A culture shift within government is key for cybersecurity progress. In Silicon Valley, we say fail fast, fail early, fail often. We need to think that way about finding vulnerabilities in our systems.
REDWOOD CITY, Calif. (PRWEB) July 12, 2018
America is taking a new approach to cyber defense that puts us back on the offensive in order to protect the American people. While federal cyber investments increased 162% from 2006 to 2018, the number of federal cyber incidents was increasing at a rate of 1512% from 2006 to 2016. Further, our nation doesn’t have the talent we need; according to Cybersecurity Ventures, 3.5M cyber positions will be unfilled by 2022. The time is ripe for action. Almost every government agency and private enterprise is looking for new solutions to the struggle of scaling their security operations, hiring and retaining good cybersecurity talent, and securing their digital systems from cyber attack.
California Representative Ted Lieu, the sponsor of the Hack Your State Department Act, took part in a bipartisan, closed congressional briefing at the US Capitol Building on June 27th to discuss best practices for harnessing crowdsourced security to defeat the adversary. The panel of speakers brought together security leaders from the public and private sectors, including Shawn Turskey (Executive Director, U.S. Cyber Command), Ethan Steiger (CISO & VP, Domino’s), and Mark Kuhr (Co-founder & CTO at Synack, the government market leader in crowdsourced security).
According to Rep. Lieu, the US government isn’t capable of recruiting, vetting, and retaining security researchers fast enough to address the problem of growing cyber threats. Crowdsourced security addresses this problem by harnessing the world’s best security talent and leveraging their skill sets to find critical vulnerabilities in digital assets from an adversarial perspective. Crowdsourced security has already been widely adopted by the Department of Defense, including the Air Force and Army. The model’s success in the Pentagon has provided a strong use case for other agencies across government to adopt for themselves.
However, crowdsourced security must be approached in the right way. There are important trade-offs between open bug bounty and private, managed crowdsourced penetration testing models worth noting, namely between efficiency, effectiveness, and control. Domino’s CISO and VP Ethan Steiger noted that their private, managed crowdsourced program provides unquestionable ROI for reducing their security risk:
- Efficiency: Domino’s can augment and scale their own team’s efforts without unnecessary operational burden. Private, managed crowdsourced testing vets the hackers, triages vulnerability submissions, pays out bounties, and verifies patches so Domino’s doesn’t have to.
- Effectiveness: Domino’s doesn’t stop at finding and fixing vulnerabilities with their crowdsourced testing. They also get real-time intelligence from a private, managed approach to help them manage and reduce their security risk.
- Control: Domino’s decides how they want to activate the crowd; they have clear visibility into all testing activity and full ownership of all vulnerability findings and IP.
The private, managed model provided by Synack through their Hack the Pentagon project provides a diversity of skill sets, but with stringently vetted researchers, controls on testing activity, and a managed workflow to remove unwanted noise from the system. This model is attractive to government agencies in particular because it solves the talent gap problem without making Americans, or the country, more vulnerable. “Why does USCYBERCOM use crowdsourced security? Because this model leverages some of the best talent in the world that has some very specific skill sets. Our USCYBERCOM defenders are strong, but bug bounty security programs offer unique perspectives through a unique talent pool and are well worth the investment,” said Shawn Turskey, Executive Director, U.S. Cyber Command. “Crowdsourced security programs give USCYBERCOM the ability to scale, and have turned around critical vulnerabilities in a matter of days.”
Synack CTO and Co-Founder Mark Kuhr proposed using the scalable crowdsourced security model to strengthen the acquisition lifecycle. By integrating third-party testing into the development process, developers can receive an external perspective on their systems’ security before they are fielded, and catch fatal security flaws before the adversary does. “A culture shift within government is key for cybersecurity progress. In Silicon Valley, we say fail fast, fail early, fail often. We need to think that way about finding vulnerabilities in our systems,” Kuhr said. Domino’s CISO and VP Ethan Steiger agreed, saying, “When our developers start building code, they know there will be a Synack pen test at the end of the road, and so now our development team will measure the time it takes Synack to find vulnerabilities in their code.”
Synack, the leader in crowdsourced security testing, provides real security to the modern enterprise. We leverage the world’s most trusted ethical hackers and an industry-leading platform to find critical security issues before criminals can exploit them. Companies no longer have to choose between working with the best security talent and a lack of time, resources, or trust. Headquartered in Silicon Valley with regional offices around the world, Synack has protected over 100 global organizations by reducing companies’ security risk and increasing their resistance to cyber attack. For more information about Synack, please visit http://www.synack.com.