Ethical Hackers Deserve Plaudits, Not Punishment

In cybersecurity, the helpful person who alerts government to a problem is frequently penalized. It shouldn't be this way.

December 23, 2021
2017-10-14-Ethereum Hackathon-6_web.jpg
ETHWaterloo hackathon at CIGI, 2017. Ethereum, like other mega-companies, rewards hackers who identify vulnerabilities.

If someone mentions you’ve left your car or house unlocked, your first thought is probably one of gratitude. Such good deeds deserve thanks, or maybe even a box of Timbits; surely, they don’t deserve to be reported to the police or filed with a criminal prosecutor.

Unfortunately, in the cybersecurity context, the helpful person who alerts you to a problem is frequently repaid by the government with the latter response. All too often, after an ethical hacker has notified a government, for example, about exploits and vulnerabilities in its online infrastructure, some thin-skinned politician seems to take the exposure personally and threaten criminal prosecution.

In fact, we should all be taking the opposite, Timbits-style approach. We should reward these ethical hackers with tokens of appreciation, honorifics and medals (if we cannot afford to reward them financially), as we do for other acts of good service by citizens.

The Dutch government has already adopted this approach, with wry humour. To hackers who have identified and disclosed vulnerabilities in Dutch government infrastructure, it offers a T-shirt with the slogan: “I hacked the Dutch government and all I got was this lousy t-shirt.” Many tech workers have celebrated their success at obtaining the shirt on social media.

Compared with the Dutch program, here’s a prime example of what not to do. On October 14, Missouri Governor Mike Parson announced he would file criminal charges against a reporter at the St. Louis Post-Dispatch. The alleged crime? The reporter had discovered and then notified the state government about a vulnerability in the Department of Education’s website that revealed teachers’ Social Security numbers in the website’s unencrypted HTML code. The newspaper held off on publishing the story while the government fixed the vulnerability.

The reporter’s decision to notify the government about the security weakness that he uncovered — a discovery Governor Parsons characterized as “hacking” — was a consummate act of good will. It saved teachers and the state from leaving private information lying around on the open web. Nonetheless, Governor Parson’s reaction was to refer this conduct to a prosecutor. On October 21, Parson “doubled down” on his commitment to pursue criminal charges against the reporter.

This precedent is a dangerous one. Punishing those who step forward to notify us about our vulnerabilities or to help in situations of danger — either online or off — is the fastest way to deter someone from doing so in the future. In the digital realm, it’s hard to think of a quicker way to undermine our cybersecurity posture. A different “hacker” might have sold such information to a hostile foreign or private entity, or even engaged in an act of ransom or extortion, as hackers recently did to Newfoundland’s health-care system.

A better route would be to set up systems that reward people like the reporter from the St. Louis Post-Dispatch for being good Samaritans. Liberal democracies such as Canada already do this in many other contexts. For example, Canada recognizes and honours volunteer service with Canada’s Volunteer Awards. Extraordinary Canadians are named to the Order of Canada for their contributions to the country. Centenarians even get a letter from the Queen for turning 100. And Canadian Forces members receive service medals or other individual honours for acts of valour and bravery.

We should do exactly the same thing for ethical hackers who identify exploits and vulnerabilities in our digital critical infrastructure when they report them to the Government of Canada. Just as Canada dispenses gratitude, recognition and honour in many other areas, it should reward ethical hackers for playing a part in keeping Canadians safe online. That recognition might take many forms — it could be as simple as a thank-you letter from the prime minister or minister of public safety, a medal, a certificate, a toque (to put a Canadian spin on the Dutch t-shirt), or even recognition in a Hacker Order of Canada or a Hall of Fame-style website hosted by the Communications Security Establishment. Regardless of the form it takes, acknowledgments recognizing the importance of protecting our cybersecurity could pay huge dividends in keeping Canadians safe and creating greater awareness of citizens’ role in safeguarding everyone’s security.

Lest the idea of public recognition for hackers sound far-fetched, consider that the costs of doing so would be minimal, compared with the costly alternatives. Mega-rich companies such as Apple, Meta, Google, Shopify and Tesla have a simple way of incentivizing hackers and developers to identify vulnerabilities and exploits in their systems. They dangle enormous “bug bounties” in front of hackers, offering cash to those who identify them. Many decentralized cryptocurrencies incentivize such work through the issuance of tokens and coins, and Ethereum even uses a video game–style “leaderboard” for hackers who identify vulnerabilities.

Several liberal democracies have started mimicking these financial rewards offered by big tech companies. For example, this year the European Union launched its own bug bounty program, and the US Department of Defense has also toyed with the idea. In July, President Biden even put out a $10 million reward program for information that identifies criminal hackers. The Biden administration has also sought to bolster requirements for the government’s tech vendors to notify the government if their systems are breached.

Unfortunately, Canada has neither the cash nor the interest, it seems, for a bug bounty program, and even its websites for reporting threats are pretty basic. (One also wonders how secure they are, given that Canada’s spy watchdog, the National Security and Intelligence Review Agency was hacked in March.) So, instead of using such programs, Canada should try something else — using its symbolic power. Leveraging recognition, thanks and honour is a simple way to support and encourage the work done by those who care about keeping the country’s online infrastructure safe. Such an effort would operate on the premise that money might be a powerful incentive, but it is not the only one.

Recognizing the contribution of ethical hackers puts them on the same plateau as volunteers, centenarians, veterans and other extraordinary Canadians. Anyone who thinks that’s a stupid idea probably needs to change their password, because cyberwarfare poses a major threat to Canada’s online infrastructure, as everyone in the Canadian nationalsecurity establishment keeps repeating.

Six months ago, hackers shut down the Colonial Pipeline, which delivers 45 percent of all fuel on the east coast in the United States. Likewise, the damage of the SolarWinds attack, which is not even a year old, is still being calculated, but Microsoft President Brad Smith has already called it “from a software engineering perspective…the largest and most sophisticated attack the world has ever seen.” It’s worth mentioning who alerted the US government to the SolarWinds attack — a private entity.

As data breaches of government websites and attacks on our online infrastructure become increasingly common, it is wishful thinking that Canada’s paid civil servants can do the work of keeping us safe all by themselves. Private individuals and entities have so much to contribute in this area. Rather than take their expertise for granted — or worse, punish them for it — we should honour them for their contributions.

It doesn’t cost much to say thanks, but making this little effort could pay enormous security dividends.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Matt Malone is a research associate at the Centre for Law, Technology and Society at the University of Ottawa.