Three ways hackers can help protect our national cyber infrastructure

From data breaches to election interference, cyberattacks continue to be a serious threat to U.S. government agencies, businesses and citizens alike. However, these incidences are so prevalent that it seems like it has become the new normal. Even with lawsuits, Senate hearings and financial penalties, the reaction seems less urgent. Data breaches have caused distrust, and with that has come cynicism and an acceptance that nothing can be done.

Yet, there is hope. In the last six months, the U.S. government has taken three extraordinary steps towards changing the way it approaches cybersecurity, and they all involve the help of an unusual ally: hackers.

With the following initiatives, there is an opportunity to greatly improve the security of federal civilian agencies, the government supply chain and our election systems.

Secure every federal civilian agency

There are over 400 civilian agencies operating as part of the federal government, and they are all responsible for securing their digital assets and the extensive amounts of sensitive information they hold.

These agencies touch every citizen in ways that we cannot even imagine — from physical defense to private data. Yet, these agencies continue to be a frequent target of cybersecurity attacks. Over 35,000 cybersecurity incidents were reported by federal agencies in 2017 alone. The U.S. Postal Service, the Internal Revenue Service and the White House are among the agencies that have reported data breaches in the last five years.

A new initiative rolled out by the U.S. Department of Homeland Security (DHS) will require every civilian agency to work with ethical hackers to better secure their digital assets. The directive would require all federal civilian agencies to establish a vulnerability disclosure policy (VDP) to receive and resolve security vulnerabilities found by ethical hackers before they can be exploited by cybercriminals. A VDP ensures that if a hacker sees something risky on a website or application, that they can easily report it, and the organization will have an immediate way to handle the communication with a pathway to remediation.

Vulnerability disclosure has long been an important practice within the cybersecurity community. The U.S. Department of Defense (DOD) has been running such a policy since 2016 and has since resolved over 12,000 security vulnerabilities that otherwise could have been exploited. VDPs are also promoted extensively — from the U.S. Department of Justice to the European Commission to the U.S. Food & Drug Administration.

Secure our election systems

The IT-Information Sharing and Analysis Center (IT-ISAC) and Senate Rules Committee have been working with all of the election security vendors, the election certification bodies, and private industry to figure out how ethical hackers can help secure the election.

Relations between ethical hackers and the election security vendors have been notoriously fractured, even though they are working towards the same goal.

This past summer, the IT-ISAC sought to bridge the gap by issuing a Request For Information (RFI) on how VDPs and hackers can best work together. Election vendors have since made huge efforts to understand the importance of the contributions of ethical hackers.

Secure the government supply chain

The DOD is completely overhauling the manner in which it secures the defense supply chain via the Cybersecurity Maturity Model Certification (CMMC). The CMMC will require every organization that does business with DOD to meet certain cybersecurity standards, from the spot welder to the big system integrators.

The impact of this is astounding.

The DOD itself awards billions of dollars of contracts each year. Breaches in the government supply chain risk our national security, and there is a direct monetary impact to the taxpayer, an average cost of $6,000.

Ethical hackers could have a role in this initiative. An earlier draft of the CMMC required Level 3 contractors to meet a core standard (RS.AN-5) in the NIST Cybersecurity Framework that requires organizations to have processes in place to receive and analyze vulnerabilities disclosed from external sources including security researchers. Unfortunately, that core standard was removed from the CMMC and replaced with an alternative standard that only requires Level 2 contractors to monitor system security alerts and advisories and take action in response. While the DoD is missing an opportunity to leverage security researchers to secure its supply chain, there is hope that our government will reconsider in future versions of the CMMC.

We encourage our government to continue to recognize the contribution that hackers can make to national security.

The exploitation of vulnerabilities found in our government’s cyber infrastructure is only going to grow. Meanwhile, there is an entire army of hundreds of thousands of security experts eager to help.

Deborah Chang is VP of Policy and Business Development at HackerOne, an internet security company.