Enticing Hackers to Work for Good

by Jeff Wiener on July 17, 2015

For several years now I’ve been writing articles about the ongoing cyber-war, the most poignant point being that we really have no hope of winning it. In the face of the looming threat of cyber-intrusion, companies have for years been throwing money at a problem that they both have no idea how to fix and no idea that there is no fix. But as I’ve long said, while comprehensive defence solutions may not be available in this ever-changing tech world, there are ways to mitigate the risk of cyber attacks, from changing data collection habits to employing technology usage guidelines for employees.

Then I stumbled upon a rather innocuous story this week about United Airlines rewarding “ethical” hackers with a substantial amount of free flights for finding security vulnerabilities in its systems, one that stood out not so much for its specific content, but for the theory of combating cyber intrusions.

While companies continue to try to find ways to stymie the efforts of hackers, United has taken a different tack, ostensibly contracting them to do security work and offering them rewards greater than those reaped through nefarious digital endeavours. As I’ve always said, cyber crime is a game of cost/benefit analysis; thus the only way to truly combat hackers is to lower the cost (i.e. the amount of effort involved in hacking) and increase the reward. Sure, it feels like a mob shakedown for “protection,” but my guess is that, for the time being at least, it may be the most effective response.

Granted, employing hackers in a “bug bounty” contest—that is, encouraging hackers to find system vulnerabilities in exchange for a reward—is nothing new, but United has done something that I think supersedes any similar efforts that have come before: it has made the bounty worthwhile. The company announced that two hackers have been rewarded with 1 million flight miles, worth dozens of trips, for disclosing vulnerabilities to the company instead of making them public.

“Schemes like this reward hackers for finding and disclosing problems in the right way. That makes the internet safer for all of us,” said security consultant Dr Jessica Barker.

“Bug bounties are common in tech companies as they tend to understand online security a bit more, but other industries are catching up,” said Dr Barker.

While the tech industry has traditionally rewarded freelance hackers with cash, for the most part the rewards have been relatively paltry, so here United is again offering the business world a new take on discouraging cyber intrusions: give them something worthwhile.

Particularly for companies who don’t have the cash to pay hackers to do security work, United has demonstrated that goods and services work just as well, and while some will likely see it as paying off the bad guys, Dr. Barker disagrees: “It should be part of an overall approach to security, but it’s definitely a good approach… It encourages positive behaviour and shows young hackers that they can benefit from doing the right thing.”

In the end, the most effective deterrent in the cyber war may not be advanced security systems or copious amounts of highly trained security staff (although that’s all still necessary), but a proactive approach to utilizing the skills that hackers have in a positive way, letting them know that good deeds can reap better rewards than bad ones ever could.
