July 25, 2016
Can the overwhelming number of good actors in online hacking communities be creatively mobilized to combat the nefarious actors in their midst? Must we trade innovation for national security, or can they reinforce each other? And what happens when you drop military counterproliferation operators into the hacker spaces of Silicon Valley?

On July 14, the Atlantic Council’s Cyber Statecraft Initiative gathered a group of experts to seek answers to these questions. The panel brought together Leo Blanken, an associate professor in the Department of Defense Analysis at the Naval Postgraduate school, Jasmine El-Gamal, senior fellow at the Atlantic Council, Charley Snyder, senior cyber policy adviser at the US Department of Defense, and Katie Moussouris, private consultant for bug bounty programs for a discussion moderated by the Atlantic Council’s Beau Woods.

Following the success of bounty bug programs in private companies such as Microsoft and the recently concluded US Department of Defense program ‘Hack the Pentagon’, corporations and governments are growing increasingly comfortable in deploying citizens to report bugs and discover vulnerabilities in internal systems. According to Charlie Snyder, “When you open such programs up to the world, you open it up to different experiences, expertise and perspectives. The results are extremely diverse and interesting.”

Here are three things we learned from the discussion with some of the country’s leading experts:

1. People and communities are more important than technology
Understanding the communities in which technologies are innovated and diffused is a vital component of strengthening our defensive capabilities. Leo Blanken argued that one must recognize the norms and cultures of online white-hat hacker communities in order to understand what motivates their counterparts. Besides this, the approach of government regulatory bodies that detect these online communities must shift from a monetary-incentives based system to one that vitalizes their presence and constantly engages with them.

2. The good guys outnumber the bad guys in cyberspace
The panel emphasized that an overwhelming majority of hackers online are “good guys.” Yet, many agreed that the US government hasn’t done a good job in aligning its interests with those of the hacker communities to receive their help. That could be as simple as committing to taking the hackers’ findings seriously, and agreeing not to arrest those acting in good faith. Each vulnerability presents a decision-making moment for a hacker and while some actors will always act in a certain way, others tend to have different responses depending on the nature of the vulnerability. Snyder believes that the government should be more open, transparent and welcoming of the role of such hackers in cyberspace, to make sure that they serve the national security agenda and do not resort to illicit activities. In fact, according to Katie Moussouris, “whenever somebody tells me that hackers need a cash incentive in order to do ‘the right thing’, I actually point them to the fact that Microsoft certainly wasn’t poor, and yet the internet community was totally willing to secure the internet ecosystem based on essentially just wanting to get the flaws that they found to be fixed.” To support this, she said that Microsoft received hundreds of thousands of vulnerability reports per year, even before she launched their coordinated disclosure program..

3. There are self-regulating communities outside the cyber realm
The concept of self-regulating communities extends beyond the cyber domain. During the panel discussion, Jasmine El-Gamal drew an interesting analogy between ‘good’ hacking communities and the people dwelling in refugee camps. Her recent experience in a Greek camp that housed Syrian refugees exposed her to a society that protected families who were trying to flee the camps from government authorities. Such concerted efforts can have wider implications to help combat violent extremism within these camps, and some lessons learned could be borrowed when dealing with other types of self-regulating communities, such as in cyberspace.
The event was part of the Cyber Statecraft Initiative’s monthly “Cyber Risk Wednesday” series designed to convene cyber experts from various sectors to examine topics at the core of the initiative’s mission. The Christian Science Monitor’s Passcode was the exclusive media partner for the event.