Cyber Security is of vital national importance. As the United Kingdom places more of its infrastructure onto the Internet, bugs and glitches go from minor inconveniences to full scale national emergencies.
Suppose, for a moment, that a hacker were to interrupt payment processing for banks, or tamper with the UK’s water supply, or cut off the phone lines. The economic damage alone could run into the billions.
Anyone discovering such a flaw could illegally exploit it for their own gain, or sell the vulnerability to the highest bidder.
The computer industry’s solution to this problem is the “Bug Bounty”. Any security researcher or hacker who finds a security bug in, say, Facebook is able to disclose that bug directly to Facebook in return for cold, hard cash. And a generous “thank you” note. This provides an economic incentive to find and safely reveal bugs.
Some companies band together to provide bug bounties for critical Internet infrastructure. The giants of Capitalism banding together in Socialism to protect their interests. Lovely!
Ideally, I think, Governments should compel businesses to provide bug bounties. Think of it like a form of punitive fine – inapplicable to responsible companies. Force the privatised utilities, large companies, and infrastructure providers to pay up for security flaws in their software and hardware.
It’s not so unreasonable; the Government already fines companies for breaches of the Data Protection Act – so why not fine companies for breaches of a future “Computer Security Act”.
But that will be a long time coming. Let’s start closer to home.
Why doesn’t the UK Government offer a bug bounty for its services?
Imagine that you’ve just found a gaping huge security flaw in HMRC. With a single command from your computer, you can subtly alter your tax status – or see how much tax an individual has paid – or erase evidence that someone has paid their owed tax.
Ignoring the illegal aspect of acting on your findings – where’s the incentive to responsibly report the problem? After all, you’d get a huge pay-day from selling it to the criminal underworld.
Let’s step back a bit – how would you even successfully report your findings to the Government?
Assuming you’ve even heard of the Office of Cyber Security and Information Assurance, the only way of contacting them is via email. They don’t offer a PGP key, so there’s no way of contacting them securely. Oh, and based on my experience, they don’t reply.
One could also try contacting the affected Government agency. But again, based on my experience, they won’t have the first clue of how to respond to a reported security flaw.
Finally, one could try escalating to GCHQ’s GovCertUK – the security agency charged with protecting vital national computing infrastructure. They do offer a PGP key – but its validity expired at the end of January 2014…
Wouldn’t it be brilliant if our shiny new GOV.UK were to offer an easy-to-use form for reporting security vulnerabilities? Obviously, they would need a team acting as a clearing house for all the reports they receive, and the legal authority to test the vulnerabilities reported.
Finally, if a bug was found within the Government’s IT infrastructure, they could force it to be fixed and offer the reporter a suitable reward. It needn’t be monetary, of course, it could just as easily be a medal, an honour, or a Peerage – whatever they deem suitable for strengthening the nation’s security.
Is this something the Government should be involved in? Or should citizens simply exhaust themselves trying to report bugs with little prospect of them being fixed and no prospect of a “thank you” – let alone a reward?
Without a bug bounty, what incentive does the Government have for keeping its electronic infrastructure secure? Or do they just believe that the “stick” of criminal sanctions is larger than the carrot of rewarding decent behaviour?