5 February 2018

America is losing the cyber war: Here's how to turn the tide

By Michael Chung 

When I served as a commissioned officer in the Navy and in Operations Enduring and Iraqi Freedom, we fought battles on three fronts: air, sea and land. Our country is now faced with a fourth battlefront -- one that has already made its way into the private lives of many American citizens: cyber warfare.

This battle has significant potential to be the most elusive, challenging and dangerous. There are no front lines, no established territories, and an enemy that is invisible to us. The weapons are computer keyboards and lines of code. The collateral damage is ultimately sensitive data and personal information.

Recent breaches -- both in the public and private sectors -- have exposed just how vulnerable IT systems are and the significant exploits we face both within our own borders and across them. It is the federal government's responsibility to protect private citizens from these threats -- people who may not have the technical know-how to protect themselves.

Although some federal agencies are making headway on this mission, much of the government's technology is outdated. There is also a huge talent shortage as agencies struggle to compete with private companies offering lucrative salaries for cybersecurity resources.

Our cyber enemies are evolving at a breakneck pace, and they range from government-sponsored hackers and so-called "hacktivists" to the standalone hacker motivated primarily by money. Many organizations have struggled to keep up, and let's face it: software development is not the government's strong suit. But it doesn't have to be this way.

The federal government doesn't fight land, sea and air battles entirely on its own, and it shouldn't try to tackle cyber threats that way, either. There is a global community of skilled hackers and researchers with the capabilities and desire to protect private data. All we need to do is tap into it, so that legions of researchers and experts, sometimes called "white hat" hackers, can be utilized to implement "crowdsourced security."

I've seen firsthand the power of the white hat "crowd" during my time at the Department of Defense. I ran the department's "Hack the Pentagon" program, the first federal program to utilize the bug bounty security testing model.

The program was designed to identify and address security vulnerabilities in public-facing DOD websites. More than 1,400 hackers registered to participate in the program, which offered bounties, or cash rewards, to those who could identify legitimate vulnerabilities. I was overwhelmed by the results.

Not only were we surprised by the number of vulnerability reports, we were blown away by the number of hackers who were passionate about making a positive difference. Bug bounty programs and vulnerability disclosure programs have been used successfully by both private and public organizations to identify security vulnerabilities. At the most basic level, having a program like this for your organization will encourage better software development practices and more secure code that prevents security exploits.

There is a real opportunity here to change the tide of the ongoing cybersecurity battle by leveraging the expertise of researchers within the private sector. Every government agency should implement a bug bounty program utilizing the Pentagon's blueprint.

We must encourage hackers and professionals to support their government and help to protect national assets. They are ready and willing to help; now it's on us to open the door. If we don't allow white hat hackers to find vulnerabilities within our most important digital infrastructure, then it's only a matter of time until malicious actors do.
