This blog was co-written by Kent Wilson and Roland Hansen.
The Department of Defense (DoD) and the public sector at large confront a cybersecurity landscape where asymmetric threats are the norm rather than the exception. Threat actors, wielding the element of surprise and the cloak of anonymity, often leave cyber defenders in a perpetual game of catch-up.
The DoD and public sector can flip this dynamic with the integration of crowdsourcing as a pivotal component of their cybersecurity arsenal.
Crowdsourcing as a ‘force multiplier’
Crowdsourcing has an inherent power to level the battlefield against asymmetric cyber threats. The concept of the ‘force multiplier’ is well-understood within military strategy, denoting a factor that dramatically increases (multiplies) the effectiveness of an item or group. In the context of cyber defense, we propose the crowd—a global, diverse, and agile assembly of cybersecurity enthusiasts, professionals, and hackers—as this critical force multiplier. By harnessing the collective intelligence, creativity, and skills of the crowd, the public sector can enhance its defensive capabilities far beyond what could be achieved through traditional means alone.
Benefits of leveraging crowdsourced security in the public sector
There are several key areas where crowdsourcing offers tangible benefits to cyber defense strategies in the public sector and beyond.
- Accelerated vulnerability discovery – Crowdsourcing accelerates vulnerability discovery in systems out to the tactical edge. Crowdsourced security programs, such as bug bounties and vulnerability disclosure policies, have proven their worth in the commercial sector by identifying and mitigating risks at a pace unattainable by in-house security teams alone. Applying these models within the public sector can significantly shorten the window of exposure to new threats, thereby reducing the adversary’s advantage.
- Enhanced security of AI systems – The crowd enhances the security of AI systems, which are increasingly at the heart of public sector operations. As AI technologies evolve, so do the strategies of those who seek to exploit them. Crowdsourcing can facilitate a continuous, dynamic testing environment for AI systems, ensuring they are robust against both current and future threats.
- Better skill and knowledge transfer – Crowdsourcing addresses the challenge of skill and knowledge transfer. Crowdsourcing initiatives serve not only as a mechanism for threat detection and mitigation, but also as platforms for learning and collaboration. By engaging with the crowd, the public sector can tap into a wellspring of knowledge, staying abreast of cutting-edge techniques and technologies in cybersecurity and AI.
Learning from CISA’s success
The Cybersecurity and Infrastructure Security Agency (CISA) is a great example of the success the public sector can achieve using crowdsourced security. CISA’s BOD (Binding Operational Directive) 20-01 requires all Federal Civilian Executive Branch (FCEB) agencies to develop and publish a vulnerability disclosure policy. CISA has partnered with industry to provide a platform enabling agencies to run Vulnerability Disclosure Programs (VDP) powered by Bugcrowd. Since launching in July of 2021, 40+ FCEB agencies have onboarded to the platform—including NASA, the National Labor Relations Board, the Department of Treasury, and Homeland Security.
In 2022, 4,091 unique reports from hackers were submitted to FCEB agencies, with 1,330 unique validated vulnerabilities, 274 critical or severe vulnerabilities identified, and 1,119 vulnerabilities remediated. The total number of vulnerabilities has already reached over 15,000 in less than 33 months. The best part of this is that the global crowd is doing a public service for these FCEB agencies through VDP programs.
“Our agency’s VDP hardly received any researcher attention prior to onboarding. We went from very little activity to a lot of activity, just by joining the VDP Platform,” the Department of Labor said.
Getting started with crowdsourced security
As the public sector looks to implement crowdsourced security, it can lean on the expertise at Bugcrowd to provide a strategic framework, including guidelines for engaging with the cybersecurity community, ensuring ethical and secure collaboration, and advice for leveraging outcomes to foster a culture of innovation and resilience.
The public sector is standing on the precipice of a paradigm shift in how it approaches cybersecurity. Upgrade your cyber defense mechanisms from solitary reflexes to a coordinated immune system response, from isolated fortresses to a network of defenses, and from static defenses to adaptive resilience. Embrace the crowd as your most powerful ally in the fight against cyber threats.