Public Safety Committee on Feb. 4th, 2019

Members of the House of Commons Standing Committee on Public Safety and National Security, thank you for inviting us to speak today. I look forward to providing you with our perspective on cybersecurity and bug bounty programs.

I am vice-president of business development and policy of San Francisco-based HackerOne, the world's leading provider of hacker-powered security. I'm here with Jobert Abma, the founder of HackerOne. He founded the company when he was 23 years old and has been hacking since he was 13.

HackerOne operates bug bounty programs that connect companies and governments with the best white hat hackers in the world to find and fix vulnerabilities before malicious actors exploit them. As of January 2019, over 300,000 white hat hackers have registered with HackerOne to defend customers,—among them, the United States Department of Defense—removing over 80,000 vulnerabilities and preventing an untold number of breaches in the process.

Today's cybersecurity practices are severely outdated, in contrast to the cyber threats that society faces. When exploited for criminal purposes, even just a single and relatively unremarkable security vulnerability can create havoc, as the Equifax data breach grossly reminded us in 2017. In 2018 many other breaches have made the press, including the WannaCry ransomware attack.

For financial institutions, fraud incidents both online and offline increased by more than 130% in 2018, resulting in significant monetary and reputational losses. In the U.K., the number of cyber-attacks against U.K. financial services reported to the U.K.'s Financial Conduct Authority has risen by more than 80% in the last year. It is an unfortunate fact that in the digital realm, society is currently failing to provide its citizens with what societies were established for: safety and security.

I would like to talk now about hacker-powered security—a scalable model that can be used to prevent cyber-attacks in society as a whole, especially in the financial industry and national security. Whatever protections and defences we build into our digital assets—and we should build a lot of them—there's one practice that covers every possible cause of cyber breach. There is an immune system that will approach the digital assets from the same direction as adversaries and criminals, from the outside. There is a mechanism that, at scale, has the opportunity to ultimately detect every hole, every weakness and every security vulnerability in a system or product built by humans.

This practice is often called hacker-powered security. Hacker-powered security covers any cybersecurity-enhancing services and automations that are partially or wholly produced by independently operating security experts outside the company or organization in question. It is a model that invites external and independent security researchers and ethical hackers to hunt for vulnerabilities in computerized systems. These are individual experts who have signed up to help corporations and organizations detect and fix their security weaknesses.

The most fundamental function of hacker-powered security is a vulnerability disclosure program, also called responsible disclosure or coordinated vulnerability disclosure. A vulnerability disclosure program is essentially a neighbourhood watch for software. The motto is “If you see something, say something.” Concretely, if and when an ethical hacker finds a security vulnerability in a company or government organization's website, mobile app, or other computer system, this person will be invited to disclose to the system's owner the vulnerability that was found.

Most human beings are ready to help their neighbour, so the impetus for vulnerability disclosure is enormous. Issues of legality and trust, however, make vulnerability disclosure more complicated than a regular neighbourhood watch. To solve this issue, leading companies have created their own policy frameworks for the disclosure of vulnerabilities to them, and others turn to companies such as HackerOne to organize and coordinate such programs.

When an entity decides to offer financial rewards to finders of vulnerabilities, the vulnerability disclosure program is called a bug bounty program. Bug bounty programs have existed since at least 1983. The practice was perfected by Google, Facebook and Microsoft over the past half-dozen years.

Hacker-powered security programs have demonstrated their effectiveness compared with other methods of vulnerability detection. Hiring full-time employees or external service or product vendors to test for vulnerabilities is more expensive. No other method for validating software or manufactured products in use by consumers has been shown to produce similar results at such a favourable economic unit price.

Hacker-powered security is a scaled model. Today, there are over 300,000 registered ethical hackers on our platform alone, and over the coming years, we hope that this number will grow to over one million. The army of hackers will be able to take on the work of the entire digital realm of our society.

Thanks to the diversity and scale of the hacker community, hacker-powered security finds vulnerabilities that automated scanners or permanent penetration testing teams do not. Existing models are good at finding predictable security vulnerabilities, but even more important is to find the unpredictable ones: the unknown unknowns. Given a large enough hacker community and enough time, such vulnerabilities will be identified.

Entities that operate such vulnerability disclosure or bug bounty programs include Adobe, AT&T, the U.S. Department of Defense, Dropbox, Facebook, General Motors, Google, Microsoft, Nintendo, Starbucks, Shopify, Twitter and United Airlines. Specifically in the financial industry, American Express, Citigroup, JPMorgan Chase, ING and TD Ameritrade have public VDPs.

The U.S. Department of Defense and HackerOne pioneered the first federal government bug bounty program. Since the program's inception, more than 5,000 security vulnerabilities have been safely resolved in DOD critical assets with hacker-powered security. While the majority of the vulnerabilities reported through the DOD were without financial compensation, hackers have been awarded hundreds of thousands of dollars in bug bounty payments by the DOD.

A question I get a lot is, who are these hackers? Security experts may be described using a variety of titles, including ethical hacker, white hat, security researcher, bug hunter and finder. One title is conspicuously absent: criminal. Hackers are not criminals. Specifically, bug bounty programs offer no benefit to someone with criminal intent. On the contrary, HackerOne will record data about every hacker on the platform and only reward action that followed the rules. For these reasons, criminals go elsewhere.

Hackers are driven by a variety of motivations, many of which are altruistic. The security advocacy organization I Am The Cavalry summarizes these motivations as to protect—make the world a safer place; puzzle—tinker out of curiosity; prestige—seek pride and notability; profit—to earn money; and protest or patriotism—ideological and principled. A 2016 study by the U.S. National Telecommunications and Information Administration within the Department of Commerce found that only 15% of security researchers expect financial compensation in response to vulnerability disclosure.

Hacker-powered security not only improves security, but the model democratizes opportunity and offers meaningful work to anyone with the inclination and drive to be a useful, ethical hacker. Many hackers are young adults. They can do their work from anywhere. The money hackers make is used to support families, pay for education and catapult them into successful professional careers.

Hacking brings meaning and mandate to enterprising people irrespective of their location. Hacking brings positive societal impact across the nation.

In conclusion, we need hackers. Our goal must be an Internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security. Hackers are truly the immune system of the Internet. They are a positive power in society. We must enable them to encourage contribution. This requires a safe legal environment, encouraging all individuals to come forward with vulnerability information, no matter what the circumstance.

To close, I will repeat the words of numerous experts that a ubiquitous “see something, say something” practice for vulnerabilities is a vital and critical step towards improving cybersecurity for consumers. The absence of a formal channel to receive vulnerability reports reduces a vendor's security posture and introduces unnecessary risk. Corporations and the government should welcome input from external parties regarding potential security vulnerability. The Canadian government should encourage, if not require, that behaviour.

Thank you for the opportunity to testify on this important issue.

Throughout the country I've done some training. I do many conferences on cybersecurity. As I teach professionally, I can tell you, the utmost necessity is to have people stop and take the time to read about whatever they're doing.

We're laughing about the fact that we never read any manuals. That's true, but they're often superseded by statements of legal liabilities and obligations that discourage anyone from reading beyond that point. People will just figure it out. The graphical user interface has been so successful that people just intuitively make their way through and use maybe five or ten per cent of the full capacity of software.

I saw that transition when secretaries moved from WordPerfect 5.2 to Microsoft Word. They had to take courses, because those were two separate kinds of software. They were masters at WordPerfect, while nobody was afterwards in Word.

They could not read the manual, because it was so complicated. It was such a complete package, it would have been a week-long course. They went to those week-long courses, but they were divided into three different levels of difficulty: beginner, advanced, and then expert level. These were secretaries who were at the expert level on one software. Now the new software comes around, and they are at the beginner level. That reduces the efficiency of the workforce and slows down the effectiveness of the economy, I say.

Let's say that Windows version 15 is around the corner next year. How many people will be able to know how it works? The adaptation curve has been very steep.

I would like to point out that in recent years the behaviour of consumers has changed radically. Up until five years ago, our data used to be at large organizations who would have large teams who would help us consumers protect against data breaches and protect our privacy. I think consumer behaviour has changed such that we have become responsible for our own privacy, and as Mr. Waterhouse pointed out, we do not take responsibility to the point that is necessary today.

What I would like to add is that I don't believe it is up to the consumer to guarantee their own privacy. I believe that the organizations should help consumers and help organizations to protect consumers and their own users from these data breaches.

As I said earlier, however, with those users now being responsible themselves, it is important that we do quizzes such as the phishing test you were referring to, to make people aware of some of the risks that happen when they store their data either in a certain system or with a certain organization. That is a problem that we need to address from both the consumer side as well as the standpoint of the organizations that have a copy of that data.

That's a great question. In the U.S., there is the Computer Fraud and Abuse Act, passed in the 1980s, that says something to the effect that you can't hack and enter into a company's digital assets in an unauthorized manner. It has not been updated since. I believe Canada has a version of that law as well.

We would encourage Canada to pass a law to encourage all organizations with a digital asset to adapt some form of policy to invite the public—and you don't even need to call them hackers—to report any bugs and vulnerabilities they happen to find. That is just inviting them in, saying what's in scope and what is permitted and what isn't, as well as what you might specifically be looking for. Then, importantly, the organizations should offer a communication channel within it and set up a process in which to receive that information, as well as the resources to fix it.

That's what we would generally encourage the government to do, to pass a law to encourage that type of behaviour.

There's a process called vulnerability coordination, where you would work together with the vendors themselves to coordinate that vulnerability, to disclose it to other organizations using the same vulnerability.

There has yet to be a government that is immune to cybersecurity threats. The U.S. has some of the most developed cyber-practices in the world, as does Canada, as Mr. Waterhouse pointed out. It is also home to the companies with the most mature security practices in the world. Even so, hacks may still happen. So we're up against a race.

The Internet is a very complex system with a lot of people contributing to it. Everything is tied together. Systems and networks change or contain hundreds of thousands of individual hardware and software components and thousands of lines of code. Every time code is updated, which may happen multiple times a day, new vulnerabilities may be introduced. There will always be unknown unknowns and the only way to uncover these unknown unknowns is to invite good hackers to test the system. Even with systems that have been proven to be very secure, changes may happen overnight either because of an internal or external change, and vulnerabilities may arise.

Good hackers come across new technology every day. They will have to familiarize themselves with new technology to be able to find security vulnerabilities in it or in the components that are built on top of technologies like 5G. With our diverse customer base, there are a lot of opportunities and incentives for the hacker community to dive into these new technologies. As 5G becomes mainstream, we believe that more people will be capable of auditing the security of such components.

At this time, multiple customers of HackerOne are launching components on top of 5G and are exposing that technology to some in the hacker community, which we believe is the right way to uncover some of these security vulnerabilities that are currently unknown to us or the United States.

All the hackers who have participated in the DOD-related programs were hand-selected by the DOD and HackerOne because of our expertise and track record. We complement what our customers and government are already doing. We have a proven track record in hacker-powered security, and having coverage in both the government and private sectors strengthens our mission, which is to empower the world to build a safer Internet.

To this day, over 5,000 vulnerabilities have been uncovered in the U.S. DOD systems, the majority of which have been reported to the DOD without any monetary incentives. We believe that a vulnerability disclosure program, or establishing a process to do so, is our recommendation to every government on this planet to ensure that they can work with the hacker community according to the “see something, say something” principle.

The financial institutions say yes. From my point of view as a customer of a financial institution, I say no. Often, customers go to their financial institutions, where they are given tools that the institutions guarantee are secure. The clients go home or to work with a tool, an application, to access the system, but they really do not know how it works. All the risk then falls on their shoulders. If they make a mistake, it's their fault, not the fault of the financial institution, which has no problem proving it.

That is the shame. I was somewhat preaching the need to know one's operating system. Will the next Andoid phone be up to the task? People will not know how to use it any better. The training will focus on one application only and people will have to adapt when the application changes its look and its feel. This is what the market has been forcing on us for 30 or so years. As soon as the look and feel of an application changes, you have to work at adapting to it. There is no update, and no one holds our hand to help us become familiar with the new application.