I was very happy when cybersecurity came up for discussion in Monday’s presidential debate. I’d been trying since the primaries to get some kind of response from the campaigns about cybersecurity and its importance to our overall national security.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iHowever, I wasn’t surprised by how poorly the candidates performed when providing responses. Subsequent articles I’ve read and conversations I’ve had since Monday evening showed that the candidates are on par with the American public when it comes to cybersecurity. We understand that cyberattacks are bad, but we don’t grasp how the average person plays into an attack (clicking on that link in the phishing email, for example) or how sophisticated cybercriminals and other cyber actors are. Not knowing, or defaulting to a naïve stereotype (the 400-pound person hacking from his bed), could put you at as much risk as not practicing good security hygiene.
There is also the assumption that hacking always equates something bad. When it makes news, like the Yahoo breach did, we know that the situation is not good. We also know that black hat hackers are already affecting this campaign season, and could do more that could actually rig the outcome of elections. We need to know who these actors are and what their bottom-line intent is.
But, at the same time, a new study from HackerOne reminded me that there are situations where hackers are necessary and are actually improving cybersecurity. The survey talked to more than 600 hackers who participate in bug bounty programs, and revealed in its 2016 Bug Bounty Hacker Report:
Fifty-one percent reported they hack to do good in the world, while 34 percent of hackers reported they will choose to participate in a company's bug bounty program because they like the company.
While not every company wants to make it public that an outside hacker has found vulnerabilities, smart business leaders understand that a) everyone has vulnerabilities, whether it is in their own proprietary software or in the technology they purchase and b) having a white hat hacker find the problem first can save a lot of headaches and dollars than if that same vulnerability is exploited by a bad guy.
Some believe that these bug bounty hackers could also help address the cybersecurity professional shortage, particularly within government agencies. Some of those agencies recognize the need for white hat hackers. Earlier this year, the Department of Defense held a “Hack the Pentagon” competition, which focused on public-facing websites. As Defense Secretary Ash Carter stated in a release:
We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference - hackers who want to help keep our people and nation safer.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba