COMMENTARY | Contractors who work on government systems need to be able to accept vulnerability reports from ethical hackers
Dr. Craig Martell, the Defense Department's chief digital and AI officer, told an audience at cyber conference DEF CON this August that, "I'm here today because I need hackers."
If that sounds like a strange thing for a government employee to say, it shouldn't —ethical hackers, also known as white-hat hackers, work with organizations to identify and address vulnerabilities before they are exploited by malicious actors. Ethical hackers are a well-established and essential part of improving the nation’s cybersecurity posture.
In recognition of this, Rep. Nancy Mace, R-S.C., recently introduced the Federal Cybersecurity Vulnerability Reduction Act of 2023. This legislation requires that all federal contractors implement a Vulnerability Disclosure Policy, inviting ethical hackers to find and report vulnerabilities — a crucial step for keeping government systems and information safe.
Broad adoption of vulnerability disclosure policies will help protect national security
In 2016, the Defense Department launched the first government program with ethical hackers, hosted on the HackerOne platform, which exceeded all expectations. More than 1,400 hackers signed up to participate in the program. The first vulnerability was identified in 13 minutes, and 200 reports were submitted in six hours. Because of this success, the Pentagon implemented its VDP, through which it has identified and remediated multiple exploitable vulnerabilities, any one of which could have been leveraged by a bad actor to cause considerable damage to our nation. More than 47,000 vulnerabilities have been identified since the program's launch.
After the launch of “Hack The Pentagon,” support for government-sponsored VDPs has grown and has been reinforced by each of the last three Presidential Administrations. In 2020, the White House Office of Management and Budget began requiring VDPs for all federal agencies, stating that VDPs are “among the most effective methods for obtaining new insights regarding security vulnerability information and provide high return on investment.”
The Cybersecurity and Infrastructure Security Agency followed with a Binding Operational Directive, directing every federal agency “to develop and publish a VDP and maintain supporting handling procedures.”
And yet even though VDPs are now standard practice for government agencies, they have not to this point been mandated for all federal contractors who work with government data or have access to government networks. And until they are, government data and networks — the entire federal digital ecosystem — will be vulnerable. VDPs for federal contractors are critical to both our national and economic security. This is why Congresswoman Mace's proposal is so necessary: it aims to finally close that gap.
How federal contractors can ensure a more secure future
As the federal government has known for some time now, ethical hackers are integral to the overall security of their networks because these hackers have the skills and experience to identify vulnerabilities combined with the motivation to make the nation a safer place. They know the tricks that allow attackers to penetrate vulnerable systems and regularly put that expertise to good use.
The companies who support the government and who have access to government systems and data should, at minimum, have the same defenses as the government itself. Ethical hackers represent a vast network of law-abiding individuals who can efficiently and economically support companies with overburdened IT security teams to enhance their cybersecurity posture. That makes VDPs good for cybersecurity and invariably good for business.
All organizations need to take appropriate steps, mandated or not, to protect the information and systems they leverage to deliver their mission capabilities. Mace's legislation represents an important step forward and should be embraced for its ability to enhance cybersecurity for the nation.