Government officials and cybersecurity experts are arguing that companies need to embrace vulnerability disclosure programs to guard against hacking, amid pushback from the largest voting machine company in the United States, which has portrayed efforts to test its systems as a tactic of foreign spycraft.
Vulnerability disclosure programs that invite hackers to test computer systems are a show of strength, participants in a Sept. 18 event at the Atlantic Council argued.
“Not having a vulnerability disclosure program amounts to cybersecurity negligence,” said Marten Mickos, the head of HackerOne.
It’s a myth that companies can adequately test their systems on their own, said Chris Nims, chief information security officer at Oath, the Verizon subsidiary that owns Yahoo and AOL. Even large companies that perform penetration testing on their own products cannot catch all vulnerabilities, he argued. “The reality is that is simply not true.”
Many companies sponsor bug bounty programs, a form of vulnerability disclosure program that pays monetary rewards for reporting flaws in software or hardware. Perhaps the best known program is Hack the Pentagon, which began in 2016 under then Secretary of Defense Ash Carter.
“It’s hard to be a network owner and say ‘I have something that is more valuable than the Department of Defense,’” said Leonard Bailey, special counsel for national security at the Department of Justice. “It is an industry standard that there is somewhere between 15 and 50 errors per thousand lines of code and most of the commercial products are tens of millions of lines of code … there are vulnerabilities in the system.”
But amid heightened attention on foreign interference in the upcoming midterm elections, a key voting machine manufacturer has cast doubt on these practices. Election Systems and Software, a company that sells voting machines, software and services in the United States and Canada, has criticized efforts to hack its equipment.
The DEF CON conference in Las Vegas in August featured an entire Voting Village dedicated to hacking election equipment. Hackers there found several vulnerabilities in machines made by Election Systems and Software, including one that gave an attacker control of an entire machine once its back panel was removed.
Leaders from Election Systems and Software did not appreciate the effort.
“Forums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Tom Burt, the CEO of the company, wrote in an August letter to lawmakers.
“Ignorance of insecurity does not get you security. We need to examine voting machines, SCADA systems, IoT and other important items in our lives,” Rob Joyce, a senior National Security Agency official, tweeted Aug. 28. “The investigation of these devices by the hacker community is a service, not a threat.”
But experts and government officials argue that vulnerability disclosure programs and other testing efforts can only boost security.
“If you have a company that is mature enough and confident enough in its own products and its own fix to admit that they have a vulnerability, to me that says ‘This company gets it,’” said Jessica Wilkerson, a staff member on the House of Representatives Committee on Energy and Commerce, during the Atlantic Council event.