The rise of ransomware has forced local governments to take more aggressive action to protect their systems and data from attack. One novel approach involves crowdsourcing ethical hackers to find bugs and vulnerabilities.
In early May, the city of Baltimore was struck by a ransomware attack that completely crippled the city’s computer networks and online services. Five weeks after the attack, the city was only able to restore one third of employees’ emails and the city’s billing system for water services was still offline. By July, email access for employees was finally restored, according to the Baltimore Sun, but the city’s email archive was still not accessible. Experts estimate that the Baltimore ransomware attack will cost the city approximately $18 million to restore all systems, yet the perpetrators of the attack demanded just $80,000 in cryptocurrency.
While Baltimore continues to make headlines, smaller cities and government agencies are also generating news about ransomware attacks. Three additional cities in Florida have been attacked and two of them — Lake City and Riviera Beach — agreed to pay the ransom, ranging from U.S. $500,000 to $600,000.
There have been at least 24 U.S. municipalities that have fallen victim to ransomware attacks in the first half of 2019 alone. By comparison, ransomware attacks affected 54 city and municipal government agencies in 2018. The number of ransomware attacks this year will likely surpass last year’s and criminals will continue to target smaller local and regional governments, many of which tend to run outdated or unpatched systems, making their systems more vulnerable to cyberattacks, and have limited resources to defend against such attacks, which are only expected to get more sophisticated, more frequent and will continue to make headlines.
In the wake of Baltimore’s ransomware woes, the city of Memphis is doing something rather unconventional to address the growing threat of ransomware: hiring hackers. Memphis is one of the first cities in the United States to take action to address a serious security problem that’s been plaguing local governments across the nation. In fact, the city even published a Request for Proposal for security penetration testing in May and plans to hire ethical hackers by July to look for vulnerabilities across their computer networking systems and digital assets.
So, why hire hackers? Hacker-powered security is any technique that utilizes the external ethical hacker community (i.e., security researchers, pen testers, white hat hackers) to find unknown security vulnerabilities and reduce cyber-risk. Hackers submit bugs or security vulnerabilities to organizations and in turn are either recognized or rewarded financially based on the severity and impact of the bug. By leveraging external researchers for security testing, any organization can bolster their cybersecurity defenses by identifying high-value security flaws before the criminals do, and at a much faster pace. This is exactly what Memphis is doing, and it’s a smart, proactive move that other cities should follow.
Traditional penetration testing, or “pen testing,” is limited to one or a few ethical hackers testing a computer system, network or Web application to find security vulnerabilities that an attacker could exploit. Pen testing can be expensive, as the individuals doing the testing are usually paid for the number of hours spent to conduct the test. This means that the pen testers get paid regardless of the type of results they produce. A pen test can quickly become very expensive for only producing low-hanging fruit results or non-critical vulnerabilities. Moreover, the results of traditional pen testing can also be limited by the specialized skill set of the one or few individuals performing the pen test.
Hacker-powered security is the crowdsourced version of pen testing and usually involves using a bug bounty platform to invite a group of ethical hackers ranging from 20 to 500-plus vetted hackers to test the target properties and applications in three to four weeks, while internal security teams and/or outside experts triage incoming reports. In return, the hackers receive monetary rewards or “bounties” ranging in price depending on the severity of the vulnerability that was reported. They are not paid for time spent, just results.
For example, a hacker can be paid $250 for a low severity bug and $15,000 or more for a vulnerability with critical severity. The benefit of working with a platform provider is strength in numbers. Platforms provide access to thousands of hackers with diverse skill sets. Another benefit is that hackers are vetted based on their activity on other programs as well as their reputation for submitting valid security reports. This is measured by their Signal, Impact and Reputation scores. Every action by every hacker is tracked and incorporated into their Reputation.
A full-blown bug bounty program is the next level of hacker-powered security in which an organization offers monetary rewards or bounties to hackers for valid security flaws via a continuous testing program. While penetration tests are time bound and have a specific goal in mind, a bug bounty program offers continuous testing with no time limits. The bounty program can be private or public, with most organizations starting out with a private program in which a small group of vetted hackers are invited to participate and test systems for vulnerabilities. The benefit of running a continuous ongoing bug bounty program is that it provides better coverage and exposure to hackers who are continuously testing systems for security flaws.
At the very least, the easiest way to engage with hackers is to implement a Vulnerability Disclosure Program (VDP). A VDP is commonly referred to as the “see something, say something” of the Internet, and is an organization’s formalized method for receiving vulnerability submissions from the outside world without offering financial rewards. A VDP sets the policy for how an organization deals with accepting vulnerability reports and provides a direct channel for anyone to report a vulnerability.
Recently, government and industry organizations have begun to publish VDP how-tos, templates, standards, and related guidance on how to implement, manage, and audit these important programs. A good resource is the National Telecommunications and Information Administration’s (NTIA) Coordinated Vulnerability Disclosure Template.
Hacker-powered security has been proven to be effective in the government sector and many government agencies are moving to the crowdsourced model because the benefits are outstanding. Organizations get more from their budgets as they only pay for results, not time spent; and they can leverage the benefit of the crowd — more diverse, numerous and specialized hacker skill sets.
The U.S. federal government has been deploying hacker-powered security solutions since 2016, starting with its first crowdsourced security initiative dubbed “Hack the Pentagon.” Approximately 1,400 ethical hackers participated in this effort. Based on the success of this initiative, the federal government has since operated several other initiatives involving the military and the General Services Administration. The Department of Defense (DoD) also runs an ongoing Vulnerability Disclosure Program, providing a legal avenue for security researchers to disclose vulnerabilities in any public-facing DoD system. More than 5,000 valid security flaws have been reported and mitigated through this program.
The fact that Memphis is looking to hire hackers is a signal to other cities. The word “hacker” for decades has been portrayed in pop culture as one with malicious intent, as seen in Hollywood movies, sci-fi books and in news headlines. That perception is finally changing as more and more organizations are looking to hire hackers to solve one of our most pressing issues of our time: cybercrime. In an era where government agencies are under siege by ransomware attacks that are crippling essential government services and costing millions of dollars to remedy, cities and local governments should be engaging more with the ethical hacker community.