The Washington PostDemocracy Dies in Darkness

Crowdsourcing America’s cybersecurity is an idea so crazy it might just work

President Obama talks next to Secretary of Homeland Security Jeh Johnson at the National Cybersecurity and Communications Integration Center. (Larry Downing/Reuters)

When it comes to protecting the nation’s cyber networks from the vast array of threats, the government has its hands full. President Obama, in his State of the Union speech, alluded to this, highlighting the importance of integrating intelligence in order to combat cyber threats. As a result, the next big innovation in the world of cybersecurity may not be a new piece of code or a new software tool to detect a threat, but rather, a fundamentally new approach in how we think about leveraging partnerships between the private and public sector to protect our nation’s cyber networks.

One idea that’s starting to bubble up from Silicon Valley is the concept of crowdsourcing cybersecurity. As Silicon Valley venture capitalist Robert R. Ackerman, Jr. has pointed out, due to “the interconnectedness of our society in cyberspace,” cyber networks are best viewed as an asset that we all have a shared responsibility to protect. Push on that concept hard enough and you can see how many of the core ideas from Silicon Valley – crowdsourcing, open source software, social networking, and the creative commons – can all be applied to cybersecurity.

Silicon Valley venture capitalists are already starting to fund companies that describe themselves as crowdsourcing cybersecurity. For example, take Synack, a “crowd security intelligence” company that received $7.5 million in funding from Kleiner Perkins (one of Silicon Valley’s heavyweight venture capital firms), Allegis Ventures, and Google Ventures in 2014. Synack’s two founders are ex-NSA employees, and they are using that experience to inform an entirely new type of business model. Synack recruits and vets a global network of “white hat hackers,” and then offers their services to companies worried about their cyber networks. For a fee, these hackers are able to find and repair any security risks.

So how would crowdsourced national cybersecurity work in practice?

For one, there would be free and transparent sharing of computer code used to detect cyber threats between the government and private sector. In December, the U.S. Army Research Lab added a bit of free source code, a “network forensic analysis network” known as Dshell, to the mega-popular code sharing site GitHub. Already, there have been 100 downloads and more than 2,000 unique visitors. The goal, says William Glodek of the U.S. Army Research Laboratory, is for this shared code to “help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.”

This open sourcing of cyber defense would be enhanced with a scaled-up program of recruiting “white hat hackers” to become officially part of the government’s cybersecurity efforts. Popular annual events such as the DEF CON hacking conference could be used to recruit talented cyber sleuths to work alongside the government.

And layered on top of these efforts would be the crowdsourcing of intelligence threats. Here’s where Silicon Valley could play an important role. For example, Threat/Stream is a “community-vetted threat intelligence platform” that bundles together intelligence about emerging cyber threats and then distributes this information to customers. Again, the core idea here is that one organization or agency no longer has the capability to deal with all the threats emerging in cyberspace.

There have already been examples of communities where people facing a common cyber threat gather together to share intelligence. Perhaps the best-known example is the Conficker Working Group, a security coalition that was formed in late 2008 to share intelligence about malicious Conficker malware. Another example is the Financial Services Information Sharing and Analysis Center, which was created by presidential mandate in 1998 to share intelligence about cyber threats to the nation’s financial system.

Of course, there are some drawbacks to this crowdsourcing idea. For one, such a collaborative approach to cybersecurity might open the door to government cyber defenses being infiltrated by the enemy. Ackerman makes the point that you never really know who’s contributing to any community. Even on a site such as Github, it’s theoretically possible that an ISIS hacker or someone like Edward Snowden could download the code, reverse engineer it, and then use it to insert “Trojan Horses” intended for military targets into the code.

Another very real concern is that the overhang from the NSA spying scandal would make just about anyone a bit circumspect about joining forces with the NSA, even if it’s a matter of national security. Hiring teams of white hat hackers may make sense for corporations such as Sony with billions of dollars at stake, but may not be something taxpayers embrace.

One thing is clear: the future is about more integration between government, military, corporations and the public. It’s not just intelligence about new threats that needs to be shared — it’s access to new code, new tools and new ways of defending against threats. As Glodek of the U.S. Army Research Lab points out, “I want to give back to the cyber community, while increasing collaboration between the Army, the Department of Defense and external partners to improve our ability to detect and understand cyber attacks.”

So think big, really big. Obama’s directive to Congress to come up with new cybersecurity legislation could open the door to unique crowdsourcing initiatives. Similar to the SETI Live project, which got astronomy enthusiasts to use their computers to help search for intelligent life in the vast universe, the government could get cybersecurity enthusiasts to use their computers to help search for malware in the equally vast cyber universe. When a project is just too big or too complex, the crowd can play an important role.