Prior to 2016, the U.S. government shied away from turning to honest hackers to test its IT systems for vulnerabilities, owing to long-standing concerns about ulterior motives and a general reluctance to trust people “outside the tent.”
That has changed in recent years, as more government agencies have partnered with crowdsourcing communities to strengthen the nation's cybersecurity posture.
After years of resistance, governments are now using crowdsourced security to strengthen their defenses through bug bounties, red team penetration testing, and vulnerability disclosure programs, and to outwit diverse groups of adversaries. It is a powerful counterforce that helps maintain balance.
The good news is that by improving the ability of federal agencies not only to listen to the internet's immune system, but also to actively take its input and act on its advice, they can protect public IT infrastructure from danger. It's about inoculating themselves against threats.
Building on the public interest in generative artificial intelligence, the White House announced a major executive order on safe, secure, and trustworthy artificial intelligence in October. This executive order establishes strong standards and guidelines to protect AI systems before they are released to the public. The directive advances federal agency best practices to ensure data privacy for all citizens and protects employees from workplace discrimination due to the misuse of AI. It also supports international cooperation to build frameworks that can protect people from the unethical use of AI.
The Executive Order calls for “AI Red Teaming,” which uses adversarial hacking techniques to identify flaws and vulnerabilities, such as harmful or discriminatory output from AI systems and potential risks associated with misuse of the systems. We clearly support the
Hack the Pentagon
Public-private security partnerships first emerged when Congress passed the Federal Information Security Modernization Act of 2014 (Public Law 113-283). The law supports “the development and conduct of targeted operational assessments, including threat and vulnerability assessments,” for government information systems. Shortly after, the Pentagon launched its 2016 “Hack the Pentagon” program, inviting public security researchers to help protect its networks and IT systems from cyberattacks.
Congress authorized initial funding for crowdsourced security through the National Defense Authorization Act of 2020 (S 1790). The measure provided for “security testing, including vulnerability scanning and penetration testing performed by individuals, including threat-based red team exploitation and assessment with a Zero Trust assumption.”
Another major advance came in September 2020, when the Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD 20-01) requiring agencies to develop a Vulnerability Disclosure Policy (VDP). This directive established the first formal way for the public to provide cybersecurity support by finding and reporting vulnerabilities in a legally recognized manner. Such policies were created to support honest hackers who are willing to donate their time and skills to improve the state of national security.
The CISA plan was ambitious from the beginning. It sought to standardize the implementation of VDP across all federal civilian executive branch agencies, using the “carrot” of implementation guidance and frameworks and the “stick” of approval by the Office of Management and Budget. When the VDP platform launched in September 2021, adoption rates were in the low single digits. Currently, CISA works with more than 40 federal agencies to provide ongoing VDP research results. Promising numbers include an average of 38 days to remediate over 1,100 known vulnerabilities and an 89% remediation rate for all verified vulnerabilities submitted to the program. Hacker submissions continue to grow year over year, with an estimated 80% increase in 2023.
The Securities and Exchange Commission took further action in March 2022, introducing rules to standardize disclosures by public companies about cybersecurity risk management, strategy, governance, and incident reporting. The SEC's move to seek cybersecurity expertise on the board showed that the commission views cybersecurity through the same lens as other recent and unusual risks, such as human resources, arbitrage, and currency.
In March 2023, the White House Office of the National Cyber Director adopted a broad National Cybersecurity Strategy to establish solid policies to protect the nation. The strategy document broadly states, “The administration will encourage coordinated vulnerability disclosure across the full range of technologies and sectors.”
enemy army
These public-private partnerships and new reporting processes have provided important benefits for government security, including:
— Deployment at scale and consistent results using a technology platform to manage VDP workflows and results. This paradigm is now being extended to bug bounties and crowdsourced penetration testing on the platform.
— Greater visibility for researchers and broader impact for governments. Public programs have brought more and more researchers to the table, improving downstream reporting and remediation success.
— A practical template for successful public-private partnerships that other government agencies can adopt to mobilize crowds and leverage the Internet's immune system.
Why is all of this so important? Because the only real way to prevent malicious misuse of technology is to properly secure it at the technical level. The steady integration of cybersecurity into top-level government policy has seen cyber risk move from a poorly understood and exclusive domain of pure technologists to a core aspect of business risk management and a board-level concern. It shows that the topic has matured to the point where it is accepted as mandatory everywhere, from individual organizations to the legislature. As a result, these partnerships allow the U.S. government to continually improve protection for all citizens against ongoing cyberattacks.
Casey Ellis is the Chief Strategy Officer at Bugcrowd, a crowdsourced security platform that has become one of the largest bug bounty and vulnerability disclosure companies.