Members of the House of Commons Standing Committee on Public Safety and National Security, thank you for inviting us to speak today. I look forward to providing you with our perspective on cybersecurity and bug bounty programs.
I am vice-president of business development and policy of San Francisco-based HackerOne, the world's leading provider of hacker-powered security. I'm here with Jobert Abma, the founder of HackerOne. He founded the company when he was 23 years old and has been hacking since he was 13.
HackerOne operates bug bounty programs that connect companies and governments with the best white hat hackers in the world to find and fix vulnerabilities before malicious actors exploit them. As of January 2019, over 300,000 white hat hackers have registered with HackerOne to defend customers—among them, the United States Department of Defense—removing over 80,000 vulnerabilities and preventing an untold number of breaches in the process.
Today's cybersecurity practices are severely outdated, in contrast to the cyber threats that society faces. When exploited for criminal purposes, even just a single and relatively unremarkable security vulnerability can create havoc, as the Equifax data breach grossly reminded us in 2017. In 2018 many other breaches have made the press, including the WannaCry ransomware attack.
For financial institutions, fraud incidents both online and offline increased by more than 130% in 2018, resulting in significant monetary and reputational losses. In the U.K., the number of cyber-attacks against U.K. financial services reported to the U.K.'s Financial Conduct Authority has risen by more than 80% in the last year. It is an unfortunate fact that in the digital realm, society is currently failing to provide its citizens with what societies were established for: safety and security.
I would like to talk now about hacker-powered security—a scalable model that can be used to prevent cyber-attacks in society as a whole, especially in the financial industry and national security. Whatever protections and defences we build into our digital assets—and we should build a lot of them—there's one practice that covers every possible cause of cyber breach. There is an immune system that will approach the digital assets from the same direction as adversaries and criminals, from the outside. There is a mechanism that, at scale, has the opportunity to ultimately detect every hole, every weakness and every security vulnerability in a system or product built by humans.
This practice is often called hacker-powered security. Hacker-powered security covers any cybersecurity-enhancing services and automations that are partially or wholly produced by independently operating security experts outside the company or organization in question. It is a model that invites external and independent security researchers and ethical hackers to hunt for vulnerabilities in computerized systems. These are individual experts who have signed up to help corporations and organizations detect and fix their security weaknesses.
The most fundamental function of hacker-powered security is a vulnerability disclosure program, also called responsible disclosure or coordinated vulnerability disclosure. A vulnerability disclosure program is essentially a neighbourhood watch for software. The motto is “If you see something, say something.” Concretely, if and when an ethical hacker finds a security vulnerability in a company or government organization's website, mobile app, or other computer system, this person will be invited to disclose to the system's owner the vulnerability that was found.
Most human beings are ready to help their neighbour, so the impetus for vulnerability disclosure is enormous. Issues of legality and trust, however, make vulnerability disclosure more complicated than a regular neighbourhood watch. To solve this issue, leading companies have created their own policy frameworks for the disclosure of vulnerabilities to them, and others turn to companies such as HackerOne to organize and coordinate such programs.
When an entity decides to offer financial rewards to finders of vulnerabilities, the vulnerability disclosure program is called a bug bounty program. Bug bounty programs have existed since at least 1983. The practice was perfected by Google, Facebook and Microsoft over the past half-dozen years.
Hacker-powered security programs have demonstrated their effectiveness compared with other methods of vulnerability detection. Hiring full-time employees or external service or product vendors to test for vulnerabilities is more expensive. No other method for validating software or manufactured products in use by consumers has been shown to produce similar results at such a favourable economic unit price.
Hacker-powered security is a scaled model. Today, there are over 300,000 registered ethical hackers on our platform alone, and over the coming years, we hope that this number will grow to over one million. The army of hackers will be able to take on the work of the entire digital realm of our society.
Thanks to the diversity and scale of the hacker community, hacker-powered security finds vulnerabilities that automated scanners or permanent penetration testing teams do not. Existing models are good at finding predictable security vulnerabilities, but even more important is to find the unpredictable ones: the unknown unknowns. Given a large enough hacker community and enough time, such vulnerabilities will be identified.
Entities that operate such vulnerability disclosure or bug bounty programs include Adobe, AT&T, the U.S. Department of Defense, Dropbox, Facebook, General Motors, Google, Microsoft, Nintendo, Starbucks, Shopify, Twitter and United Airlines. Specifically in the financial industry, American Express, Citigroup, JPMorgan Chase, ING and TD Ameritrade have public VDPs.
The U.S. Department of Defense and HackerOne pioneered the first federal government bug bounty program. Since the program's inception, more than 5,000 security vulnerabilities have been safely resolved in DOD critical assets with hacker-powered security. While the majority of the vulnerabilities reported through the DOD were without financial compensation, hackers have been awarded hundreds of thousands of dollars in bug bounty payments by the DOD.
A question I get a lot is, who are these hackers? Security experts may be described using a variety of titles, including ethical hacker, white hat, security researcher, bug hunter and finder. One title is conspicuously absent: criminal. Hackers are not criminals. Specifically, bug bounty programs offer no benefit to someone with criminal intent. On the contrary, HackerOne will record data about every hacker on the platform and only reward action that followed the rules. For these reasons, criminals go elsewhere.
Hackers are driven by a variety of motivations, many of which are altruistic. The security advocacy organization I Am The Cavalry summarizes these motivations as to protect—make the world a safer place; puzzle—tinker out of curiosity; prestige—seek pride and notability; profit—to earn money; and protest or patriotism—ideological and principled. A 2016 study by the U.S. National Telecommunications and Information Administration within the Department of Commerce found that only 15% of security researchers expect financial compensation in response to vulnerability disclosure.
Hacker-powered security not only improves security, but the model democratizes opportunity and offers meaningful work to anyone with the inclination and drive to be a useful, ethical hacker. Many hackers are young adults. They can do their work from anywhere. The money hackers make is used to support families, pay for education and catapult them into successful professional careers.
Hacking brings meaning and mandate to enterprising people irrespective of their location. Hacking brings positive societal impact across the nation.
In conclusion, we need hackers. Our goal must be an Internet that enables privacy and protects consumers. This is not achievable without ethical hackers taking an active role in safeguarding our collective security. Hackers are truly the immune system of the Internet. They are a positive power in society. We must enable them to encourage contribution. This requires a safe legal environment, encouraging all individuals to come forward with vulnerability information, no matter what the circumstance.
To close, I will repeat the words of numerous experts that a ubiquitous “see something, say something” practice for vulnerabilities is a vital and critical step towards improving cybersecurity for consumers. The absence of a formal channel to receive vulnerability reports reduces a vendor's security posture and introduces unnecessary risk. Corporations and the government should welcome input from external parties regarding potential security vulnerabilities. The Canadian government should encourage, if not require, that behaviour.
Thank you for the opportunity to testify on this important issue.
Thank you to the committee for the invitation to share insights on some of the problematics perceived by fellow citizens with their access and/or security of their earnings or savings versus computer technologies.
First, I will give you a brief introduction of where I come from. After serving with the Canadian Armed Forces and DND for 23 years, I was privileged to be among the first cyber-soldiers in the country to manage networked information systems, from a LAN size of about 250 users to a MAN size of about 5,000 users on multi-sites at a base level in its early stages of integration. This was in order to provide the right information to the command structure in what was previously a paper-based process, from normal day-to-day office tasks to the academic activities I was doing at CMR Saint-Jean as well as in operations. More recently, my job has been educating and training professionals and the public on how to apply best practices in information technology and to explain, in plain language—as we will do today—what is happening in the cyber space that affects everyone and everything on almost a daily basis with the news media. I shall present these insights to you now.
The situation is that it is a quarter past midnight.
This is the 21st century, as you all know. We are more connected than ever and our lives are more and more automated. In large part, the country's economy depends on the use of technology, by small and medium-sized companies and by big business. Even government services have turned a technological corner. The reality, however, is catching up with us more and more.
The few examples listed in the document I submitted to the committee demonstrate that the problems will continue as time goes on, but they are still of concern now. For example, the smartest programmers and IT experts are designing improper configurations in order to give themselves an unfair advantage in their stock market transactions.
Anyone who takes the time to learn about using, or even hacking, technology can find on the Internet techniques to find loopholes and to get around security. The latest techniques can be used to exploit the flaws, most of the time in order to get one's hands on information that will lead to financial gain.
In recent years, especially in 2017 and 2018, we have heard that ransomware is pervasive and virulent. It can attack not only individuals, but also any organization at all without exception. This type of scam still affects us because people are poorly informed and unable to identify the threats. The wrongdoers, moreover, have refined their methods, so that it is more and more difficult to identify the malware in a real email message.
Today, financial institutions are asking, not to say demanding, that their clients conduct their financial transactions only from their personal computers, their mobile phones, or by some other connected means. They expect everyone, employees and customers alike, to know how to work Windows 10, or the most recent version of Microsoft Office.
People do not have the training or the knowledge to use the basic tools used in those transactions. Most of the time, the transactions are conducted when security measures are not the best and the connectivity is dubious. Public Wi-Fi connections in hotels or Internet cafés are not secure at all. Cell phones, while they are hacked into less, are just as lacking in security.
The delay in deploying the promised high-speed connectivity to our regions reinforces the cynicism that comes from the lack of access to a speed decent enough to allow financial transactions. The cynicism comes from the fact that businesses and residences in Port-au-Prince, Haiti, have, or in the coming years will have, access to fibreoptics, well before those only 50 kilometres from Montreal.
What should we do, or what can be done? Well, I say take the lead and lead by example. It was with much enthusiasm that I heard about the set-up of the Canadian Centre for Cyber Security last October. This distinction of “cyber” as a separate component of “security” needed to be on its own to underline its importance. Too often I have encountered in large enterprises, as well as SMBs, “computer security” being considered as under the responsibility of the first appointed volunteer in the room. It's a necessary evil to many, but by having the federal government proceeding this way, few reasons can be found by any enterprises to set aside matters of cybersecurity and, hence, put the matters front and centre.
The CCC's recent changes in resources devoted to cybersecurity were long overdue. Canada used to be the nation of telecommunications firsts. Now we are dragging behind the rest of the world; we are trying to keep up with a technological wave of innovations. We used to have the best telecommunications equipment maker in the world called Nortel. It was taken away from us. Canada was one of the first nations to stand up as a leader in quantum security for computer networks. Most of that research was taken from us recently.
Strengthening the government's information systems has helped greatly to ensure their availability. Everyone can consult their information at any given time. As you have come to know, the prime target in computer exploitation is the weakest link, which to this day is the human component, particularly for the average citizen, whether at home or on the road.
The emphasis is on having a strong economy while using IT. This can be achieved by using information technology and by taking a live rather than a computer-based approach to educating those who use that technology. That means pretty much everyone nowadays. This approach reassures and gives the citizen or user immediate feedback.
Every day, Mr. and Mrs. Everyone are using incomplete software and hardware brought to this market without any guarantees that it will work—or that it won't fail. When cars are sold in this country, they come with all sorts of seals of approval, and Transport Canada oversees their safety. You can buy a set of Christmas lights anywhere in the country and they will come with a seal of approval from the CSA. Industry Canada oversees their application and safety. Who applies the same controls and validation to computer code or electronic hardware?
These devices on which we depend each day—also known as IoTs—are roaming freely all around us, without any form of safety certification. Insulin pumps are an example. Although the importation and sale of such devices seems to be regulated by Health Canada, who oversees the code used by these devices to keep people alive? Are they doing the right thing? Are pacemakers in the same situation? I believe they are.
Who certifies the computer code for ATMs to ensure that Canadian citizens have access to their money when needed, or smart dolls? We hear that they are being sold in North America even though they have been declared illegal spying devices in Germany due to privacy issues with kids. Who is supposed to protect our children's privacy from these immoral devices, if not the Privacy Commissioner?
Hardware and software code should be overseen by an independent government agency like CSA, as an example. Ideally, this agency would have a say about what's distributed for life-critical devices and would impose stiff penalties for non-conforming products—or simply ban them from the market.
In that matter, we are now confronted with a new dynamic in today's economy, the use of biometrics to do business. In July last year, the Chinook Centre in Calgary was caught embedding facial recognition cameras in the mall's interactive panels. It was documenting the clientele without their knowledge, with no warning whatsoever.
Complaints were made to the privacy commissioners of Canada and Alberta. To this date, none of the reports from these investigations, started in August 2018, have been published. I just came from the Promenades Gatineau, where I documented the presence of these panels, though not from the same company. They embed cameras on the panels without warning people they are being documented at that place.
We are now confronted with a similar situation at Place Laurier, where four stores are openly using facial recognition with the goal of documenting clients' feedback through their biometric characteristics. This kind of tracking is already happening with cellphones, of course, and the fidélité cards that consumers use in stores.
It would certainly be beneficial to everyone if the OPC were to grant authorizations, after a proper accreditation process, to organizations and businesses for the use of biometric technology. This would minimize the cost overruns of inquiries and also reassure citizens that the government has their backs with respect to privacy matters.
Is it too late? No, I believe that there is still time to do things right.
As for any tool, we must take the time to read the manual before we use it. Who among you has used or read the manual for Windows 10, Windows 7 or Windows XP? My feeling is that none of you did. They are very large documents. People are afraid of them and run a mile. At that point, third-party assistance becomes necessary. The human beings using the machines still need other human beings to train and guide them.
Your enlightened study of this issue will certainly be appreciated and will allow for improvements to what is not working well. That will create the impetus we need for the various participants to contribute to a better economy and it will help us once more to become the leaders that, fundamentally, we are.
I am now available to answer questions in both official languages.
Formally we are at the end of our questions, but I see that my colleagues are very keen. I hope that the witnesses will have a little bit of flexibility with respect to their times. My intention is to run to about 5 o'clock, but I'm going to take the chair's prerogative here and ask a question about cryptocurrency.
In this morning's news there was a story about a company called QuadrigaCX. It was a cryptocurrency company apparently worth about $250 million. The owner was about the same age as Mr. Abma, and he died. He had all of the passwords on his laptop. It strikes me as passingly bizarre that a $250 million company is completely locked up because nobody can open up the passwords on his laptop.
My first question is whether this is a challenge for HackerOne.
Some hon. members: Oh, oh!
The Chair: Is this, on the face of it, a massive disregard of people's security?
The second question has to do with blockchain. Even if you were able to get to the passwords, is blockchain technology such that even the skills of HackerOne or HackerOne on steroids couldn't play with the security of that technology?
I apologize for these being ill-formed questions, but this does strike me as a situation where what we're supposed to be studying, financial security, comes together with a massive technological failure. It may not turn out so badly in that no ill can come from a blockchain technology that, I think, can't be cracked. Am I right or am I wrong?