Policy Analysis: Tapping into the Wisdom of the Cybersecurity Crowd

Abstract

In May 2017, Warren Buffet called cyberattacks “the number one problem with mankind”. Cyberattacks are occurring with alarming frequency, sophistication, and scale. The credit reporting company Equifax disclosed in September 2017 that hackers had stolen the personal information of about 143 million United States consumers by exploiting a website vulnerability. Earlier that year, the WannaCry and NotPetya ransomware used a tool stolen from the NSA to attack hundreds of thousands of vulnerable machines and hold them hostage.

These attacks had in common the exploitation of software vulnerabilities by cybercriminals. According to the CERT Coordination Center (CERT/CC) of Carnegie Mellon University’s Software Engineering Institute (SEI), over 90 percent of reported security incidents are the result of exploits against software design or coding defects. Determining the best way to tackle software vulnerabilities is an ongoing challenge. I argue in this policy analysis that a focus on eliminating or reducing software vulnerabilities is a key pillar in the fight against cybercrime, and that engaging the community of independent white hats in this undertaking provides the highest chance of success.