Members of the House of Commons Standing Committee on Public Safety and National Security, thank you for inviting us to speak today. I look forward to providing you with our perspective on cybersecurity and bug bounty programs.
I am vice-president of business development and policy of San Francisco-based HackerOne, the world's leading provider of hacker-powered security. I'm here with Jobert Abma, the founder of HackerOne. He founded the company when he was 23 years old and has been hacking since he was 13.
HackerOne operates bug bounty programs that connect companies and governments with the best white hat hackers in the world to find and fix vulnerabilities before malicious actors exploit them. As of January 2019, over 300,000 white hat hackers have registered with HackerOne to defend customers,—among them, the United States Department of Defense—removing over 80,000 vulnerabilities and preventing an untold number of breaches in the process.
Today's cybersecurity practices are severely outdated, in contrast to the cyber threats that society faces. When exploited for criminal purposes, even just a single and relatively unremarkable security vulnerability can create havoc, as the Equifax data breach grossly reminded us in 2017. In 2018 many other breaches have made the press, including the WannaCry ransomware attack.
For financial institutions, fraud incidents both online and offline increased by more than 130% in 2018, resulting in significant monetary and reputational losses. In the U.K., the number of cyber-attacks against U.K. financial services reported to the U.K.'s Financial Conduct Authority has risen by more than 80% in the last year. It is an unfortunate fact that in the digital realm, society is currently failing to provide its citizens with what societies were established for: safety and security.
I would like to talk now about hacker-powered security—a scalable model that can be used to prevent cyber-attacks in society as a whole, especially in the financial industry and national security. Whatever protections and defences we build into our digital assets—and we should build a lot of them—there's one practice that covers every possible cause of cyber breach. There is an immune system that will approach the digital assets from the same direction as adversaries and criminals, from the outside. There is a mechanism that, at scale, has the opportunity to ultimately detect every hole, every weakness and every security vulnerability in a system or product built by humans.
This practice is often called hacker-powered security. Hacker-powered security covers any cybersecurity-enhancing services and automations that are partially or wholly produced by independently operating security experts outside the company or organization in question. It is a model that invites external and independent security researchers and ethical hackers to hunt for vulnerabilities in computerized systems. These are individual experts who have signed up to help corporations and organizations detect and fix their security weaknesses.
The most fundamental function of hacker-powered security is a vulnerability disclosure program, also called responsible disclosure or coordinated vulnerability disclosure. A vulnerability disclosure program is essentially a neighbourhood watch for software. The motto is “If you see something, say something.” Concretely, if and when an ethical hacker finds a security vulnerability in a company or government organization's website, mobile app, or other computer system, this person will be invited to disclose to the system's owner the vulnerability that was found.
Most human beings are ready to help their neighbour, so the impetus for vulnerability disclosure is enormous. Issues of legality and trust, however, make vulnerability disclosure more complicated than a regular neighbourhood watch. To solve this issue, leading companies have created their own policy frameworks for the disclosure of vulnerabilities to them, and others turn to companies such as HackerOne to organize and coordinate such programs.
When an entity decides to offer financial rewards to finders of vulnerabilities, the vulnerability disclosure program is called a bug bounty program. Bug bounty programs have existed since at least 1983. The practice was perfected by Google, Facebook and Microsoft over the past half-dozen years.
Hacker-powered security programs have demonstrated their effectiveness compared with other methods of vulnerability detection. Hiring full-time employees or external service or product vendors to test for vulnerabilities is more expensive. No other method for validating software or manufactured products in use by consumers has been shown to produce similar results at such a favourable economic unit price.
Hacker-powered security is a scaled model. Today, there are over 300,000 registered ethical hackers on our platform alone, and over the coming years, we hope that this number will grow to over one million. The army of hackers will be able to take on the work of the entire digital realm of our society.
Thanks to the diversity and scale of the hacker community, hacker-powered security finds vulnerabilities that automated scanners or permanent penetration testing teams do not. Existing models are good at finding predictable security vulnerabilities, but even more important is to find the unpredictable ones: the unknown unknowns. Given a large enough hacker community and enough time, such vulnerabilities will be identified.
Entities that operate such vulnerability disclosure or bug bounty programs include Adobe, AT&T, the U.S. Department of Defense, Dropbox, Facebook, General Motors, Google, Microsoft, Nintendo, Starbucks, Shopify, Twitter and United Airlines. Specifically in the financial industry, American Express, Citigroup, JPMorgan Chase, ING and TD Ameritrade have public VDPs.
The U.S. Department of Defense and HackerOne pioneered the first federal government bug bounty program. Since the program's inception, more than 5,000 security vulnerabilities have been safely resolved in DOD critical assets with hacker-powered security. While the majority of the vulnerabilities reported through the DOD were without financial compensation, hackers have been awarded hundreds of thousands of dollars in bug bounty payments by the DOD.
A question I get a lot is, who are these hackers? Security experts may be described using a variety of titles, including ethical hacker, white hat, security researcher, bug hunter and finder. One title is conspicuously absent: criminal. Hackers are not criminals. Specifically, bug bounty programs offer no benefit to someone with criminal intent. On the contrary, HackerOne will record data about every hacker on the platform and only reward action that followed the rules. For these reasons, criminals go elsewhere.
Hackers are driven by a variety of motivations, many of which are altruistic. The security advocacy organization I Am The Cavalry summarizes these motivations as to protect—make the world a safer place; puzzle—tinker out of curiosity; prestige—seek pride and notability; profit—to earn money; and protest or patriotism—ideological and principled. A 2016 study by the U.S. National Telecommunications and Information Administration within the Department of Commerce found that only 15% of security researchers expect financial compensation in response to vulnerability disclosure.
Hacker-powered security not only improves security, but the model democratizes opportunity and offers meaningful work to anyone with the inclination and drive to be a useful, ethical hacker. Many hackers are young adults. They can do their work from anywhere. The money hackers make is used to support families, pay for education and catapult them into successful professional careers.
Hacking brings meaning and mandate to enterprising people irrespective of their location. Hacking brings positive societal impact across the nation.
In conclusion, we need hackers. Our goal must be an Internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security. Hackers are truly the immune system of the Internet. They are a positive power in society. We must enable them to encourage contribution. This requires a safe legal environment, encouraging all individuals to come forward with vulnerability information, no matter what the circumstance.
To close, I will repeat the words of numerous experts that a ubiquitous “see something, say something” practice for vulnerabilities is a vital and critical step towards improving cybersecurity for consumers. The absence of a formal channel to receive vulnerability reports reduces a vendor's security posture and introduces unnecessary risk. Corporations and the government should welcome input from external parties regarding potential security vulnerability. The Canadian government should encourage, if not require, that behaviour.
Thank you for the opportunity to testify on this important issue.