Why Don’t Companies Want to Hear About Their Security Problems?

We’ve got this locked down, guys.

You probably already realize that perfect security is an illusion. If someone really wants to get into a house, the deadbolts and window locks most of us have aren’t going to be enough protection. And the same holds true in cybersecurity. There’s a growing consensus that strong security actually comes from assuming the worst and viewing vulnerabilities as inevitable, instead of relying on traditional anti-virus software and patches alone. But in practice most institutions, like companies and governments, still use the outdated “patch and pray” approach. In a Washington Post story from June, Craig Timberg called this disconnect “a tragedy of missed opportunity.”

As large-scale corporate and government hacks grow increasingly common, though, it’s clear that this inertia will have to change one way or another. And instead of coming from within, change may actually come from outsiders.

Some companies have accepted scrutiny in the form of bug bounty programs. Security professionals or hobbyist hackers can submit vulnerabilities and potentially receive rewards for their discoveries. But until recently these dedicated communication channels were rare.

The shortage speaks to longstanding tension between institutions and hackers. A prominent example came in April when security researcher Chris Roberts tweeted from a United Airlines flight about his ability to access the vital controls of a plane through its in-flight Wi-Fi. He was met at the gate by FBI agents and banned from United.

Meanwhile, in August, the chief security officer of software company Oracle published a blog post/rant (which was removed a day later) about why she is frustrated by customer feedback about potential security bugs. She noted that she tells individuals who submit concerns, “Please comply with your license agreement and stop reverse engineering our code, already.”

In an attempt to address this gap, a new generation of services is trying to act as a middleman, creating platforms that organizations can use to easily get bug bounty programs up and running.

One of these is HackerOne, a startup founded in 2012 to connect companies with the white hat (ethical) hackers who want to break sites and services in a good way. HackerOne does all the work of maintaining a bug submission platform, building a community of trusted hackers, and managing reward money. Companies just have to fund awards and be open to receiving feedback. (Disclosure: HackerOne’s chief policy officer, Katie Moussouris, is a cybersecurity fellow at New America; New America is a partner with Slate and Arizona State University in Future Tense.)

But why has it been so hard for companies to admit that vulnerabilities are inevitable in the first place? “It’s such a break from the norm in any other enterprise,” said Alex Rice, a HackerOne co-founder and the former head of product security at Facebook. “That’s just how most companies operate. It’s like ‘Yeah, we’ve got this one, we’re good.’ ”

And Rice says that even the security professionals within a company may not understand just how much risk there is unless they’ve dealt with a massive corporate breach firsthand. “They want to convey accountability and ownership over [security],” he said. “In most cases there’ll be some one-off thing, they’ll say that they’ve got it, and then the next breach won’t come up for another three years and for those three years it will look like they’re doing a great job.”

HackerOne doesn’t give its network of volunteer hackers any special insight or advantages. They have the same access a malicious hacker would. (Most volunteers work on bug bounty projects because they want to sharpen their skills or simply because they find it enjoyable. Reward money doesn’t hurt either.) And by using one of these bug bounty coordinator platforms, companies are preparing themselves to welcome inspection and critiques, rather than receiving them grudgingly, ignoring them, or deploying law enforcement.

The situation is far from resolved, though. As Kathleen Richards wrote on SearchSecurity in March, “The reality is most organizations still do not have mechanisms that enable ‘outsiders’ to safely report security flaws.”

It’s a bad climate for individuals, but a big opportunity for companies like HackerOne. When there’s a major breach, “It feels like it’s this failure by the company to have not prevented it,” Rice said. “But it’s really quickly shifting to the point where everybody’s had a breach at some point, and the real differentiator for companies is how they respond and how much confidence they build.”