15 November 2017

One Year Stronger: How the US Government and Synack’s Hacker-Powered Security Programs Are Setting a New Precedent

Anne-Marie Chun

Today, America turns one year stronger. In 2016, cyber incidents were up 1512% compared to the decade prior. Traditional methods of security weren’t holding up against the modern adversary. To get back on the offensive, the US government invited a group of ethical hackers to find and help fix vulnerabilities in their systems through Synack’s hacker-powered security platform. As hoped, the program was successful. What was unexpected, however, was the rate at which this model would take off.

In just one year, Synack and the US Government have taken a disruptive idea and made hacker-powered security an invaluable reality for federal agencies. It all started last year when the IRS approached Synack looking for a more effective, efficient way to conduct security testing. They had heard about Synack’s crowdsourced penetration testing solution, and they were interested in leveraging the diverse skillsets of a crowd of ethical hackers in a private, managed model. The Department of Defense quickly followed, partnering with Synack to launch the Hack the Pentagon program. The domino effect continued, and agencies began to realize that they could find more impactful vulnerabilities with less burden on their internal resources by harnessing the power of a highly vetted group of security researchers.

So one year ago today, on November 15, 2016, we launched Synack Government, a business dedicated to providing hacker-powered security and private, government-grade bug bounty to the federal government.

This first full year of deployment saw a series of firsts:

  • The first time the government partnered with external hackers to test internal, mission-critical government systems
  • The first time critical vulnerabilities (i.e. zero days) were discovered in hardened, mission-critical assets. If exploited, these vulnerabilities could have wreaked havoc, such as allowing an attacker to send a tank to the White House or to derail a mission-critical message being sent to warfighters on the frontlines.
  • The first time that government agencies were able to shorten the time from vulnerability discovery to remediation to 24 hours and the time from patch to verification to <72 hours
  • The first time the government was able to increase their security teams on-demand by over 10x

Using a hacker-powered approach to security testing quickly proved to be more effective and efficient than traditional methods. Synack consistently provides >53% ROI over a traditional penetration test. Based on these results, private, government-grade bug bounty has spread rapidly within the federal government. In the first year alone, the number of agencies engaging Synack has more than tripled, with additional agencies government-wide beginning to pursue this new model.

In other words, hacker-powered security is on track to achieve 10% adoption within its second year. For comparison, six years since the launch of the Federal Cloud First Policy, cloud computing has still only penetrated 10% of the total federal IT spend earmarked for cloud. In the commercial market, it took 30 years for electricity, 25 years for telephones, and five years for tablet devices to achieve 10% adoption among consumers. Simply put, hacker-powered security is quickly becoming the new standard.

There’s a reason why we are seeing a swift uptake of private, government-grade bug bounty programs on Synack’s platform. These programs are:

  • Trusted and controlled, using only the most skilled, trustworthy ethical hackers with complete auditability
  • On-demand, offering the ability to launch a program within 24 hours and receive real-time analytics and reporting on the actionable results
  • Efficient, augmenting and scaling internal security teams to completely remove the burden of vulnerability discovery, triage, and remediation
  • Effective, uncovering vulnerabilities unknown to an asset owner and highly coveted by the adversary

And now, Synack has seen its programs’ successes pave the way:

We look forward to another year in which we continue to push the boundaries of what our nation can achieve when we work together across Washington, Silicon Valley, and the global hacker community. For the next year, our goals are to:

  • Establish hacker-powered security as the norm: To get ahead of the adversary, hacker-powered security must become the new standard for how we protect our systems.
  • Measure our security with real security metrics: Simply checking compliance boxes or counting vulnerabilities found will not make a fundamental difference in security. A healthy security environment requires actionable insights on vulnerabilities and suggested fixes to accelerate remediation and track system hardening over time. We will establish a new standard built on Attacker Resistance, which comprises:
    • Increasing the amount of time it takes for attackers to find vulnerabilities in your systems
    • Enhancing the skills required for attackers to find vulnerabilities in your systems
    • Reducing the number and severity of vulnerabilities that a hacker can find in your systems
  • Set the expectation of a continuous cadence: One test is not enough. Security requires a constant commitment and a continuous testing model to keep pace with changes in the environment and to scale across expanding digital attack surfaces.

We look forward to accomplishing even more with our government partners and Synack Red Team this year. Thanks to all that have been a part of the journey so far and have made America one year stronger.