulnerability disclosure policies are a recommended cybersecurity best practice by organizations like the National Institute of Standards and Technology (NIST) and are already in place at companies like Google, Chase, Goldman Sachs, General Motors, and Ford. The hacker community welcomes this directive and hopes that anyone concerned about our government’s digital infrastructure sees this as the moment that our nation’s cybersecurity changed for the better.
A history of hacks
In 2015, a breach of the U.S. Office of Personnel Management exposed millions of government employees’ security clearance records to Chinese hackers. Had there been a vulnerability disclosure policy in place then, an ethical hacker may have discovered these flaws before they could be exploited by criminals.
Last year, I disclosed a security vulnerability to the Department of Defense in a file-sharing system broadly used across the federal government. This system was used to share sensitive files such as military medical records and, notably, detailed voter data for Trump’s Election Integrity Commission. The vulnerability allowed anyone to bypass passwords and directly download any of the 15 million files uploaded on the site. Armed with the information in my report through their active vulnerability disclosure policy, the military was able to mitigate the security flaw before it could be exploited.
The U.S. government’s relationship with hackers hasn’t always been this smooth. Just a decade ago, the government viewed most hackers as enemies of the state. In 2002, teenage hacker Tommy DeVoss was arrested for hacking into military computer networks and banned from using computers for five years. That perception has since changed. Now, when DeVoss hacks the military as part of legitimate bug bounty programs like Hack the Pentagon, they write him a thank-you letter and a check to boot.
Today, several government agencies are well-versed in working with ethical hackers. Three years ago, I was one of the first outside hackers invited to hack the U.S. government with the launch of the Hack the Pentagon bug bounty program. After participating in several more of these cybersecurity challenges, I joined the Pentagon’s Defense Digital Service to help lead the military’s work with ethical hackers in the summer of 2018.
One of the Department of Defense’s efforts is its vulnerability disclosure policy, which has received over 11,000 valid vulnerability reports from good-willed hackers across the globe in just three years. That’s 11,000 fewer ways that an attacker could penetrate Pentagon systems. The Department of Defense estimates such measures have saved $64 million, not to mention the consequences of an unknown number of potential breaches.
The U.S. government sees the value that the outside hacker community provides and is choosing to work with them instead of against them. U.S. government officials are now taking an active role at DEF CON, the world’s largest hacking conference. The conference is held in the summer heat of Las Vegas each year and draws 25,000 attendees annually; historically, hackers there have played the game of “spot the Fed,” trying to identify hidden government agents.
Now, members of Congress and top military officials are speaking regularly at DEF CON about bridging the gap between public and private cybersecurity talent. This past summer, Will Roper, assistant secretary of the Air Force for Acquisition, Technology, and Logistics, pledged that the Air Force would open up a satellite currently in orbit to ethical hackers next year.
The opportunity ahead
As government agencies notoriously struggle to hire and retain technical talent, working with outside hackers offers an opportunity to help bridge that gap. With endlessly diverse perspectives, approaches, and experiences in tow, hackers can provide crucial feedback and point out glaring security holes that no one else in government is finding. Furthermore, it exposes hackers like me to roles working in government, which I personally would have otherwise never considered.
By both establishing channels for hackers to report vulnerabilities and ensuring legal protection for hackers who play by the rules, federal agencies can forge the relationships with hackers that are desperately needed. The successes of the Department of Defense must be replicated across all government agencies in order to improve security on a wider scale.
Change will not come easily. But just as curing a disease requires diagnosing it, our government must know about its own vulnerabilities. The recent CISA directive will instigate this change at scale, empowering every government agency to learn about and address real cybersecurity threats. Vulnerability disclosure policies will enable our government to better protect the systems our nation relies upon—by the people and for the people.
Jack Cable is a coder turned white hat hacker and undergraduate at Stanford University, currently ranked within the top 50 on HackerOne. After placing first in the Hack the Air Force challenge, Jack began working at the Pentagon’s Defense Digital Service. He is also the founder of Lightning Security. In 2018, Jack was named by Time Magazine as one of the 25 Most Influential Teens of 2018.