PSA: If your security starts and ends with bug bounties, you're gonna have a bad time

Analysis Remember when Uber tried to cover up the fact its AWS datastore containing records on 57 million riders and drivers had been hacked? And that it bunged the hackers $100,000 to shut them up, and then disguised the expense as a bug bounty payout?

Who could forget? Certainly not shocked US lawmakers, who held a hearing in Washington, DC on Tuesday to consider whether anything has been learned from the sorry affair, and how legislation may help prevent future computer security cockups.

Given that Congress has all but forgotten about Equifax fumbling sensitive data on 143 million Americans, and millions of others around the world, you may be forgiven for thinking politicians don't actually care.

Well, the Senate's subcommittee on consumer protection, product safety, insurance, and data security at least went through the motions this week by inviting experts to testify, and an Uber executive to be contrite, on matters of hacking and whatnot.

It was suggested the proposed Data Security and Breach Notification Act could be effective in cracking down on corporations that are careless with people's personal files.

Introduced last November, the bill would "impose criminal penalties on corporate officials that willfully disguise breaches from the public," according to Senator Bill Nelson (D-FL), cosponsor of the legislation and a hearing participant.

For a sense of how many executives may be expected to go to jail over data breach deception if the bill becomes law, consider how many bank leaders responsible for the 2007-2008 financial crisis have been imprisoned: one.

In prepared remarks at a hearing titled, "Data Security and Bug Bounty Programs: Lessons Learned from the Uber Breach and Security Researchers," subcommittee chairman Senator Jerry Moran (R-KS) said his goal was to learn why Uber had not immediately notified people about its 2016 breach and to have a discussion about how vulnerability disclosure programs can improve cybersecurity.

Ignominy

Uber chief information security officer John Flynn, in prepared remarks, reiterated previous statements from the ride hailing biz's post-Kalanick leadership that "it was wrong not to disclose the breach earlier."

He told senators that Uber has learned something from the public ignominy and lawsuits the company has endured as a result of being hacked.

"We recognize that the bug bounty program is not an appropriate vehicle for dealing with intruders who seek to extort funds from the company," he said.

Flynn said Uber had quit using GitHub to store its proprietary code. The hacker who penetrated Uber's defenses found credentials for the company's AWS data store in a private GitHub repository, he explained, without detailing how the private repo was compromised.

He also said the transit-app biz has expanded its use of multi-factor authentication for AWS, implemented IP address whitelisting, refined its identity & access management permissions and authentication mechanisms, and implemented credential auto-expiration.

Extortion

Flynn and other hearing participants expressed support for bug bounty programs as a way to improve online security, though some feel legitimate vulnerability disclosure isn't always easy to separate from extortion.

While supportive of bug bounty programs in general, Justin Brookman, director of privacy and technology policy at Consumers Union, a consumer advocacy group, said that state data breach notification laws, which first came into being in 2002, need to be reconciled with vulnerability disclosure programs to avoid alarming people unnecessarily about security flaws.

Clearly, it would not be useful to mandate customer notifications every time a bug gets found, lest people start treating the messages like all the other app-oriented notifications they ignore.

Brookman also observed that there's nothing inherently wrong with lobbying for a better bounty, even as he allowed that, "At some point, a request for more money may convey an implicit — or explicit — threat to sell the exploit or compromised data elsewhere if the demands are not met."

He concluded that Congress needs to pass laws that provide companies with better incentives for investing in security.

Marten Mickos, CEO of HackerOne, a platform for vulnerability disclosure and bug bounty programs, came out in favor of rewarding hackers for security research – to no one's surprise.

"Hackers are truly the immune system of the internet," he said, citing numerous successful bug bounty hunting initiatives in government. He advocated for reform of the Computer Fraud and Abuse Act to remove penalties for actions that don't harm people.

He also called for the harmonization of state data breach notification laws and encouraged companies to develop better channels for reporting bugs.

Katie Moussouris, founder and CEO of Luta Security and the person who convinced Microsoft to abandon its long-standing antipathy towards bug bounties, told legislators to look beyond bounty programs, noting that rewards create more bug hunters but don't necessarily lead to more bug fixes.

She recommended that legislative priorities should include support for better security education in all grade levels, and particularly for anyone involved in computer science programs. People have to learn secure coding and practices from the get-go, in other words.

In a phone interview with The Register, Moussouris said, "Everyone has gotten so enamored of bug bounties that they maybe have forgotten other investments in security that they should do first or alongside bounty programs."

Bug bounty programs, she said, have been over-marketed as a solution to finding bugs. "They're not a cost effective replacement for penetration testing," she said.

Moussouris said the hearing accomplished its goal, examining the use of bug bounties with regard to Uber's payout. Flynn acknowledged Uber had made a mistake and didn't make any excuses, she explained. "That's what the public and Congress needed to hear," she said. "What Congress needed to show was eventually you will be held accountable."

The extent of that accountability depends on the letter of the law, and there Moussouris said legislators should proceed with care. Noting that Sen. Moran is working on a bill to harmonize the various different state breach notification laws, she said she advised him that any federal law should not aim to be a common denominator by adopting the weakest of state requirements.

She also said over-regulation would be equally problematic because it could encourage companies to remain willfully ignorant of being hacked to avoid liability.

"These are not easy problems to solve," she said. ®