“Technology is changing much faster than our ability to secure it,” Katie Moussouris, a hacker and a pioneer in vulnerability disclosure, told CyberNews.
“The rule that we have with our customers is no bug bounty botox. We don’t want people doing bug bounty programs if they are not ready,” Katie Moussouris, American computer security researcher, entrepreneur, a pioneer in vulnerability disclosure, and the founder of Luta Security told CyberNews.
Katie has been programming computers since she was 8, she helped Microsoft develop its bug bounty program, and worked with the US Department of Defense on the government’s first bug bounty program ‘Hack the Pentagon’.
Katie is also fighting the misconception that ‘hacker’ means ‘criminal’.
“We, hackers, really love showing off our tricks to other people. So it’s hard to be a criminal if you actually want to tell other people how you did it,” she told CyberNews.
So, you got your first computer at the age of 8. Did you know from the beginning that you and computers were just meant to be?
My mother was a scientist, and she was the one who knew that computers would be the future of science, and so she was the one, as a single mother, who bought me a computer. It was a Commodore 64. Back then, there wasn’t really a computer industry or a cybersecurity industry that we have today. I couldn’t have pictured what I do today back then. It was my mother, the scientist, who knew that computers would be important no matter what job I had.
From your previous interviews, I got this feeling that you were quite excited about computers and left your dolls aside?
I was really into programming my computer, and I wrote a text-based adventure game, sort of like choose your own adventure book. I really loved reading those kinds of books. There was no internet at that time. I wasn’t able to find very many people to play with on my computer until I was a teenager and I got a modem. I started talking to other young people online and learning more about hacking and computers.
But I chose to study molecular biology and mathematics in college. I did not study computer science. So I was resisting for a very long time moving back into computing.
Were you ever called a geek or a nerd? Have you ever felt like one? Even now, there are not that many women in cybersecurity.
I was called a geek, but it was more because of my vocabulary than my math or science skills. I was a pretty well-rounded geek, and I was a nerd in all areas. I was definitely called a geek.
Today, I don’t feel like my nerdiness is a problem. It’s more where people can accept that I’m as nerdy as I am. I’m still very nerdy. And I think there’s a misconception that women, especially women who wear a lot of pink and glitter, like I do, can’t also be incredibly nerdy at the same time. If I’m helping to break that stereotype that you can be extremely pinkly feminine in certain ways and incredibly nerdy, and that’s feminine too. I want that to be something that is acceptable among anyone, no matter how they present themselves.
I think there’s a misconception that women, especially women who wear a lot of pink and glitter, like I do, can’t also be incredibly nerdy at the same time. If I’m helping to break that stereotype that you can be extremely pinkly feminine in certain ways and incredibly nerdy, and that’s feminine too.
How did you become interested in cybersecurity? Why didn’t you choose, for example, game development or something else?
We, hackers, really love showing off our tricks to other people. So it’s hard to be a criminal if you actually want to tell other people how you did it. One of my very first hacks was in my computer lab in high school, and it was simply answering the question incorrectly when Tetris asked you if you have a joystick or not. If you didn’t have a joystick, but you answered the question yes, it would slow down the input of Tetris, and I could cheat the game. I wasn’t going to be shy about it. So I changed all the high scores on all the computers in the lab and made sure that everybody knew what I’ve done.
I mostly enjoy the puzzle, and the fun, and the mischief that you can do with hacking, and most of my contemporaries all have the same feeling. We were not doing this for the crime. Our crime was curiosity. We were curious, we wanted to play with these new toys, and those new toys hadn’t been secured yet. Frankly, even today’s toys are not very secure, so there’s still a lot of room to play.
In 2016, you said that most of the Forbes2000 list companies didn’t even have an email to report a vulnerability. Has the situation changed significantly in the last four years?
Unfortunately, not that much. Now, maybe only about 12-13% of those companies have a contact form, email address, or a web form to report a security hole. And the real reason for that isn’t because it’s hard to create email addresses. The real issue is that it takes a lot of work internally to digest all of those bugs that come in and fix them while you are still trying to run your business. Forbes Global 2000 does invest a lot in security measures, but that particular process is more complicated than it looks.
Tell me the difference between vulnerability disclosure and bug bounty programs. I guess that for some companies, a vulnerability disclosure system is enough?
Both are the same complex underlying process. The only difference between a bug bounty and vuln disclosure is that bug bounty offers cash, and it might speed up the rate of vulnerabilities that you might see. If your process isn’t set up internally, most organizations aren’t even ready for vulnerability disclosure programs. A lot of people think that vuln disclosure is easy, whereas bug bounty is hard, and that’s really misunderstanding that the only difference is money. You are just changing the speed at which you receive bugs, but you are not changing the underlying structure, processes, and people that you still need to handle those bugs and fix them.
So, which companies should do bug bounty programs and offer cash? Is there a rule?
The rule that we have with our customers is no bug bounty botox. We don’t want people doing bug bounty programs if they are not ready. To get ready, they need very strong vulnerability disclosure programs, and they need to demonstrate that they have already analyzed the kinds of bugs that come in so that they don’t make the same vulnerabilities over and over again. It’s one thing to have somebody report bugs to you, but it’s another thing about taking those lessons and learning from them and making sure you don’t make the same mistakes over and over again.
The companies that should run bug bounties are the ones that made those investments that understand how they already are creating different processes and hiring different people internally to prevent certain classes of bugs. At that point, they can use the bug bounty to steer the friendly eyeballs of the hackers in the world to uncover problems that their own security efforts missed. But if they start a bug bounty before they have invested internally in the security, they will have a problem of too many bugs too fast while at the same time trying in parallel to build those strong internal processes.
You once said that it is impossible to find all the bugs yourself. Does this mean that external research could help, and an outsider could spot bugs easier?
Occasionally, being an outsider does bring a fresh perspective. But that depends on how much the organization has looked for all of the easy low-hanging fruit bugs. We see a lot of organizations that start vulnerability disclosure programs or bug bounty programs too soon, and all these external eyes are wasted because they're very common types of vulnerabilities that could be found by anybody, and nothing very unique. So you have to clean your house first and then have other folks come in and point out the specks of dust that you missed.
Since the Pentagon developed the bug bounty program Hack Pentagon, I wonder how the cybersecurity landscape has changed because of that?
The US Department of Defence embracing hackers was a major turning point for public perception across government and private industry, and we've seen a lot more organizations interested in productively working with hackers. But there are still legal risks.
A few years back, I testified before the US Congress because some hackers tried to use a bug bounty program to basically cover up a huge data breach at Uber, and they ended up getting paid 100,000 dollars, which was ten times the bug bounty amount that Uber was offering everybody else. And they were paid as part of the cover-up of the breach because they downloaded 57 M records. (Threat actors were paid $100.000 dollars in ‘hush money’, and the payment was disguised as bug bounty reward - CyberNews).
The attitudes have definitely changed, but there’s still a lot of room for interpretation on what’s allowed in bug bounties and what’s acceptable in security research.
If you are interested in the Uber breach, here you can find Katie’s testimony before the US Congress.
Are companies still reluctant to admit that they hire hackers?
I think that is going away. Journalism has a lot to do with how people view hackers and the word ‘hacker’. A lot of journalists for the last 25 years have used the term ‘hacker’ when they really mean ‘criminal’. I remember getting trained as a spokesperson for Symantec back in 2004 when they acquired a small company @stake where I worked. They asked me if I was a hacker. And I proudly responded that yes, I am. They said that I can’t admit to being a hacker because they don’t hire hackers. Well, I thought you just acquired a whole company of hackers, so you will have to rethink that.
The attitude of using that word and what that word really means have started to change, and I signed on with a letter with a number of other prominent security researchers, folks, and policymakers, asking various news publications to please stop using the word hacker when you mean criminal. We consider ourselves more like locksmiths than burglars, and you are calling us all burglars when we are not.
You were working for Microsoft. Why did you decide to start your own company?
All start-up founders are a little bit crazy. I think that it’s because I was crazy about creating a different type of company culture. I could certainly go and work for a different company and change its culture. And certainly in Microsoft, over my 7 years there, I did change their culture quite a bit, but it sometimes makes sense to give it a try and see if you can take your own vision for how things should go in an area where you are passionate and try to build something.
So we are building a different kind of company. We haven’t taken any external investment or venture capital money, and we are free to steer our company the way that we want. We take Fridays as paid days off, and we treat contractors and full-timers the same when it comes to paid days off like that and holidays. For me, I wanted to create the best company that I could in the time that I had, and I wanted to create a company where I myself wanted to work, and hopefully to create a new model for how to be a successful and profitable company in computer security doing technical work.
Is it easier to be an innovator as an entrepreneur or while working at a big company with resources like Microsoft?
Microsoft was a very interesting place to work. It was very strange to me. Formally I had been a professional penetration tester, but before that, I was a Linux developer, so Microsoft was a really weird place for me to end up. The way I looked at it was resources is one thing, but the size and the scope of the problems that they have to solve are bigger than anyone else’s on earth. So if I wanted to solve problems at scale and take into account all of these different pressures like you want to fix things fast, but if you fix them too quickly, you might make a mistake, and you might make people less secure. I wanted to be able to use that kind of leverage and insight and learn while changing the world for the most users that I could at the time.
If I would be looking at big companies now, I would be looking towards mobile ecosystems like Apple and Google. They have the biggest impact, most users in the world, and the biggest problems to solve.
You will get certain benefits from working in a big company, like dealing with big problems and having a lot of resources. But everything takes a long time, and the impact is so huge. Whereas in your own company, you have ultimate freedom, but unless you can get momentum and can get the market to agree with you and your ideas, then you are stuck.
The downside of big organizations is that you don’t have as much autonomy and as much freedom. You can’t just snap your fingers and make a decision and make a change for better or for worse. Everything takes a lot longer.
You will get certain benefits from working in a big company, like dealing with big problems and having a lot of resources. But everything takes a long time, and the impact is so huge. Whereas in your own company, you have ultimate freedom, but unless you can get momentum and can get the market to agree with you and your ideas, then you are stuck. It’s a risk with a potentially faster way to change the world and have a big impact, but that all has to do with momentum and market positioning. I already had some name recognition, and it was only a few months ago that we hired marketing people for the very first time in our company history of almost 4.5 years. We never needed any marketing before this period.
It is a risk to do it as your own company, but potentially if you get the right combination of luck and great people, then you can make changes happening in the world faster. And that’s what we are hoping for.
Three years seems like a long time to create something. The pandemic accelerated the shift towards digital life, and 5G is just around the corner. Are we prepared for this from a cybersecurity point of view?
We could be much better prepared than we are now. One problem is that technology is changing much faster than our ability to secure it. In parallel, we have a problem with training and growing cybersecurity capabilities. My generation of hackers just grew up playing on these machines before there was anything really depending on them. We were able to take them apart, learn how they work, learn how to program, learn how to hack when there was no online banking, and when there was no online healthcare, no pandemic.
Our ability to just make up jobs as we went along has largely been taken away by certifications. A lot of entry cybersecurity jobs require many years of experience that you can’t get unless you have a cybersecurity job, or someone is willing to take a chance of cross-training you. Maybe you are a software developer, and you want to learn cybersecurity. Maybe you are an IT administrator, and you want to learn network security. All of these things can be taught, and that is how we learned.
But we are coming into a crisis of not having enough trained or experienced cybersecurity people embedded inside the organizations to help them defend themselves. Everybody just wants to fantasize about the hacker side of the equation, but that’s an unbalanced equation. I was on the hacker side of the equation, and I had to switch to an in-house, to the defense side of the equation. And it’s not like everybody is going to switch sides, but we need to stop romanticizing one side and not training the other side.
Can bug bounty be a feasible career these days with all the artificial intelligence and automation in place? Do we still need people to find bugs and vulnerabilities?
Is bug bounty a viable living for someone? That depends on where you live in the world and how much time you are prepared to hunt bugs. Because bug bounty programs only pay the first person to find the bug. You may find a thousand bugs, but you may be number 2 or number 3 who reported the bug, and you don’t get paid. There’s a huge risk in assuming that you can make a full-time living doing bug bounties. The biggest platform in the world that hosts the most registered users, I think there are up to 800,000, only about 9 thousand of them have ever been paid a bug bounty at all. That should tell you that it’s not so easy, per se. It might be easy to find the bug but getting paid for it is another matter.
I think that we are far away from having AI replace humans in terms of finding bugs, and especially in human use cases. A lot of times, the designers of the system, they might be able to design test cases for the system that they have imagined, but when it goes to the real world, users will surprise you. Having human insight is always going to be valuable in finding bugs, and especially looking at the big picture of how these systems can be abused.