Hacker-Powered Security: Voices on Coordinated Vulnerability Disclosure

The event “Hacker-Powered Security: Voices on Coordinated Vulnerability Disclosure” hosted at the Atlantic Council’s headquarters on Tuesday, September 18, 2018, celebrated the launch of the comic book, It Takes a Village: How Hacktivity Can Save Your Company—an endeavor of the Atlantic Council’s Cyber Statecraft Initiative supported by HackerOne, a company that connects ethical, white-hat hackers with companies and government agencies to find and disclose vulnerabilities through bug bounties or Vulnerability Disclosure Programs (VPDs).

The event took the form of a panel discussion with Coordinated Vulnerability Disclosure (CVD) leaders in the sectors of government, industry and security research. The event featured opening remarks by Marten Mickos, CEO of HackerOne and a keynote by Evelyn Remaley, Deputy Associate Administrator for Policy Analysis & Development with the National Telecommunications & Information Administration (NTIA) before turning over to the panel.

The crux of the panel discussion, which was also central to the comic book, was to tackle misconceptions surrounding CVD to turn CVD policy into a new national or even international norm for both industry and government, no matter the size of the organization. One of the most common myths surrounding CVD that Ms. Stempfley brought up was “what is a vulnerability is clear, obvious, and persistent.” Instead, as Ms. Wilkerson pointed out, “your network is really not your network anymore. […] You have to worry about everybody that you’re connected to.” Indeed, cybersecurity and more specifically CVD constitutes “a wicked problem” (Stempfley), which necessitates fluidity and adaptation to an ever-changing online ecosystem. As Mr. Nims stated with good humor, “you will never get to the end of the day and say ‘check! Security done.’”

Another myth that the panel debunked was that security researchers are primarily motivated by money. To dispel this popular fallacy, Mr. Woods cited five key motivation profiles included in the comic book, which are Protect, Puzzle, Prestige, Profit and Patriotism. Mr. Bailey corroborated the Puzzle component based on his experience with the US Department of Defense’s Hack the Pentagon program: “[hackers] are folks who often are smarter than many of us, but certainly want to demonstrate that.” Ms. Wilkerson regularly sees Protect profiles with security researchers in the healthcare sector, who are “really just in it because they want to save lives.” As Ms. Stempfley and Mr. Nims pointed out, many ethical hackers simply want to see that their work has an impact, so one way to reward them accordingly is to provide a swift response and keep them in the loop throughout the process of resolving the vulnerability. Thus, it is important for organizations to build trust into their relationships with security researchers.

In order to implement a successful CVD program, the panelists shared insights into best practices for CVD policy based on real-life experience. First of all, vulnerability disclosure policies should aim at promoting coordination between security researchers and organizations: to illustrate this point, Mr. Nims said that it is never pleasant to learn about a security breach through a researcher’s Tweet. Instead, as Mr. Bailey pointed out, hackers should be aware that they may be temporary custodians of third-party information, so discretion and sound judgement is key. However, once a security gap has been repaired, Ms. Wilkerson stated that the public may place more trust in an organization that choses to reveal the behind-the-scenes work that went into fixing a breach rather than keeping the information behind closed doors. Furthermore, Mr. Woods sees such public information sharing as a crucial step towards better cross-organizational collaboration to enable other organizations that may have similar breaches to resolve them. For future advances in this direction, the audience and panel spoke of automating information sharing mechanisms; however, the automation software is not yet sophisticated enough.

The panel highlighted a relatively recent growth in public awareness of cybersecurity issues—Ms. Wilkerson stated that WannaCry, a 2017 ransomware attack, was a watershed moment for cybersecurity awareness. Therefore, these are relatively productive times for policy discussions surrounding cybersecurity, and more specifically CVD. As Mr. Mickos pointed out, today, “not having a vulnerability disclosure policy amounts to cybersecurity negligence.”

The panel was comprised of a diverse set of perspectives, including Leonard E. Bailey, Special Counsel in the Criminal Division for the US Department of Justice; Chris Nims, Senior Vice President and Chief Information Security Officer with Oath Inc.; Bobby Stempfley, the Director of the Computer Emergency Response Team (CERT) Division at Carnegie Mellon University; Jessica Wilkerson, Professional Staff Member for the House Committee on Energy and Commerce and Beau Woods, Cyber Safety Innovation Fellow with the Atlantic Council’s Cyber Statecraft Initiative. 
 Sarah Anne Aarup is an intern with the Atlantic Council’s Cyber Statecraft Initiative.

Related Experts: Beau Woods

Image: L-R: Beau Woods, Leonard Bailey, Bobbie Stempfley, Jessica Wilkerson and Chris Nims.