The second-in-command at the US Department of Justice says every business should have its own program to let third-party researchers find and report bugs.
Speaking at the Cambridge Cyber Summit in Boston today, Deputy Attorney General Rod Rosenstein said bug bounty and white-hat research programs will help companies avoid large-scale network breaches and data thefts.
"Software and hardware vulnerabilities are one means by which your networks are compromised. Finding and eradicating those vulnerabilities is an important aspect of cybersecurity," Rosenstein told attendees. "All companies should consider promulgating a vulnerability disclosure policy, that is, a public invitation for white hat security researchers to report vulnerabilities found on your system."
Rosenstein recommended that execs and other senior staff in the audience push their companies to look into setting up their own programs, under which both internal and third-party security researchers can test for security flaws and report them back to the company and its tech suppliers, potentially closing holes before they can be exploited by hackers.
He noted the DoJ already has its own guide for organizations on how to set up a bug-reporting platform. The hope, Rosenstein said, was that commercial outfits make themselves and the hardware and software they use more secure, and avoid breaches that the Feds would have to investigate.
"Many organizations find that the amount you can learn from 'crowdsourcing' your search for vulnerabilities in a controlled way is well worth it," Rosenstein said.
"The Department of Defense runs such a program. It has been very successful in finding and solving problems before they turn into crises."
At the same time, Rosenstein also talked up the need for policies that many developers argue will make software and hardware platforms much less secure: breakable encryption. The Deputy AG doubled down on his earlier calls to give investigators backdoors to decrypt data transmissions and stored info.
"We in law enforcement have no desire to undermine encryption. But the advent of 'warrant-proof' encryption is a serious problem. It threatens to destabilize the constitutional balance between privacy and security that has existed for over two centuries," Rosenstein said.
"Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, even when officers obtain a court-authorized warrant. But that is the world that technology companies are creating."
So open your doors to white hats before hackers find a way to break in. And then put in a backdoor anyway for black hats to find. Perfect sense. ®