HackerOne CEO Mårten Mickos On Bug Bounty Programs Shaping Cybersecurity

Hackers are experts at finding the weak spots in an organization's cyber defenses. As instances like the breach of HBO's network or the leak of stolen emails sent by French presidential candidate Emmanuel Macron show, attackers will find their way into systems and will take what they want.

Mårten Mickos is the CEO of HackerOne, the top bug bounty and vulnerability coordination platform. HackerOne is used by hundreds of top tech companies and other major organizations to connect with cybersecurity experts and disclose those potential security vulnerabilities before they can be exploited.

Prior to joining HackerOne, Mickos served as the CEO of Eucalyptus Systems, a cloud computing company that was acquired by Hewlett-Packard. Mickos also served as the CEO of MySQL AB from 2001 to 2008 and sat on the board of Nokia from 2012 to 2015.

International Business Times: How have bug bounty programs affected how organizations approach cybersecurity?

Mårten Mickos: There is a major shift going on in cybersecurity. Whereas previously companies kept everything secret with just very few people involved (and lots of expensive security hardware and other security products), today organizations of all stripes are short-staffed and realizing that the best cybersecurity help is on the outside. Bug bounty programs, and more broadly, vulnerability disclosure policies are making it possible to quickly fix the security holes in production systems.

As these programs become more widespread in the industry, we expect companies to start sharing security information with each other. This will allow the defenders to overpower the adversaries. Along with these changes, security is catching up with the state of tech. We have agile software development and continuous deployment. Now we can also do continuous security.

IBT: HackerOne participated in several programs this year with military and government agencies. Were those programs any different or produce different results than programs with corporations, and do you expect more government agencies to launch similar programs?

Mickos: The results from Hack the Air Force, Hack the Army and Hack the Pentagon have exceeded every expectation. Never before has the DoD been able to improve the security of their internet-facing production systems so fast. The programs we ran and run for the federal government are very much like the ones we run for large corporations.

But there are certain differences too. Government systems are oftentimes developed and managed by contractors, so bug fixing needs to be done by these same third parties. In the case of DoD, there are strict requirements on who can be rewarded for a security vulnerability. But overall the programs are the same as for any organization.

IBT: What current or growing trend in cyber threats should organizations be aware of and preparing for?

Mickos: Cyber threats are omnipresent and varied, so any defense needs to be varied and powerful. Phishing continues to be a major threat, and malware is on the rise. As companies move their software workloads onto public clouds, some previous threat vectors disappear and others emerge. It's important to re-adjust security when you change the deployment model of software.

Hacker-powered security may be the most promising development in cyber security today. Perhaps the most important insight is that security is a race against time. Adversaries are becoming faster, so the defense must become more agile. Real-time threat analysis and near-real time threat defense is on the rise. A great trend is the increasing willingness among companies to share threat intelligence and vulnerability information with each other.