24 September 2018

The White House Secures the American Way through Crowdsourced Testing


The White House National Cyber Strategy

Recently, the NotPetya and WannaCry hacks have wreaked havoc across private and public sectors. The NotPetya hack alone caused an estimated $10 billion in total damage. It’s no surprise that the White House is calling for hardening government assets and utilizing human and machine intelligence through widespread adoption of crowdsourced security.

Securing the American Way with a strong cybersecurity strategy is a top priority for the White House. For the first time in 15 years, the White House released a comprehensive National Cyber Strategy of the United States of America last week. The White House strategy takes a strong stance on offensive operations, crowdsourced security, and requiring agencies to remove software vulnerabilities and security risks.

The National Cyber Strategy of the United States of America reads as follows: “The United States Government will also promote regular testing and exercising of the cybersecurity and resilience of products and systems during development using best practices from forward-leaning industries. This includes promotion and use of coordinated vulnerability disclosure, crowd-sourced testing, and other innovative assessments that improve resiliency ahead of exploitation or attack.”

What’s significant here is that the federal government called out “crowd-sourced testing and other innovative assessments” as a “best practice”. For the last two years, Synack has been the leader in the federal government crowdsourced testing market with a >78% market share. Thanks largely to successful partnerships with the Defense Digital Service (DDS), IRS, Air Force, Army, and other private military and civilian agencies, controlled bug bounty programs have become increasingly mainstream in the federal government.

Synack is committed to its researchers (the most elite, trusted hackers in the world) and a platform that gives the customer full access to all the intelligence learned without compromising complete control. We have built our solution to work for the most capable teams at the Department of Defense as well as agencies that are under-staffed or under-resourced. We look forward to engaging further with the federal government to strengthen and harden our nation’s assets against cyber attacks through crowdsourced security. Here are three areas highlighted in the National Cyber Strategy of the United States of America where we are already partnering with the federal government to help secure the American Way:

  1. Federal Contractors – Crowdsourced testing shouldn’t just be limited to government systems; the entire ecosystem needs to be hardened. During Hack the Pentagon, Synack established a number of best practices including the importance of acquisition reform and asking contractors to separate the development and independent testing process before fielding new technologies. Whether we are talking about submarine weapon systems, or polling booths, government systems are only as secure as the contractors that supply the servers, software, hardware and often weapons systems themselves.
  2. Sensitive Assets – In this strategy, one area that stood out due to its sensitive and critical nature is “cyber-related threats to space assets and supporting infrastructure.” Space cybersecurity is an important agenda item for the current administration, and is one of the driving forces behind an increase in NASA’s budget for FY2019 by $400 million, from $19.5 billion (FY2018) to $19.9 billion. The administration called out the critical nature of assets that provide “intelligence, surveillance, and reconnaissance (ISR)” as well as other functions. Synack has a background in protecting some of the most sensitive assets in the Department of Defense as part of its Hack the Pentagon contract and encourages NASA to consider crowdsourced testing as a way to test their sensitive assets.
  3. Re-Skilling the Federal Workforce – Last, but not least, the cybersecurity strategy highlights the importance of “Expand[ing], Re-skilling and Educational Opportunities for America’s Workers.” Today, some agencies use Synack’s hacker-powered security testing platform to train their internal teams to recognize, respond to, and defend against attacks. For example, the Defense Department brought its defensive team onto the Synack platform during the Hack the Pentagon program to monitor how Synack’s crowd of top-tier ethical hackers discovered and tested vulnerabilities, and to learn from a realistic attack. An estimated 300,000 federal employees will need to be re-skilled over the next few years, partly to combat the growing global cyber crisis. Cybersecurity skills are a huge component of re-skilling, especially as threats continue to grow.

A Call to Action: White House to Take the Lead on Agency Adoption of Crowdsourced Security

As the White House establishes crowdsourced security as a best practice, we consider it a promising first step. Synack encourages the federal government to consider new policies to help standardize and fund federal agency adoption of crowdsourced security and bug bounties, which provide significantly higher ROI than traditional pentests (based on efficiencies and results delivered), augment the efforts of under-resourced security teams, and have already provided many successful use cases for testing everything from web-facing assets to weapons systems.

So far, Congress has led on encouraging agencies to adopt this approach through legislation including the Hack the State Department Act and the Hack the Department of Homeland Security Act, among others. Both bills have been successful at increasing awareness about crowdsourced security and may be signed into law within the year. The Hack the Department of Homeland Security bill passed the Senate two weeks ago, and the House will likely pass it as well. Hack the State Department has not reached the House floor, but has been heralded in The Hill as a potential solution to the State Department’s data security challenges.

Now that crowdsourced security has been established as the testing standard for more efficient, results-driven testing that helps expedite remediation, the White House has an opportunity to lead on this issue and encourage agency leaders to be proactive instead of reactive when it comes to strengthening and hardening their assets. As the White House starts to consider its priorities for cybersecurity in FY2020, we hope it will consider standardizing, implementing and funding crowdsourced security programs, with the right controls in place, across federal agencies.