The Unlikely Romance of Hackers and Government Suitors

Very little modern federal infrastructure is managed by the government — putting a substantial portion of potentially targetable attack surfaces under oversight of federal contractors.

Casey Ellis, Founder & Chief Strategy Officer, Bugcrowd

December 14, 2023


COMMENTARY

Each spring, the annual Hack the Capitol event brings together a diverse group of scientists, hackers, and policymakers to educate congressional staffers, scholars, and the press about the most critical cybersecurity challenges facing our nation.

Hack the Capitol has steadily grown in size and stature by raising awareness about the value of governments and businesses partnering with hackers to solve complex security problems. In serving as a committee member of the Hacking Policy Council, I have been struck by the growing convergence of artificial intelligence, security concerns, and policy efforts, especially since the launch of ChatGPT late last year. As these interrelated trends continue to merge, we are seeing more large, conservative enterprises and government agencies aligning their interests with the white hat hacker community.

The security industry finds itself very obviously in a tug of war against the adversary across multiple essential domains, including energy, healthcare, telecommunications, government/military, automotive, and aviation. And suddenly, the public seems to care about these issues, because artificial intelligence (AI) is not some futuristic sci-fi concept — even students are using AI chatbots to write their school papers.

This growing public support for new policy guardrails has reinforced government and industry involvement with bug bounties and vulnerability disclosure programs (VDP) to harness the collective power of crowdsourced threat researchers. This alliance is being driven by a realization that our opposing force is basically unlimited in potential access to skills and resources. Meanwhile, the white hat community is saying, "Hey, tag me in." The reason this unlikely romance is working is that it has become very clear that to outsmart an army of adversaries, we need an army of allies.

Addressing the Alarming Threats to Critical Infrastructure

One area where the rise of AI can inflict major damage involves attacks on critical infrastructure, including energy grids, water supplies, computer networks, transportation systems, and communications hubs.

In the absence of a critical event, conservative vertical sectors take longer to trust hackers. That has been their historical pattern. However, regulatory pressure is helping to encourage more crowdsourced security. Publicly accessible initial access vectors are the most common starting point, usually via a VDP or private crowdsourcing program. Unfortunately, aging critical infrastructure organizations have a lot of publicly accessible initial access vectors, but this problem is not unique to critical infrastructure. The expansion of access vectors is compounded for all types of organizations that pursue digital transformation.

Critical infrastructure adoption of hacker feedback is still lagging, but that is to be expected. Yet there is a lot more activity happening out there than you might think, and regulation is making this a "when and how" issue, rather than an "if" issue. Despite making considerable progress, we still have a long way to go, because cybersecurity is essentially a people problem, and technology just makes it go faster. Our idea for Bugcrowd was to connect a global supply of white hats with unmet demands and to build a vibrant environment for good faith hackers. Hackers have seized on this opportunity by putting their skills to work for positive change, and by building a viable career path for themselves in the process.

As for participants from big government and big business, the true value of a public bug bounty is twofold. One is the confidence of having code hacked by an outsider, and the other is ensuring proof across the organization that the boogeyman is real.

How did this current convergence come about? Security concerns came first, then policy reactions followed, and now AI has imposed itself on the consciousness of people in retail politics who wonder if AI is an existential security threat to humanity. That change has collapsed all three trends together, creating broader public awareness, which raises the heat for policymakers to regulate these advances in a virtuous circle.

Government Agencies Step Up to Address New Threats

Hack the State Department, Hack the DHS, and other Congressional bills that acknowledge and encourage partnerships between hackers and the government date back to at least 2005. In recent years, members of the House and Senate have proposed bug bounty programs to be conducted internally for federal agencies, as well as for other departments of the federal government. The most active push for this legislation began in 2017, and has resulted in laws being passed to implement these programs in the Department of Defense, as well as enacted policies of the Federal Communications Commission, Department of Commerce, and more. It has been encouraging to see the House's continued interest in enlisting hackers to serve as the Internet's immune system. Most recently, House members have attempted to extend their partnership with the security community by introducing The Federal Cybersecurity Vulnerability Reduction Act.

The reality of modern federal infrastructure is that very little of it is actually managed by the government. Federal contractors are an integral part of the IT infrastructure supply chain that supports the entire operation of the United States government. This means that a substantial portion of potentially targetable attack surfaces falls under the responsibility and oversight of federal contractors, and this bill reflects the likelihood that the most significant changes to the cyber-resilience of the United States government will come from this group. Along with the transparency and accountability benefits, the hacker community has been enlisted to provide a previously underutilized capacity to scale to meet the challenge.

Hackers On the Hill and the DEF CON policy department deserve a great deal of credit for initiating and normalizing these types of conversations, and it's important to note that bills like this one ultimately are the result of decades of consistent education and partnership between the hacker community and Capitol Hill.

About the Author

Casey Ellis

Founder & Chief Strategy Officer, Bugcrowd

Casey Ellis is the Founder and Chief Strategy Officer of Bugcrowd, as well as the co-founder of The disclose.io Project. He is a 20+ year veteran of information security who entered the space from a youth spent inventing things and generally getting technology to misbehave.

Casey pioneered Crowdsourced Security as-a-Service, launching Bugcrowd and its first bug bounty programs in 2012, and co-founded the disclose.io vulnerability disclosure standardization and adoption project in 2014.

Since then, he has personally advised the US Department of Defense and Department of Homeland Security/CISA, the US Department of Justice around CFAA reform, the Australian and UK intelligence and policy communities, and various US White House, executive, and judicial branch legislative cybersecurity initiatives, including the US National Cyber Strategy and preemptive cyberspace protection ahead of the 2020 and 2024 Presidential Elections.
