As you may already suspect, my proposal for increasing cybersecurity is transparency.
A transparency borne of crowdsourcing cybersecurity.
What are the consequences of the current cult of secrecy around cybersecurity?
Here’s my short list (feel free to contribute):
- Governments have no source of reliable information on the security of their contractors, vendors, etc.
- Corporations have no source of reliable information on the security of their contractors, partners and others.
- Sysadmins outside the “inner circle” have no notice of the details of hacks, with which to protect their systems.
- Consumers of software have no source of reliable information on how insecure software may or may not be.
Secrecy puts everyone at greater cybersecurity risk, not less.
Let’s end cybersecurity secrecy and crowdsource cybersecurity.
Here is a sketch of one way to do just that:
- Establish or re-use an agency or organization to offer bounties on hacks into systems.
- Sliding scale where penetration using published root passwords are worth less than more sophisticated hacks. But even a minimal hack is worth say $5,000.
- To collect the funds, a hacker must provide full hack details and proof of the hack.
- A hacker submitting a “proof of hackability” attack has legal immunity (civil and criminal).
- Hack has to be verified using the hack as submitted.
- Upon verification of the hack, the hacker is paid the bounty.
- One Hundred and Eighty (180) days after the verification of the hack, the name of the hacked organization, the full details of the hack and the hacker’s identity (subject to their permission), are published to a public website.
Finance such a proposal, if run by a government, by fines on government contractors who get hacked.
Defense contractors who aren’t cybersecure should not be defense contractors.
That’s how you stop loss of national security information.
Surprised it hasn’t occurred to anyone inside the beltway.
With greater transparency, hacks, software, origins of software, authors of software, managers of security, all become subject to mapping.
Would you hire your next security consultant from a firm that gets hacked on a regular basis?
Or would you hire a defense contractor that changed its skin to avoid identification as an “easy” hack?
Or retain a programmer who keeps being responsible for security flaws?
Transparency and a topic map could give you better answers to those questions than you have today.