Many businesses live in fear of having their systems hacked. After all, who wants their customers' data to spill out onto the internet or to have their confidential plans and intellectual property stolen by online criminals?

But more and more organizations like Google, Facebook, and Amazon are actually welcoming attempts to test their security, in the hope that researchers will report vulnerabilities to them responsibly before a malicious hacker exploits a weakness to inflict damage.

Of course, the devil is in the details. The likes of the US Army and the Pentagon, which have previously announced competitions to test the security of their networks, websites and applications, don't want to encourage attacks on mission-critical systems, and they require participating hackers to be pre-registered and approved to take part. After all, they're unlikely to look kindly upon uninvited hackers based in China and Russia probing their systems.

All the same, inviting so-called "ethical" hackers to test systems in the search for bugs and vulnerabilities in exchange for a bug bounty seems a very sensible step to take, rather than waiting for a maliciously-minded hacker to gain unauthorised access or steal data.

So it's actually not such a surprise to read on CNN that two US senators have introduced a bill establishing a formal bug bounty program for the Department of Homeland Security, the government agency responsible for securing government websites and critical infrastructure. In a press release, Senators Maggie Hassan and Rob Portman described the bill, which they have given the attention-grabbing name of the "Hack Department of Homeland Security (DHS) Act". As Portman put it:
"The networks and systems at DHS are vital to our nation’s security. It’s imperative that we take every step to protect DHS from the many cyber attacks they face every day. One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats."
As with the "Hack the Pentagon" and "Hack the Army" initiatives, white-hat hackers interested in participating in any future DHS bug bounty program must first pre-register and submit to a background check, as well as agree to a number of other strict conditions, to avoid the initiative causing more harm than good.

Obviously, the ideal scenario would be to find flaws and security holes before a website or online service goes live, but we all know that in the real world that's not always possible.

My expectation is that we will see more and more public sector organizations and private companies recognize the benefits of working closely with ethical hackers and penetration testers. The message is clear: hack yourself (or get help from ethical hackers to do it for you) rather than wait for a malicious actor to exploit a weakness and put your organization in peril.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.