Why Indian CISOs Aren't Ready to Embrace Ethical Hackers
Analysis: A Missed Opportunity to Fight Cyberattacks

A 15-year-old boy in Delhi finds a one-time password bypass at a bank and informs the financial institution. Instead of rewarding or appreciating the effort, the bank sends him a legal notice. The boy is forced to sign a non-disclosure agreement with the bank. Meanwhile, the affected bank rectifies the problem with the help of a third-party vendor.
Unfortunately, this isn't an aberration but quite the norm for white hat hackers in India.
"White hat hackers are more like vulnerability penetration testers who understand the mindset of hackers. They can work with firms to combat attacks from hackers," says Rahul Tyagi, vice president at Lucideus, a global IT security services and solutions company. But many Indian CISOs still are reluctant to expose their systems to white hat hackers. As a result, much of the hacker community in India prefers to work for foreign firms or relocate abroad.
A CISO of a large bank in India, who asked to remain anonymous, says: "We can't compare ourselves to the U.S. Our culture is different and people here aren't mature enough to handle open hacking. If I reveal to the world that a vulnerability was found in my bank's system, I will lose customers and receive bad press. The media will publish a long negative article and we will lose our brand value."
This pretty much sums up the mentality of Indian CISOs and government when it comes to utilizing the services of white hat hackers. This is despite the fact that India reportedly produces more ethical hackers - those who break into computer networks to expose, rather than exploit, weaknesses - than anywhere else in the world.
The Current Scenario
The most common way to reward white hat hackers is through bug bounty programs. These offer individuals recognition and compensation for reporting bugs, especially those that constitute exploitable vulnerabilities.
In the U.S. and some European countries, bug bounties are common. Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than to those in any other nation.
Case in point: Bangalore-based Surya Prakash, who reported a bug in Facebook when he was 17 years old. "The company is fair in its payment structure to us. There are clear guidelines on the do's and don'ts," Prakash says. "From my experience, I can say that most ethical hackers in India aren't assured of payment. I have personally informed banks about certain bugs in their server, but the information never reached the top management." Too often, he claims, the matter is "brushed under the carpet at the CIO/CISO level."
Shashank Kumar, a white hat hacker working with trading firm Binary.com, complains that the Indian government is way behind in embracing ethical hackers. "Almost all the government websites never had proper security checkups," he says. "Indians top the bug bounty programs by Facebook, Google etc. But the government has no idea of the talent residing in the country."
Although some private companies in India have started approaching ethical hackers, there is still a long way to go. "They aren't willing to pay like other big companies outside India do," Kumar says. "And for those who are reluctant to pay for security, the recent Zomato hack was an example of what hackers can do if not rewarded adequately."
In May, Zomato, a restaurant search company, suffered a breach when a hacker stole 17 million user records from its database. The hacker threatened to sell the information unless Zomato, valued at hundreds of millions of dollars, offered bug hunters more than just certificates of appreciation for their honesty.
Why Is India Hesitant?
The reluctance to use white hat hackers stems from a lack of trust.
Companies and government bodies in India fear that white hat hackers will not reveal all bugs to them, says J. Prasanna, director at the Cyber Security & Privacy Foundation Pte Ltd. "They fear that hackers will sell hackable bugs on the dark net," he says. "Companies and government bodies here suffer from insecurities and don't want to tell people that they are vulnerable."
Some companies see bug bounty programs as opening up their infrastructure to the public for damage. "They don't trust the white hat hacking community or simply don't want an anonymous tech junkie to be fiddling around with their million dollar infrastructure," says Himanshu Sharma, founder of BugsBounty.com, which provides crowdsourced security solutions.
Another concern about bug bounty programs is the cost.
"The bug bounty programs generally have a minimum bounty of $100. The average bounty paid to a researcher is $500 for a single report which is generally a month's pay for a junior security analyst in an organization in India," Sharma says. "It doesn't make much economic [sense] to add extra expense per bug when companies are anyway spending so much by outsourcing their security."
In the case of the government, opening up internal infrastructure to public bug hunting is riskier still, because it requires a great deal of preparation - defining scope, rules of engagement and a triage process - to ensure that the program doesn't backfire.
Tyagi says it's difficult for the government to trust hackers who aren't certified. "Hackers are usually school and college students," he says. "In India we have a different culture. The government can't make itself vulnerable in front of these hackers. Though bug bounty programs are good, it might take time in a country like India where payment for each bug found isn't very high."
Although the Reserve Bank of India (RBI) claims to be working with white hat hackers, some industry insiders have doubts. "They keep speaking but it's not the truth - they engage with security vendors who claim they have white hat hackers," Prasanna says.
Some white hat hackers, faced with minimal or no payments for their work, turn to the dark net for income, he adds. "I know of ethical hackers who never got paid despite issuing alerts to organizations. Instead they were threatened with legal consequences. In such a scenario, they are forced to sell on the dark web. We are making criminals out of talented people."
What's the Next Step?
Some security experts say companies and government bodies alike should start hiring white hat hackers to help in the fight against cybercrime.
In addition to improving security, hiring white hat hackers would help boost interest in careers in ethical hacking, Kumar contends.
Hiring hackers and creating bug bounty programs is a better approach than simply relying on a small cybersecurity team to thwart the latest threats, Sharma says. "A thousand brains working toward a single goal is obviously better than five of them."