Federal cyber-security guidelines finally require agencies accept help from 'white hat' hackers

As the decade comes to a close, it's certainly a relief to see that the Cybersecurity and Infrastructure Security Agency (CISA) is continuing to adjust its policies and create more "binding operational directives" (BODs) designed to encourage improved communication in response to possible new threats in the cyber-sphere.

One BOD in particular will force government agencies to interact in a positive manner with voluntary bug reporters.  In the past, some agencies would treat these so-called "White Hat Hackers," who come forward with helpful information regarding system flaws and vulnerabilities, as criminals.  Under the proposed rules, federal agencies are required to provide and monitor channels for individuals to use in reporting security flaws.  Agencies will also have to respond and keep researchers updated on their efforts to fix identified security issues.

Additionally, agencies are no longer allowed to publish threatening language that may discourage white hat hackers.  They also cannot forbid hackers from publishing bugs after waiting out an "acceptable period."

This is important in consideration of all of the wide-ranging hacking attacks that have occurred in the millennium's second decade.  If nothing else, the last ten years were a sobering introduction to the vulnerabilities that exist within the mechanisms we've become dependent on for everything from messaging to managing our finances and even our shopping needs.

In case you have forgotten, here are some of the more prolific and historically significant hacks and data breaches of the past 10 years:

  • In 2013, a group of hackers from Eastern Europe were able to obtain over 160 million records from companies including Nasdaq, 7-Eleven, J.C. Penney, and many others.  The hackers, who were eventually caught and charged by federal prosecutors, were affiliated with Miami-based hacker Albert Gonzalez, who was already serving a 20-year sentence for his previously committed cyber-crimes.
  • In terms of the sheer number of victims, one of the biggest recorded hacks ever was committed against the hotelier Marriott in 2018.  The attack netted hackers information on a whopping 500 million guests of the hotel.  They obtained the names, addresses, credit card numbers, and phone numbers of the victims, as well as travel itineraries, including passport numbers and arrival and departure dates.  In the aftermath of the incident, the company's shares dropped almost six points.
  • Facebook, the largest and most trafficked social media site in the world, managed to leave data on 540 million users unprotected on cloud servers.  This was in addition to another incident where at least 50 million users' data were confirmed as being at risk after hackers exploited a vulnerability that allowed them to obtain personal data.
  • In September 2019, a government technology contractor, Miracle Systems, which is based in Virginia, was hacked and saw its data put up for sale on the "dark web."  The contractor had ties to the U.S. Department of Transportation, the U.S. Department of Homeland Security, and the National Institutes of Health.  The contractor was hit by a malware strain known as Emotet, which is typically distributed through email attachments. 

The next decade will only bring more attacks like these from increasingly innovative criminal hackers.  In addition, we will probably see more instances of entities failing to guard data in the best possible manner.  Irresponsible internal policies and the harmful outdated sentiment from the security community toward helpful white hat hackers looking to disclose their findings on critical vulnerabilities should be left in the past.  With regard to our online security, modern times certainly require a shift to modern attitudes.  

Julio Rivera is the editorial director for ReactionaryTimes.com, a political columnist and commentator, and a business strategist.

Image credit: Pixabay.