What is the state of the cybercrime landscape in 2023?
According to the World Economic Forum, cybercrime now poses the most significant threat to businesses worldwide. Moreover, entire populations are at heightened risk, with critical infrastructure increasingly being targeted by nation-states. Our own 2023 Hacker Powered Security Report states that ninety-eight percent of ethical hackers focus their efforts on websites. However, other technologies are also becoming of increasing interest to hackers, with seven percent specialising in GAI tools. Ethical hackers’ outsider mindset represents the same focus that threat actors have when looking to penetrate organisations’ cybersecurity measures. Reports for misconfigurations have also increased by 151% in the past year, along with other vulnerabilities common in cloud infrastructure, like improper access control and authorisation.
The methods employed by today’s digital threat actors have baffled even the most seasoned cybersecurity veterans. Everyone remembers the 2017 casino hack, where threat actors used a fish tank’s temperature sensors to hack the casino’s network and access sensitive information. Another example is attackers hacking the Twitter accounts of multiple high-profile individuals, such as Elon Musk and Joe Biden, to post Bitcoin scam messages.
The advanced and increasingly destructive methods used by threat actors demonstrate a level of sophistication and savvy that is hard to match. Given the pressures that organisations face to combat these cybercriminals, it seems reasonable to expect them to embrace every cybersecurity tool at their disposal. However, many organisations are still failing to take full advantage of one of the most effective and time-tested tools available: the ethical hacker.
Given that HackerOne’s own research shows most cybersecurity pros believe ethical hackers can have a positive impact on cybersecurity, why are businesses still slow to implement them into their strategies?
By this point in 2023, I had hoped that the global hacker community would be widely recognised and embraced as an essential part of every company’s cybersecurity arsenal. I imagined a scenario where hackers would be as routine and uncontroversial as firewalls or security hygiene training. It shouldn’t be a surprise, considering that hackers have been an integral and respected part of the cybersecurity world for nearly three decades now. In fact, the concept of bug bounty programs originated all the way back in 1995 when Netscape pioneered the first one.

Over the years, tech giants like Microsoft, Facebook, and Google have not only implemented their own hacker-centric initiatives but have also doubled down on them. These are not organisations known for willingly exposing themselves to risk. The UK’s National Cyber Security Centre has already adopted a vulnerability disclosure reporting program, and the UK Ministry of Defence (MoD) is working with the hacking community to build out its bench of technical talent with these diverse perspectives. In addition, the U.S. Department of Defense (DoD) has benefited from the expertise of a global community of nearly 5,000 hackers, receiving over 46,000 actionable vulnerability reports. These highly fortified and technologically advanced entities, staffed by intelligent individuals who are strongly motivated to protect their employers, have recognised the value that ethical hackers bring.
So, why is there still hesitancy from many organisations to fully trust hackers? In part, it boils down to a branding issue. For too many people, the term “hacker” still carries negative connotations associated with malicious behaviour. It’s time to move past this outdated perception. Hackers have made significant contributions to the safety of our current cybersecurity landscape. Holding onto this misinformed image in 2023 not only perpetuates an unfair stigma but also hinders the future safety of the internet.
As emphasised by Gartner, effective cybersecurity programs must be human-centric. Failing to recognise and leverage the skills of ethical hackers leaves companies at a higher risk of attack. It is crucial for organisations to understand that trust in hackers is critical for their own security. By embracing and integrating hackers into their cybersecurity strategies, companies enhance their ability to proactively identify vulnerabilities and better safeguard their systems and data. It is time to shift our perspective and appreciate the role that hackers play.
What’s the problem with the word ‘hacker’?
The world’s leading dictionaries define “hacker” in different ways, but they all point to the act of hacking as being on the wrong side of the law. The terms “unauthorised”, “illegally”, and even “unskilled” appear in their definitions. Cambridge Dictionary goes so far as to point to “related words, phrases, and synonyms in the topics: Miscellaneous criminals”!
We disagree with those definitions. And we think most of those in the infosec community would as well. We surveyed security professionals at the RSA 2023 conference, where 86% of respondents said there is a difference between ethical hackers and cybercriminals. However, 42% of those respondents say they still associate the word “hacker” with “cybercriminals that illegally hack systems with malicious intent”, which shows that more education is needed.
Despite this, the number of companies accepting the inclusion of ethical hackers in their security practices continues to rise. It is now widely accepted that ethical hackers are indispensable to ensuring robust cybersecurity. In fact, 88% of cybersecurity professionals at RSA 2023 acknowledged the positive impact that ethical hackers have in this field.
Among the remaining holdouts, a common concern voiced is the challenge of finding and coordinating the right hackers. However, this worry is now outdated. Numerous companies have emerged with the specific purpose of taking on these responsibilities. These companies can handle all the necessary work, making it seamless for organisations to leverage the expertise of ethical hackers.
Can you provide any examples of how ethical hackers are a force for good?
Hackers are creative people who look for innovative ways to get around limitations – the way we’d consider a “life hack” to be a clever trick to make life easier, hackers are making the internet a safer place. A hacker simply takes an outsider’s mindset when it comes to security and helps organisations see where they could be vulnerable to an outside attack – they can uncover vulnerabilities that would remain undiscovered by any other method. Furthermore, they spare your IT teams from being overwhelmed by irrelevant and distracting false positives, which are common in many cybersecurity programs.
Real-life testing, carried out by hackers, is essential because you simply cannot achieve the same results through any other means. While it is sensible for companies to test their code before production, it is important to recognise that many security vulnerabilities only emerge once the code is deployed and out in the real world. Since hackers are external to your organisation, their perspective is free from biases that may arise from working on the same product over an extended period. This is particularly significant considering that 95 percent of applications or systems have at least one vulnerability.
Moreover, in-house limitations, partially due to the ongoing IT skills gap, prevent most companies from conducting the continuous testing necessary for comprehensive security. In contrast, the supply of hackers is virtually limitless, thanks to the large worldwide community comprising experts with diverse and complementary skill sets. This enables continuous testing by a wide range of specialists.
Hackers’ research and responsible reporting have prevented countless crises over the years, and they continue to do so. For example, the zero-day vulnerability in the widely used Java logging library Apache Log4j was exploited in 2021 and allowed attackers to take complete control of affected servers. Designated CVE-2021-44228, this high-severity vulnerability permitted remote code execution without authentication, and the number of attacks exploiting Log4j grew every day. HackerOne’s community submitted over 1,350 reports to customers and was awarded more than $142,000. In doing so, they helped organisations complete their remediation and protect themselves during the small and critical window in which attackers were still developing effective exploits and ramping up attack volume.
As a result, it is essential to discard false and outdated notions about hackers that could jeopardise the safety of your company.