Hacking and why it can be good for cybersecurity [Q&A]
Hacking tends to have something of a bad name, but there are many hackers who do good work, identifying flaws before they can be exploited in cyberattacks.
However, many of these people operate in the shadows for fear of being prosecuted for violating legislation. We talked to Laurie Mercer, director of sales engineering at security platform HackerOne, to discuss whether ethical hackers need to be more open about their activities in order to bring about change and how ethical hacking is making organizations safer.
BN: Why are hackers often misrepresented in the media?
LM: Despite existing biases and misconceptions, it is increasingly recognized that including hackers in your cybersecurity strategy reduces risk. The US Department of Defense, for example, has been a pioneer in embracing an outsider mindset to protect national security. Since the launch of Hack the Pentagon in 2017, hackers have identified over 45,000 vulnerabilities for the DoD.
Similarly in the UK, both the NCSC and Ministry of Defence have been harnessing the creativity of hackers to build their resistance to attack.
Although the idea of relying on hackers to secure government organizations may have seemed unconventional at first, it has gained acceptance in countries such as the US, Singapore, and the UK, where ministries of defense value hacker insights to strengthen national security. Embracing unique and innovative ideas like these is crucial to stay ahead of ever-evolving cyber threats.
To remain competitive in today's landscape organizations must focus on two pressing requirements: speed and cost. While managing budget constraints, keeping up with cybercriminals may necessitate stepping outside your comfort zone and exploring new approaches to support true security innovation. It's time to be open to new strategies to effectively safeguard against cyber threats that may cost you in the long run.
BN: What are ethical hackers, and what makes a good one?
LM: Ethical hackers are information security experts tasked with identifying vulnerabilities within an organization's IT system to allow security professionals to address gaps in protection and remediate them before malicious hackers get a chance to expose those weaknesses.
Inviting ethical hackers into your business allows you to find and fix the flaws before they’re exploited and is the best solution to keep up with the innovation of cybercriminals.
Organizations are in search of a solution that can effectively adapt to the constantly evolving threats in the cybersecurity landscape. Hackers can play a crucial role by helping organizations scale their cybersecurity efforts by providing continuous testing, identifying vulnerabilities that may be missed by scanners, and uncovering exploitable weaknesses that cybercriminals can take advantage of.
The latest data in our Hacker-Powered Security Report, shows that hackers are motivated by learning (79 percent), money (72 percent) and the mission to build a safer internet which is illustrated in the 70 percent that hack part-time alongside a career in some cases. A hacker finds joy in the intellectual challenge of creatively overcoming limitations -- 56 percent hack for the challenge. This mindset is inherent in all of us -- everyone has a hacker within. By recognizing and embracing the hacker mindset and channeling it towards societal benefit, we can address the challenges of digital trust currently causing societal distress and economic harm.
BN: How does hacking benefit the cybersecurity industry?
LM: Inviting ethical hackers to test your organization's assets allows you to gain visibility into all aspects of your codebase. Hackers don't just look at what you want them to see; they scrutinize your entire code and assets, including what your organization may have overlooked or is unaware of. Transparency is essential in cybersecurity, as it builds trust with customers, the hacker community, employees, and partners, which is why HackerOne has always emphasized the importance of transparency and public disclosure to foster trust.
The security-through-obscurity mentality, which suggests that secure software and systems can be built by hiding how they work, is flawed and means concealed vulnerabilities lead to breaches. Ethical hackers are the best solution to counteract the ingenuity and inventiveness of cybercriminals. With organizations facing budget constraints and staff reductions, the most scalable solution is to leverage the expertise, knowledge, and diverse approaches of hundreds or thousands of hackers.
Cybersecurity isn't only about mitigating current risks, but also understanding emerging attack surfaces and new threats. Hackers are always experimenting and can go beyond the testing of known threats that scanners can find. According to our insights, 92 percent of hackers claim they can discover vulnerabilities that scanners cannot -- a significant argument for man versus machine. Hackers on the HackerOne platform report a vulnerability every two minutes.
BN: How difficult is it to establish the boundaries of how far ethical hacking should go?
LM: Bad actors are going to be looking for vulnerabilities whether you give them permission or not, so you may as well engage ethical hackers to find those vulnerabilities first. Hackers take the outsider mindset, meaning they're coming to your systems with the same tools, resources, and access as an attacker. It's riskier to not ask hackers for help than to have them help. With that said, 50 percent of hackers have not reported a bug they've found; for 12 percent of those, it's because an organization had threatening legal language on their website. Establishing clearer legislation around good faith security research would better support hackers in protecting companies and society against malicious threats.
BN: As the UK looks to review its Computer Misuse Act, what do legislators need to do to distinguish between good and bad hacking?
LM: The Belgian government has recently announced a new law that will allow ethical hackers to hack any Belgian company without prior permission. Historically, ethical hacking codes of conduct state that a hacker must have prior approval to hack an organization.
Additionally, the recent changes to the US Department of Justice's Computer Fraud and Abuse Act (CFAA) to increase hacking protections provide an all-encompassing protection for good faith hackers fearing prosecution.
It seems change is afoot for legislation around hacking, but what neither law accounts for is civil suits brought by companies against hackers. We need to make hackers feel fully confident about reporting vulnerabilities, and companies must be involved.
The biggest reason (42 percent) preventing hackers from disclosing valuable vulnerability information is that an organization does not have an easily discoverable method of reporting a vulnerability.
To enable ethical hackers to do their best work, every digital organization operating in the UK should have a Vulnerability Disclosure Programme (VDP). A VDP is a centralized process for anyone to report security flaws in an organization's internet-facing applications and a trusted methodology for them to receive and triage these reports. A fully managed VDP gives you a reliable way to receive and track vulnerabilities.
The Computer Misuse Act (CMA) should be in place to support ethical hacking and therefore reformed to better define and protect security research.
We submitted a letter to the UK's cyber policy unit earlier this year, asking that the revision of the CMA make it clear and unquestionable that the operation of a Vulnerability Disclosure Program (VDP), and the act of finding and reporting a vulnerability through that VDP, are an officially sanctioned and even encouraged practice.
Particularly, the revised CMA should clarify that independent security research undertaken in good faith for the purpose of finding and having security vulnerabilities fixed is not subject to criminal sanction under the CMA, ultimately encouraging responsible vulnerability research and disclosure.