Security expert wants feds to recruit volunteer pen testers
But before you call for Jeremiah Grossman, CTO and founder of application security firm WhiteHat Security, to stand trial for treason, there's one caveat: These hackers have to report any vulnerabilities they find and promise not to break or steal anything.
Grossman, in a blog post on Wednesday, said .gov and .mil websites contain hordes of security flaws, most of which are not getting caught.
"Those [within government] who do acknowledge and wish to address the problem often lack the budget or authority to initiate a [remedial] project," he wrote. "Consequently, enemies, both foreign and domestic, are likely to know more about what and where our government's website vulnerabilities are than the defenders do."
As a result, Grossman's idea is to assemble a team of volunteer penetration testers who would agree to search for and disclose bugs to the government, while not harming anything in the process.
"I believe there are hundreds, maybe thousands, of vulnerability researchers ready and willing to volunteer themselves to find and disclose vulnerabilities -- for free -- if only allowed to do so," he wrote. "... That's right, let us hack .gov and .mil... How cool would that be! It is not like anyone is being prosecuted for simply finding a government website vulnerability, so no loss there."
Grossman added that corporations such as PayPal, Microsoft and Google already have adopted similar approaches.
"Their policies state that as long as researchers follow the rules of engagement -- essentially, not doing any damage or defrauding the system and discreetly disclosing their findings so the companies can create a fix -- no legal measures will be taken," Grossman wrote (he could not be reached by phone on Thursday).
Experts interviewed by SCMagazineUS.com on Thursday said they agreed with the premise of Grossman's idea, but worried that such an initiative is treading on dangerous ground.
"The state of web security in private and government systems is pretty bad, but you just can't say, 'Hey anybody try to break into my car if you promise to tell me you found a vulnerability and not steal my car,'" said John Pescatore, a Gartner vice president and research fellow.
Marcus Sachs, director of the SANS Internet Storm Center, said such an undertaking would have to be tightly regulated to avoid criminals becoming involved.
"There are many controls that would need to be in place to prevent this from becoming a disaster," Sachs told SCMagazineUS.com in an email. "If they want to let volunteers 'test' the web applications, there would need to be some sort of training and vetting process to protect both the government and the volunteer. Otherwise, it would be too difficult to tell legitimate testers apart from malicious actors, thus unnecessarily raising the workload for the few defenders and criminal investigators that government [already] has."
Mano Paul, the international software assurance adviser for (ISC)2 and the global education committee chairman for the Open Web Application Security Project, agreed that this "could potentially do more harm than good."
Specifically, Paul said he believes legalizing the hacking of these sites could attract untrained researchers who could damage government systems. Meanwhile, malicious foreign hackers would have no obligation to follow any of the rules of engagement, he said.
"By legalizing hacking, you have no teeth to go after them," Paul said. "Even without hacking being legalized, it seems like there is little that is legally enforceable when it comes to transborder incidents, since international jurisprudence needs to factor in political considerations as well."
The security of government and military web applications could be better hardened through more robust code development, Paul said.
Though not everyone is ready to endorse Grossman's proposal, security observers agree that the government's web applications are not being tested as thoroughly as they should be.
"They've tended to rely on yearly audits versus some sort of continual or fairly regular pen testing-type approach," Pescatore said, adding that laws need to be passed requiring more application monitoring.