Hacking the Loophole

Johanna Gautier
Live from Starquest
4 min read · Mar 21, 2018

The figure of the hacker has long been a repellent one. Looted R&D, ransoms, stolen personal data, jeopardized military or economic strategies: there seems to be no limit to the damage hackers can do to society. But what if we disentangled hacking from crime?

A hacker is someone who creatively overcomes difficulties. If you can fix your car engine with washing-machine spare parts, you are hacking the automobile sector. A good hacker, technically speaking, is extremely innovative with limited resources. What you hack, and for what purpose, are the key questions. Because the best way to know whether your fortress is impregnable is to be besieged and see if it holds, governments and companies are progressively agreeing to work in partnership with “white hats” (legal, or ethical, hackers) to protect themselves from outside attacks. The “Hack the Pentagon” competition rewards hackers, selected from among the world’s best, who find vulnerabilities in the U.S. Department of Defense’s websites and software. It is a state of mind. Mr. Robot is our new superhero.

For a long time, companies have relied on their Chief Information Security Officer (CISO) to take care of all of their cyber-security. In a way, the CISO is just another hacker. But he sits at the bottom of the food chain. The old saying (as old as cyber-culture itself) is that he often lunches alone. His primary job is to scold you because you are never vigilant enough. And staff mistakes are commonly estimated to be behind about two-thirds of corporate breaches. Forget to update your programs, open the wrong e-mail, or download a tampered piece of software, and you pave the way for any Trojan horse waiting to get into your system. The CISO cannot control people, and that is a fact companies tend to learn at their own expense. When the WannaCry ransomware struck in May 2017, the computers it hit were running Windows systems that had not received the MS17-010 patch Microsoft had published two months earlier: the worm spread on its own through a flaw in the SMBv1 file-sharing service, with no e-mail to open and no user to trick. Don’t imagine your grandma was the target. Hundreds of thousands of computers were infected across some 150 countries. None of the affected companies’ CISOs could do anything about it once it was inside. The savior of the day was a young British security researcher, Marcus Hutchins, who stopped WannaCry’s propagation by registering the unregistered domain the malware checked before running, a kill switch its authors had left in the code.

Why are bug bounty platforms the only viable answer adapted to today’s cyber-reality? According to Fabrice Epelboin, co-founder of the French bug bounty platform Yogosha, launched in 2015, the shift can be compared with the competition between Uber and the old cab companies’ business models. The digital transformation of the economy is a myth: there is no magic trick that turns a whole corporation into a shapeshifter as reactive, flexible, and modular as Uber. The tremendous advantage of a bug bounty platform (a “hunting club”, in Yogosha’s branding) is that you can attract outstanding hackers to do what they do best and turn it to your own benefit. But how can you make sure that your hackers are reliable? “We only welcome hackers who have both passed an examination we conceived to spot the most appropriate profiles, and who have been co-opted by two members of the platform,” says Fabrice Epelboin. “You can be an IT genius; it is not sufficient to be a good professional. We look for people who can translate their expertise pedagogically into a language understandable to our clients, who need help to fix the loopholes the hacker found.” Yogosha (which means “defense” in Japanese) prefers another word for the people behind this emerging business in Europe: researchers.

The researchers don’t hold companies to ransom. They don’t even pressure their clients to negotiate their reward: the bounty is set from a standardized severity measure, the Common Vulnerability Scoring System (CVSS), which scores a vulnerability from 0 to 10 according to how exploitable it is (attack vector, attack complexity, privileges and user interaction required) and how badly it hits confidentiality, integrity and availability; payout tiers are then tied to the score band. Most hackers on the World Wide Web are eager to contribute to the greater good. In Europe, 70% of the hacking community is involved in creating and improving open-source software, in keeping with the beautiful principle of Computing for All (the final objective has not been reached yet, but in January 2018 the population of internet users hit 4 billion, out of the 5.5 billion inhabitants of planet Earth aged 15 and over).

Even if Europe still lags behind the United States in the cyber-security field, many institutions are starting to follow the new trend. Abertay University in Dundee (Scotland) recently launched its Abertay Cyber Security programme, a Masters programme in ethical hacking. The University of Valenciennes (France) has also created a degree for ethical white hats.

Why is there such a need to train and deploy battalions of reliable hackers? Cyber-security is not a service anymore, it’s a process. As a company, especially one with disruptive R&D going on, your antivirus software will not do the job. You will need the white hats to protect you for as long as human error keeps undercutting security by design. The whole point of falling back on a community of hackers/researchers, rather than relying on a single one full-time, is that the crowd keeps testing your system continuously, not just once, in a time-boxed paid engagement.

Are the researchers the new knights of tomorrow? The Hack4Values movement seems to confirm it. White hats offer their hacking services to NGOs to make sure that no humanitarian or non-profit organization, nor the people who benefit from its work, suffers from malicious attacks.
