White-Hat Hackers to the Rescue

This article was originally published by Stateline, an initiative of The Pew Charitable Trusts and was written by Jenni Bergal.

Hackers aren’t always sneaky, black-hat cybercriminals out to steal information and wreak havoc. Sometimes, they’re the good guys—ethical hackers who uncover security flaws to help prevent the bad guys from winning.

That community of white-hat hackers is exploding, from tech-savvy high school students who discover bugs on websites to large companies that help businesses and government uncover vulnerabilities within their computer networks.

Some states have for several years turned to white-hat companies to see if they’re able to penetrate their systems. Now a handful are also considering edgier “bug bounty” programs that use networks of hackers and reward those who find hidden security flaws.

“The cyber threat is only growing. States are looking at ways to do things creatively,” said Jeffrey McLeod, director of the National Governors Association’s homeland security division. “The goal is to find vulnerabilities before something happens.”

Some of those vulnerabilities are discovered by people on the outside. Nearly half of state information technology officials reported in 2016 that they sometimes used third parties to try to penetrate their systems; one-third said they did so at least once a year, according to a study by the National Association of State Chief Information Officers and the consulting firm Deloitte & Touche LLP.

There are reasons more aren’t using the service: Some states might not have the money, or might be nervous about allowing white-hat companies to try to breach their networks.

But states that have been doing it say it’s a valuable exercise.

“It’s peeling back the onion. We’re challenging the company to do what any competent hacker would do to try to break into our systems,” said Elayne Starkey, Delaware’s chief security officer, whose office hires white-hat companies to do penetration testing regularly at a cost of $10,000 to $25,000.

They have simulated threats. They have set up phishing scenarios and sent fake emails to employees. One time, they even had a tester put on a uniform and pretend to be a delivery man to see how far he could get inside the data center, Starkey said.

“The results of these tests allow us to tighten up our defenses and close gaps before the real bad guys find them.” How far the fake delivery guy got, she wouldn’t say.

Missouri also hires white-hat companies. One conducted exercises this year in which hackers pretended to be black hats trying to get into the network any way they could, without the knowledge of state employees. The idea was to test staffers’ readiness and how they would respond to well-armed bad guys. The state paid about $90,000 for the tests, which lasted several weeks.

“This gives you a good idea how well your organization can respond to a sophisticated adversary,” said Missouri’s chief information security officer, Michael Roling.

Bug Bounties

Hackers and cybercriminals have become increasingly sophisticated and are constantly scanning state computer networks looking for vulnerabilities. In recent years, they have stepped up attacks on those networks, which contain personal information such as the Social Security, bank account and credit card numbers of millions of people and businesses.

In Missouri, Roling said the state’s firewall each day blocks 95 million unwanted attempts to get into the computer network. That compares with about 100 million to 120 million legitimate connections a day. So far, the state hasn’t had a major data breach, but Roling knows that could change at any moment.

That’s why he is interested in trying a more nontraditional method of connecting to white-hat hackers: bug bounties. His office is in discussions with multiple bug bounty services to figure out how the procurement process would work; then it will examine the legal implications.

With bug bounties, ethical hackers are given rewards, usually money, for finding and reporting undiscovered “bugs,” which are errors, flaws or faults within computer networks and data systems. Reporting a bug can earn bounty hunters from several hundred to tens of thousands of dollars.

“It’s crowdsourcing hacking,” said Dan Lohrmann, chief security officer for Security Mentor, a security training firm based in Monterey, California, that works with states. “You’ve got a global audience out there. There are people doing this full time, sitting in Norway next to a snow drift, making a living off of it.”

Some cybercriminals send phishing emails to try to gain access to state networks. Some use hacking tools to crack passwords to try to get administrative privileges, or launch denial-of-service attacks.

Big tech companies such as Google, Facebook and Microsoft have been using bug bounties for several years. The U.S. Department of Defense has used them too, launching Hack the Pentagon and later Hack the Army and Hack the Air Force. The federal programs awarded bounty hunters more than $300,000 in total for discovering vulnerabilities.

While some companies contact bug bounty hunters directly, others, including the federal government, go through broker-type businesses such as HackerOne and Bugcrowd, both based in San Francisco. They act as middlemen who turn to a network of hackers they say have been vetted. The companies manage the program, triage the hackers’ submissions and try to ensure that clients get only verified, well-documented reports. They pay hackers a bounty on behalf of their clients.

Bug bounties may be popular in the private sector, but they’re a somewhat controversial concept for states, said McLeod of the national governors group.

“You’re inviting folks to come and hack your system. That raises red flags for folks,” he said. “Obviously, optics matter. If they find some big gaps in the system, it doesn’t look good for the state.”

Nonetheless, Delaware hopes to start a bug bounty program later this year, said security chief Starkey. If it does, it apparently would become the first state to do so.

To start, the state is creating a disclosure policy and plans to add a link to every Delaware.gov webpage allowing people to click on a button and report a vulnerability. It will set up ground rules for ethical hackers who spot software bugs on public websites and apps but don’t know how to report them.

The policy will make it clear the state is committed to following up promptly, Starkey said, which is important because hackers can get frustrated if they point out a problem and no one gets back to them. It also will include warnings about what hackers are not allowed to do, such as misuse data or shut down a website. Hackers who report legitimate vulnerabilities may be awarded a certificate of recognition.

Once those changes are completed this summer, Starkey said her office will seek approval to hire a bug bounty company. Initially, it would pay management expenses, not bounties, and only offer hackers public recognition. “Hiring one of these companies is not the Wild West,” she said. “Hackers have to be registered and vetted. We know who they are. There’s a lot more structure to it than meets the eye.”

Red Flags

Doug Robinson, executive director of the state chief information officers group, said states that want to start such programs need to perform lots of due diligence.

“You need to have a pretty tight contract that deals with potential liability or injury to the state if they turn out not to be white hats,” he said. “Sometimes these hackers were black hats before. I’d be concerned about that.”

Some cyber experts caution that states may not be able to deal with all the problems that bug bounty hunters may uncover.

“You have to have people who can fix the bugs that are found,” said Katie Moussouris, founder and CEO of Luta Security, a cybersecurity consulting firm based in Kirkland, Washington.

Moussouris, a former white-hat hacker who started Microsoft’s first bug bounty program and was involved in creating Hack the Pentagon, said states may already be too busy struggling with the vulnerabilities they know about to take on those they don’t.

But state cyber officials interested in bug bounties say they’d rather be proactive and do everything they can to prepare for the inevitable.

“The bad actors are coming after you either way,” Roling said. “So if we can get the white hats on our side, that’s a good thing.”
