It seems a week doesn’t go by that there isn’t news of ransom-seeking computer hackers shutting down a small municipality, a medium-sized hospital or a huge oil pipeline. That latest hit, on Colonial Pipeline, had some panicked Americans hoarding gasoline in plastic bags, leaving many to wonder how vulnerable U.S. companies and government entities are and if all of this is just the tip of the iceberg.
A task force is still assessing the damage done to some 100 companies and nine government agencies that were hacked in 2020.
If anyone knows how bad it could get and how prevention can succeed, it would be Matthew Cornelius, the executive director of the Alliance for Digital Innovation and former senior technology and cybersecurity adviser at the Office of Management and Budget.
“A lot of the big tech firms and now even non-tech firms have been using security researchers to test their systems to provide vulnerability reports and to help them improve the overall cybersecurity of their public facing, and in some cases, non-public-facing information systems,” he said.
At OMB, in an effort to hire talented cybersecurity professionals, the agency paid top dollar in order to compete with private-sector firms, Cornelius added. Then they had another idea.
“What if we didn’t have to pay these folks? What if we made it the policy of the federal government to enable security researchers to come and conduct authorized security research on federal information systems and provide those reports to agencies so that they could better understand their cyber posture,” he told Federal Drive with Tom Temin.
With the growing sophistication of the hackers, Cornelius said that software development has a never-ending lifecycle, in which different approaches must be imagined and executed.
“Allowing folks who may have new skills or different skills or new ways of thinking about the technology that’s happening, the code that’s being written, to have them come and take their own look at this and so long as they’re doing it within a framework that the agency understands and authorizes, and commits to working proactively with the security researcher to understand the vulnerabilities they found, work with them to help remediate them. That just increases the baseline of cybersecurity across the federal government,” Cornelius said.
As hackers, both domestic and foreign, become more relentless in their pursuits, defensive tactics must change, leading to what Cornelius calls “the principle of it all: you don’t know until you know.”
“You have new people taking a look at a system or website or the software in a different way, you’re essentially sort of crowd testing how that works,” Cornelius said.
Don’t fear hackers, hire them.
“The best thing that government can do from a customer experience and usability standpoint is to make their websites and forums easier to use and to make sure that they’re not open to malicious attack and hacking, because no one’s going to want to give their information to the government or to sign up for a program or benefit or service on a federal website if they don’t feel that their information is going to be secure.”