Crowdsourced cybersecurity innovation: The case of the Pentagon’s vulnerability reward program

Abstract

The U.S. federal government and its agencies face increasingly sophisticated and persistent cyberattacks from black hat hackers who breach cybersecurity for malicious purposes or for personal gain. With the rise of malicious attacks that caused untold financial damage and substantial reputational damage, private-sector high-tech firms such as Google, Microsoft and Yahoo adopted an innovative practice known as vulnerability reward program (VRP) or bug bounty program which crowdsources software bug detection from the cybersecurity community. In an alignment with the 2016 U.S. Cybersecurity National Action Plan, the Department of Defense adopted a pilot VRP in 2016. We use the Pentagon’s VRP case to examine how it fits with the national cybersecurity policy. Our case study results show the feasibility of the government adoption and implementation of the innovative concept of VRP to enhance the government cybersecurity posture as well as the need to develop sophisticated cybersecurity policy and enhanced cybersecurity capability.

Keywords

Crowdsourcing vulnerability reward program bug bounty program government cybersecurity U.S. Pentagon Department of Defense

1. Introduction

With today’s increased digitization and datafication in government, many government services depend on data to operate effectively and efficiently. Governments at all levels have considerably increased their web (or online) presence through the operation of Web 2.0 e-government websites with search engine optimization, in some cases the operation of open government data portals as well. Governments are also increasing their social presence through the adoption of social media platforms (Abdelsalam, 2013; Chatfield et al., 2013; Mergel, 2013) and social tools in government, such as Google Maps, Facebook, Twitter, Flickr, YouTube, and Pinterest as well as the operation of a variety of mobile apps. The concept of social presence may be defined as “the degree of salience of the other person in a mediated communication and the consequent salience of their interpersonal interactions” (Short, 1976). While the increased online presence and the increasing social presence of government offer the potential benefits of increased citizen engagement and citizen co-production, they can also increase the potential risks of increased government endpoint security vulnerability that correlates with the increased diversity in the Internet and mobile connectivity, and hence the increased initial entry points for data breaches and malicious hacker attacks.

Brutal distributed denial of services (DDoS) attacks and high-end data breaches against large private-sector firms are not new. In 2011, Sony’s PlayStation Network hacking attack resulted in the theft of personal data of 77 million users (Quinn, 2011). It was reported that it took seven days for Sony to inform the world of the magnitude of the data theft, because security analysts speculated that the hackers had uncovered a fundamental vulnerability in Sony’s networks which was expensive and time-consuming to fix (Stuart, 2011). Akamai’s State of the Internet report found that hacker attacks on websites went up 75% in the final quarter of 2013 (Akamai, 2013). Hackers in May 2014 managed to steal eBay’s 233 million users’ personal data, including usernames, passwords, phone numbers, and physical addresses (McGregor, 2014). These big hacks hit high profile targets. In 2015, the data breach of Ashley Madison.com that provides married individuals with the premier cheating platform for finding partners for secret affairs resulted in the theft of personal data. Hacker(s) publicly released 32 million accounts’ details of the customers including names, passwords, addresses, and phone numbers (Wired, 2015). Even high-tech firms are vulnerable to big hacks. In 2016 CISCO, Oracle, LinkedIn, Dropbox and Yahoo were hacked. Less than three months after revealing a 2014 data breach that impacted 500 million users, Yahoo discovered the data breach of one billion Yahoo accounts in December 2016, making it the largest data breach by hacker(s) in history (ZDNet, 2016). These private-sector hacks and data breaches caused untold financial damage as well as substantial reputational damage, demonstrating the importance of understanding cybersecurity in government.

Against these seemingly unstoppable streams of malicious hacks and high-end data breaches, private-sector firms have explored innovative cybersecurity defense practices, which is often referred to as vulnerability reward program (VRP) or more colloquially as bug bounty program. A VRP is also known as a “security bug bounty program” at Google and other high-tech firms. In this paper, we define the concept of a VRP as a cost-effective model of crowdsourced cybersecurity vulnerability detection, assessment, and reporting from the global security community. In this paper, we examine the government as the “crowdsourcer” (Moore, 2014, p. 197) in crowdsourcing cybersecurity vulnerability detection, assessment, and reporting from “white hat hackers” – ethical hackers – who do not exploit their superior technical knowledge and skills for advancing self-interest or financial gain. In contrast, the term “black hat hackers” refers to dark-side hackers who breach cybersecurity for malicious purposes or for personal gain (Moore, 2014).

On the one hand, the longevity and diffusion of VRP practices in the private sector suggest the utility and transferability of the innovative concept to the public sector where there has been the rise of serious hacks and data breach incidents which has led to an awareness of the need to enhance government cybersecurity programs and to reduce government cybersecurity vulnerability and minimize risks to government networks, high-impact computerized information systems and data in a way which the government can protect the government cybersecurity posture and citizens’ personal privacy and security (GAO, 2016a, 2016b). On the other hand, there is a clear lack of published research on VRP practices in government. Given clear and present danger of cybersecurity vulnerability and the rise of government hacks, the overarching aim of this paper is to raise an awareness of VRP concepts and practices among the digital government security research community. Specifically, we draw on the theory and practices in crowdsourcing to examine the feasibility of adopting the innovative private-sector VRP practices to enhance government cybersecurity posture. In so doing, this paper draws on the literature on cybersecurity controls and crowdsourcing to address the following two interrelated research questions:

RQ1: RQ1:
What is the role of crowdsourcing in relationship to cybersecurity innovation?
RQ2:
How does the role of the Pentagon’s VRP fit with the existing national cybersecurity policy?

We will answer these two research questions through a case study of the U.S. Pentagon, which has launched an innovative proof of concept pilot VRP in the spring of 2016.

Table 1
Hacking incidents against government

Year Government Hack/data breach

2015 U.S. National Security Agency (NSA) NSA’s Juniper Networks’ the secret backdoor was hijacked by hackers to compromise the agency’s secure communications (Wired, 2015).

2015 U.S. Federal Office of Personnel Management (OPM) The Chinese hackers stole 21.1 million personal data including the SF-86 forms of indi- viduals who applied for security clearance (Nakashima, 2015).

2015 U.S. Internal Revenue Service Hackers accessed through the website’s Get Transcript feature more than 300,000 taxpayer accounts (Wired, 2015).

2016 U.S. Department of Justice Hackers breached the Department of Justice’s database to release 10,000 Department of Homeland Security employees’ personal data and 20,000 FBI employees’ personal data. The hackers angry about the U.S. relations with Israel tweeted from the account @DotGovs that it took one week for the Department of Justice to discover their database had been compromised (CNN, 2016).

Figure 1.
Number of reported cyberattacks.

The rest of this paper is organized as follows. Section 2 outlines the rise of government hacks. Section 3 reviews the literature on traditional cybersecurity controls and explains the emergence of crowdsourced vulnerability detection and assessment reports from the global security community as an innovation in cybersecurity. Section 4 discusses a case study methodology using the secondary source data. Section 5 presents our case study analysis of the Pentagon’s innovation adoption and diffusion of a bug bounty hunter program with the partnership with HackerOne. Section 6 then presents the discussion of our answers to the two research questions. Finally, Section 7 describes our conclusion about the case study including our research contributions, lessons learned, research limitations, and future research directions.
2. The rise of government hacking

Year	Government	Hack/data breach
2015	U.S. National Security Agency (NSA)	NSA’s Juniper Networks’ the secret backdoor was hijacked by hackers to compromise the agency’s secure communications (Wired, 2015).
2015	U.S. Federal Office of Personnel Management (OPM)	The Chinese hackers stole 21.1 million personal data including the SF-86 forms of indi- viduals who applied for security clearance (Nakashima, 2015).
2015	U.S. Internal Revenue Service	Hackers accessed through the website’s Get Transcript feature more than 300,000 taxpayer accounts (Wired, 2015).
2016	U.S. Department of Justice	Hackers breached the Department of Justice’s database to release 10,000 Department of Homeland Security employees’ personal data and 20,000 FBI employees’ personal data. The hackers angry about the U.S. relations with Israel tweeted from the account @DotGovs that it took one week for the Department of Justice to discover their database had been compromised (CNN, 2016).

The rise of malicious hacking attacks against governments mirrors the increased hacking incidents we observe on a regular basis in the private sector. Figure 1 shows the increase of approximately 1,300 percent in the number of reported cybersecurity incidents, including cyberattacks against the U.S. federal government networks, computerized information systems and government data from fiscal year 2006 to fiscal year 2015 (GAO, 2016b).

Figure 2.

Rating of cybersecurity protection services.

The term, government hacks, means substantially differently from another term, “govhack” hackathon, which refers to citizen engagement in generating ideas or app developments using open government data that is freely provided by the government. Table 1 shows a selective list of the recently reported big hacks against U.S. government agencies and their estimated and reported damages.

The U.S. federal government enacted the Federal Information Security Modernization Act of 2014 and its predecessor, the Federal Information Security Management Act of 2002 to provide a legal framework for protecting federal government information security and IT assets (GAO, 2016a). GAO is the U.S. Government Accountability Office and supports the Congress in helping to improve the performance and accountability of the federal government. The implementation of this legal framework by federal agencies and departments is governed by the Office of Management and Budget (OMB) which is responsible for developing and overseeing implementation of policies, principles, standards, and guidelines for federal information security. However, the head of each federal government agency is responsible for overall information security protections, with the agency chief information officer (CIO) as delegated authority in compliance of the legal framework requirements such as IT infrastructure security. In the case of the 2015 OPM hacking incident mentioned earlier (Table 1), the OPM’s inspector general publicly accused the agency CIO’s uncooperative behavior which impeded the agency inquiry into the hacking and the data breach damage (Thielman, 2015).

In another report on its audit of 18 federal agencies including OPM, NASA and Department of Homeland Security, GAO reported that OPM had fully implemented its risk assessments of “high-impact systems” which would have suffered catastrophic damage if a cyberattack occurs, while its security plans, access controls assessments, and remedial action plans are only partially implemented (GAO, 2016b). The 18 agencies reported that cyberattacks executed via an email message or attachment, attacks executed from websites, and improper use of high-impact systems (by employees and contractors) are the most serious and most frequently experienced threat vectors that affect their high-impact systems and cybersecurity postures. To mitigate these threats, the U.S. federal government provides a number of cybersecurity protection services to federal agencies and departments. Figure 2 shows how the usefulness of the existing cybersecurity protection services was rated by the 18 agencies in improving their cybersecurity postures (GAO, 2016b). The 18 agencies rated Information Security and Identity Management Committee, Federal Cybersecurity Coordination Assessment and Response Protocol, and CyberStat as the top three very useful cybersecurity protection services. In addition to these top three cybersecurity protection services, the 18 agencies rated the United States Computer Emergency Readiness Team (or US-CERT) as the fourth very useful services. US-CERT was established in 2003 to protect the US Internet infrastructure. The US-CERT portal regularly discloses newly identified vulnerabilities and provides analytical tools.

Despite the legal framework for federal information security protections and the past recommendations made by GAO, Greg Wilshusen, the Director of Information Security Issues for the GAO, testified before the President’s Commission on Enhancing National Cybersecurity on September 19, 2016 with his overall assessment that the implementation of the framework has been inconsistent and the U.S. federal agencies and departments remain vulnerable to malicious computer security hacking attacks. One of his recommendations is to “improve capabilities for detecting, responding to, and mitigating cyber incidents” (GAO, 2016b).1

p. 2, Italics added for emphasis.

The other recommendation is to increase cyber workforce and training efforts.

3. Literature review

3.1 In-house cybersecurity controls

The Center for Internet Security (CIS)’s Critical Security Controls V6.0 provides a comprehensive framework for in-house technical cybersecurity controls within the organization (CIS, 2016). For this paper, we classify the twenty cybersecurity controls into three types: (1) application software and data cybersecurity controls, including Application software security (CSC18), Penetration tests and red team exercises (CRS20), Continuous vulnerability assessment and remediation (CSC4), and Data protection (CSC13), (2) cybersecurity controls capability development, including Security skills assessment and appropriate training to fill gaps (CSC17), Incident Response and Management (CSC19), and Data recovery capability (CSC10), (3) access control, including Inventory of authorized and unauthorized software (CSC2), Inventory of authorized and unauthorized devices (CSC1), Secured configurations for hardware and software on mobile devices, laptops, workstations, and servers (CSC3), Secured configurations for network devices such as firewalls, routers, and switches (CSC11), Wireless access control (CSC15), Account monitoring and control (CSC16), Boundary defense (CSC12), Controlled access based on the need to know (CSC14), Controlled use of administrative privileges (CSC5), Maintenance, monitoring, and analysis of audit logs (CSC6), Email and web browser protections (CSC7), Malware defenses (CSC8), and Limitations and control of network ports, protocols, and services (CSC9). All these existing cybersecurity controls including application software cybersecurity controls are normally carried out in-house, with alternative expensive IT outsourcing options of some of security audits and vulnerability detection assessments outsourced to external IT consulting firms.

In addition to this comprehensive framework for cybersecurity controls, more specific types of cybersecurity controls against the diverse cyberattacks have been studied in nuclear facilities (Zavarsky, 2015; Zavarsky et al., 2015), the U.S. Federal Aviation Administration (Morris, 2015), and a decision support approach to simulate cybersecurity control-games between the defender and the attacker (Panaousis, 2014).

However, the increased frequency and diversity of cyberattacks and large-scale data breaches have prompted cybersecurity experts to argue for the critical role of government in establishing an appropriate legal, social, and ethical framework to enhance the existing technical cybersecurity controls. They also argue that cybersecurity as a public good at the federal government level also requires the coordinated implementation of good cybersecurity controls by federal, state, and local governments, businesses, and individuals (Asllani, 2013).

3.2 Theory and practices of crowdsourcing

In his 2006 article published in an online magazine, Wired, Jeff Howe coined the term crowdsourcing (Howe, 2006). Crowdsourcing is a new and emergent theoretical concept that encompasses different practices, varying definitions and many academic disciplines. In this paper, we adopt a definition of crowdsourcing as “a type of participative online activity in which an individual, an institution, a non-profit organization, or company proposes to a group of individuals of varying knowledge, heterogeneity, and number, via a flexible open call, the voluntary undertaking of a task. The undertaking of the task, of variable complexity and modularity, and in which the crowd should participate bringing their work, money, knowledge and/or experience, always entails mutual benefit. The user will receive the satisfaction of a given type of need, be it economic, social recognition, self-esteem, or the development of individual skills, while the crowdsourcer will obtain and utilize to their advantage what the user has brought to the venture, whose form will depend on the type of activity undertaken.” (Estellés-Arolas & González-Ladrón-De-Guevara, 2012, p. 197). In public administration and e-government fields, similar concepts exist such as citizen co-production (Whitaker, 1980) and “citizen sourcing” (Linders, 2012, p. 447).

The rise of crowdsourcing practices has been accelerated by the increased adoption of Web 2.0 technologies in many countries, online labor market websites such as Amazon’s Mechanical Turk (Mason, 2012) and Threadless.com (Brabham, 2010), and the enormous scale and reach provided by social media platforms used by millions of citizens in society.

The idea of crowdsourcing is not only being implemented in business, but also being applied in government. Crowdsourcing in government allows for the capability to compile useful information, ideas, and opinions from citizens on problems that are faced by society that has the ability to create better quality policies as well as increased acceptance of those policies (Charalabidis et al., 2014). Taking a different approach in crowdsourcing such as a more passive approach from government can produce valuable information. With the government taking on the role of just listening and not posing questions of discussion allows for citizens to debate, participate, and produce content more freely that increases citizens’ engagement and opens the floor to more groups to voice opinions that can lead to policy implementation (Charalabidis et al., 2014; Spiliotopoulou et al., 2014). Governments participating in this approach will see how the immense amount of user-generated content that is created and produced in various Web 2.0 social media supports the government in understanding the needs of citizens and how citizen knowledge that can lead to more advanced approaches on the issues facing society in order to create better policies citizens can support (Charalabidis et al., 2014; Spiliotopoulou et al., 2014).

The U.S. government has been using Web 2.0 social media such as blogs and wikis that has led to the creation of records, to publicize and circulate information, and more importantly communicate with the public and also between other agencies for years (Carlo Bertot et al., 2012). An example of the government using social networking to publicize information is with the case of the US Department of Veterans’ Affairs (VA). The VA and its traditional e-government presence now has multiple social networking mediums and uses these mediums to connect with the younger returning service personnel, particularly those retuning from Iraq and Afghanistan to participate in the services and access information the VA offers (Bertot et al., 2012).

Having the government treat the public as partners and not customers increases the role of the citizen from consumers of public services to more actively involved partners that can assist in helping address and provide innovative ideas to solve societal problems (Linders, 2012). With this government-to-citizen relationship established pushes new problem solving doors open that encourages and invites citizens to utilize their skills that can help solve challenges the government faces (Linders, 2012). For example, the Challenge.gov initiative that the US government issued engaged citizens to solve challenges and problems of government agencies with the best solution being awarded a prize (Spiliotopoulou et al., 2014).

Crowdsourcing in government is not limited to using social media to actively engage citizens and promote transparency, but also addresses the challenges of climate change, poverty, and armed conflict globally (Bott & Young, 2012). For example, the Transformative Innovation for Development and Emergency Support (TIDES) created by the National Defense University’s Center for Technology and National Security Policy (CTNSP) is a Department of Defense research project committed to information sharing that helps support populations that are post-conflict, post-disaster, or impoverished (Becker & Bendett, 2015). TIDES is a great example of crowdsourcing in government because it not only includes the US government, military, and contractors, but international counterparts, a diverse range of private, public, and NGO-sector organizations, start-ups and individuals to help provide humanitarian aid, emergency response services, and disaster relief (Becker & Bendett, 2015). Crowdsourcing not only benefits the government and government efforts, but also populations in need of help in post-conflict or post-disaster zones (Becker & Bendett, 2015).

Social media provides a platform for government to improve citizen participation. Crowdsourcing plays a critical role due to the continuous growth of the users signing in to voice their needs and opinions (Bott & Young, 2012). Crowdsourcing in government with the use of social media can provide positive outcomes such as promoting citizen engagement and contribution, facilitating collaboration of materials and information between governments and citizens, and improves solutions and innovations to challenges presented in government (Bertot et al., 2012).

However, crowdsourcing practices in government are relatively newer than those in the private-sector. Recently, however, the emergence of crowdsourcing by government is noteworthy. For example, the U.S. National Weather Service (NSW) in Norman, Oklahoma adopted an innovative Twitter-based practice of crowdsourcing hazardous weather reports from citizens during the 2013 EF5 intensity tornado (Chatfield & Brajawidagda, 2014). Other government crowdsourcing practices are found in the areas of urban planning (Brabham, 2010) and health services improvement (Adams, 2011). This study is different from the existing literature given that the entry barrier for crowdsourcing for cybersecurity is much higher than what the existing literature that has examined issues of emergency management, urban planning, and health information research. However, VRP was consistent with other Obama era federal government initiatives of using the private sector for open innovation.

Figure 3.

Google vulnerability reward program dashboard.

3.3 Vulnerability reward program

Vulnerability Reward Programs or bug bounty programs are being utilized by companies such as Microsoft, Google, and Mozilla. These software companies are paying and incentivizing security researchers who discover and present security flaws in their systems (Denning, 2015). VRPs are attracting software vendors and offering incentives to security researchers to scan for vulnerabilities within software company systems (Finifter et al., 2013). This has allowed for more eyes looking for vulnerabilities, makes the jobs of attackers much more difficult, and allows for these vulnerabilities to be fixed before a breach can occur (Younis et al., 2016).

Some incentives can be in the most common form such as monetary incentives, which are based on the severity of the discovered issue or companies will publicize white hats’ contributions in order to boost their reputations (Zhao et al., 2015). For example, HackerOne published that white hats contributed around 1,653 vulnerabilities that needed to be addressed. HackerOne either rewarded the white hats with monetary rewards or published their reports to increase their reputation. This option was only possible if released from both HackerOne and the white hat (Zhao et al., 2015). White hats working for HackerOne not only strive to build their reputation, but to make the Internet safe. Thirty-three of the public programs on HackerOne do not give monetary incentives, but still obtain 1201 valid reports from the white hat community (Zhao et al., 2015).

On March 2nd, 2016, the Pentagon announced the unveiling of its first bug bounty program and provided incentives to hackers that can break into its systems and report vulnerabilities for a reward (Maillart et al., 2016). This addresses the need for monetary incentives to be set in place in order for security researchers and hackers to use their skills and perform their duties in a resourceful manner that brings benefits to the organizations they serve. Reports claim that the discovery of vulnerabilities by external researchers is cost effective for vendors compared to hiring in-house security researchers. This creates the important value of establishing incentives for vulnerabilities because if the reward is not as expected to the researcher or hacker there is a strong possibility for that hacker to publish the vulnerability or sell it in the black market (Pandey & Snekkenes, 2014). Through proper monetary rewards established will keep security researchers from selling their results to malicious actors and make it more difficult for black hats to find vulnerabilities to exploit (Finifter et al., 2013).

For example, looking at Google Chrome, their VRP is a success due to offering researchers monetary rewards ranging from $500 for critical bugs to $1337 for clever bugs. (Finifter et al., 2013). Another positive example is Mozilla’s VRP that began awarding researching $500 to an upwards of $3000 for high and critical vulnerabilities (Finifter et al., 2013). As stated by Finifter, VRPs provide an economically efficient mechanism for finding and reporting vulnerabilities with a reasonable cost/benefit trade-off. More vendors should take the opportunity to integrate VRPs to take full advantage of the benefits that can be offered (Finifter et al., 2013).

VRP in the private sector is the application of a crowdsourcing concept to enhance some of the firm’s in-house cybersecurity controls. Some of the early adopters of a VRP in the private sector include Netscape Bug Bounty in 1995, iDefense in 2002, Mozilla client apps in 2004, ZDI TippingPoint in 2005, Google Chrome VRP in January 2010, Google Web & Barracuda in November 2010, and Mozilla Web in December 2010 (Mein, 2011). Today the most visible VRPs include Google, Microsoft, Facebook, Firefox/Mozilla, and Yahoo (Massimini, 2016).

Figure 3 shows “Google Vulnerability Reward Program” dashboard which outlines its VRP rules regarding any Google-owned web services, such as *.google.com, *.youtube.com and *.blogger.com, that involve sensitive user data as the scope of its VRP. Google varies reward amounts depending on the impact of vulnerabilities (Google, 2017b). For example, Google pays $20,000 for bugs in applications that allow a black hat hacker to control a Google account through remote code execution. If bugs are reported on non-integrated acquisitions and other sandboxed or lower priority applications, the reward is in the lower range of $1,337–$5,000.

Google VRP also qualifies vulnerabilities related to Google Chrome (Google, 2017a). The Chrome VRP has paid approximately 2.5 million reward money from 2010 to 2016 3 ${}^{\rm rd}$ quarter, including $500,000 rewards in 2015 (Chromium, 2016). The Chrome VRP’s participating white-hat hackers and security experts came from China, Finland, France, Italy, Japan, Netherlands, Poland, Russia, Spain, Sri Lanka, USA, Vietnam, among others (Mein, 2011).

A Google Chromium team identified the benefits of the Google Chrome VRP: (1) there were many (low-reward range) bugs which the internal security teams would have found it harder to find; (2) there was better value for money than outsourced security audits; (3) the VRP built a sense of community among the participants of the VRP, developing relationships with the new bug reporters; (4) the VRP provided Google hiring opportunities; (5) Google uncovered greater diversity of cybersecurity talents and bug classes; (6) Google Chromium.org and Google were seen as industry leaders in VRP; and (7) Google produced follow-on benefits to other applications (Mein, 2011). However, the team also found negatives of the Chrome VRP: (1) low-quality reports that were motivated for cash rewards; (2) some “unsavory” characters; (3) new resources required to triage and administer; (4) surge in the internal tasks for timely fixing the reported bugs; (5) the “not a bug” argument and (6) increased dependency on the external bug hunters for application security.

Cybersecurity academic research on VRP is relatively new. However, when the utility and benefits of crowdsourcing software vulnerabilities from both white hats and black hats were critically examined, a critical issue was raised that effort spent crowdsourcing software bugs might not significantly increase software quality, with questionable social benefits (Rescorla, 2005). Furthermore, Schneier (Schneier 2012) observes that while VRP originally resulted in software bugs being fixed, criminals and some rouge governments buy software vulnerabilities for private exploitation. These exploiters can benefit when the software bugs are not fixed and the details of these vulnerabilities are not publicly disclosed. With increased markets for buying software vulnerabilities by the criminals and rouge governments, there is an increasing risk of “zero-day exploits (or “0-days”). Zero-day exploits leverage vulnerabilities in a target software program, in which the vulnerabilities are not yet known by the developers of the target program or other third parties, and hence software bug fixes are not yet known (Egelman, 2013). Despite these serious issues raised by cybersecurity researchers, case study research on VRP seems to be lacking in the literature.

4. Research methodology

In order to raise an awareness of VRP concepts and practices among the digital government security research community, we draw on the theory and practices in crowdsourcing to examine the feasibility of adopting the innovative private-sector VRP practices to enhance government cybersecurity posture. Specifically, we address the following research questions:

RQ1: RQ1:
What is the role of crowdsourcing in relationship to cybersecurity innovation?
RQ2:
How does the role of the Pentagon’s VRP fit with the existing national cybersecurity policy?

We will answer these two research questions through a case study of the U.S. Pentagon, which has launched an innovative proof of concept pilot VRP in the spring of 2016. For the case study of the U.S. Pentagon’s vulnerability reward program and the U.S. cybersecurity policies, we collected and analyzed secondary data published by the U.S. Department of Defense, HackerOne, the Whitehouse, and other websites. For the purpose of comparison, we also collected and analyzed the private-sector VRP operational rules and rewards of leading VRP firms such as Google, Microsoft, and CISCO among others.

We conducted secondary source data analysis of official government documents and reports on the use and effectiveness of VRP as our case study. We also did an analysis of their websites to find the latest information on what the Pentagon is doing in this domain. Finally, we looked up other news articles on the subject from best practices in the private sector. Since this is a new and emerging area we found a good number of reports on what the federal government is doing in this area. In our analysis we carefully cross-validated multiple sources of information to minimize false or misleading information. Given the newness of this crowdsourcing-based VRP program adoption in government, a case analysis of the secondary source data can certainly make a contribution to the literature on government practice in VRP. Private-sector VRP is thriving over the recent years but this sector’s practices, if strategic and commercially successful, will be harder for academic researchers to access primary source data via case interviews
5. The case of the Pentagon

5.1 Hacking into the Pentagon

For the black hat hackers, hacking into the U.S. Pentagon is their ultimate trophy, surefire signs of cybersecurity expertise, and fastest way to notoriety. This means that the U.S. Pentagon is one of the most attractive sites for the black hat hackers. In May 1996 GAO on Defense Information Security reports that unknown and unauthorized individuals were increasingly attacking and gaining access to highly sensitive unclassified information on the Department of Defense’s high-impact computer systems (GAO, 1996).

A few years later, Gary McKinnon in the U.K. hacked into 97 U.S. military and NASA computer systems from 2001 to 2002. He copied data, account files, and passwords onto his own computer, costing the U.S. government $800,000 data breach damage. With the diagnosed autism he fought and won a 10-year legal battle against the U.S. demand to extradite him (SecurityWeek, 2012). More recently, in 2015, Russia-sponsored spear-phishing attack was launched into the Pentagon’s joint staff email system. This data breach exposed 4,000 military and civilian employees. Just few days after this incident, Chinese hackers working for the Chinese government launched hacking attacks against the personal emails of top national security and trade officials (Thielman, 2015).

Figure 4.

HackerOne homepage.

5.2 Pentagon’s pilot VRP

Pentagon has launched a pilot proof-of-concept VRP to enhance its cybersecurity posture in 2016. The private-sector high-tech firms conduct their VRP operations in-house without the involvement of a third-party service provider. Unlike the private-sector practices, however, the U.S. Department of Defense outsourced the pilot VRP operations to HackerOne. HackerOne is a third-party white hat hacking management and support platform operator. It provides services in executing all aspects of a bug bounty program such as triage, bounty pricing, and hacker relations. However, the Pentagon is still responsible for determining the severity and threat of reported software vulnerabilities and fixing them. HackerOne claims six benefits of having HackerOne as a partner: (1) Built by experts; (2) Improve efficiency; (3) Find issues faster; (4) Hacker trust; (5) Dynamic platform intelligence; and (6) Confidential reports (Short, 1976). HackerOne also claims on its website that it led vulnerability management and bug bounty programs at Facebook, Microsoft, and Google (HackerOne, 2016).

Figure 4. shows HackerOne homepage with a flexible open call for white hat hackers to “Hack the Pentagon” which is described as “a bug bounty program of the U.S. Department of Defense on the HackerOne platform” (HackerOne, 2016, p. 1). The U.S. Department of Defense’s Defense Digital Service (DDS) team initiated this “Hack the Pentagon” pilot VRP initiative (Collins, 2017).

The Pentagon’s pilot VRP was launched by Secretary of Defense Ash Carter in 2016. HackerOne was selected by the Department of Defense to advise, operate, and execute the “Hack the Pentagon” pilot initiative. This cybersecurity initiative was the first known VRP in the history of the U.S. federal government.

This ‘Hack the Pentagon’ pilot initiative was launched by the newly formed Defense Digital Service (DDS) (https://www.dds.mil/) division of the U.S. Department of Defense to challenge white-hat hackers to test the cybersecurity controls of public Defense Department websites. The pilot initiative was restricted to public websites and the hackers did not have access to highly sensitive systems.

More than 1,400 white-hat hackers and security experts participated in the “Hack the Pentagon” which ran from April 18, 2016 until May 12. According to the Pentagon, the participants found 1,189 software vulnerabilities. Of the 1,189 bugs reported, 138 valid, unique, and previously undisclosed software vulnerabilities were accepted by the DDS team (Lyer, 2016). If we assume that the 138 valid software bugs were found by 138 participants (rather than a few participants found all 138 bugs), then a percentage of high-end valid bug hunters over the participants was less than 10% (138/1,400).

Of the 1,400 participants, David Dworken, an 18-year-old high school student, identified many vulnerabilities that could have any hacker to take control of those websites and steal account information. Dworken reported six vulnerabilities but failed to receive any reward because they had already been reported. But he remarked: “It was a great experience. I just started doing more and more of these bug bounty programs and found it rewarding”. Regarding the VRP benefits he stated: “Both the monetary part of it and doing something that is good and beneficial to protect data online in general” (Department of Defense, 2016). He was already approached by recruiters about potential cybersecurity internships.

Secretary of Defense Ash Carter observed at the “Hack the Pentagon” award ceremony: “We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks …what we didn’t fully appreciate before this pilot was how many white hat hackers there are who want to make a difference”. The Pentagon reported that the pilot project cost was $150,000. It has paid a total of about $75,000 to the successful hackers with amounts ranging from $100 to $15,000. The project also included creating a process so that others could report bugs without fear of trial. Secretary of Defense Ash Carter further observed at the award ceremony: “It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million…’. (Ali 2016). What was not mentioned by Secretary of Defense Ash Carter at the award ceremony included service contract costs of HackerOne and (most likely) increased in-house IT costs in fixing software bugs identified.

Based on the successful outcome of the proof-of-concept pilot initiative, the Department of Defense has awarded a new contract in October 2016 to HackerOne and Synack, a software firm in California that specializes in crowd security intelligence to develop new capabilities to launch their own VRP (Collins, 2017). What Secretary of Defense Ash Carter calls “a two-pronged effort” consists of (1) continuance of its earlier crowdsourced vulnerability detection and assessment reports from the general public with regard to the public-facing DoD websites and (2) new crowdsourced vulnerability detection and assessment reports from selective groups of highly vetted security researchers regarding the Department’s more sensitive information systems and digital assets. HackerOne is charged to the first project, whereas Synack is responsible for the second project. Lisa Wiswell, a member of the DDS team reported: “Considering the tremendous cost-benefit of crowdsourcing talent, it’s proven that you’ll get more bang for your buck than with some of the other traditional security tools we’ve used in the past”. (Collins, 2017). She further identified another benefit of the Department’s VRP as providing citizens with the opportunity to “improve the government that serves them” by using “their skills toward helping secure our nation’s assets”.

In November 2016, the Department of Defense extended the earlier “Hack the Pentagon” pilot VRP initiative to a new “Hack the Army” VRP initiative (Leopold, 2016). In the same month, the Department of Defense announced a new “Digital Vulnerability Disclosure Policy” which was developed by the Department of Defense in consultation with the Department of Justice to empower security researchers through a legal pathway to help the Department of Defense bolster its cybersecurity and ultimately the nation’s security (U.S. Department of Defense, 2016).

6. Discussion

6.1 Pentagon’s VRP innovation and diffusion

In order to answer the RQ1 about the Pentagon’s pilot VRP outcome, we drew on the literature on crowdsourcing to theoretically define crowdsourcing as “a type of participative online activity in which an individual, an institution, a non-profit organization, or company proposes to a group of individuals of varying knowledge, heterogeneity, and number, via a flexible open call, the voluntary undertaking of a task. The undertaking of the task, of variable complexity and modularity, and in which the crowd should participate bringing their work, money, knowledge and/or experience, always entails mutual benefit. The user will receive the satisfaction of a given type of need, be it economic, social recognition, self-esteem, or the development of individual skills, while the crowdsourcer will obtain and utilize to their advantage what the user has brought to the venture, whose form will depend on the type of activity undertaken” (Estellés-Arolas & González-Ladrón-De-Guevara, 2012, p. 197).

By drawing on this theoretical definition, we argue that the Pentagon’s pilot VRP is neither the existing in-house cybersecurity controls execution (CIS, 2016) nor the outsourcing contract arrangements with external security audit and vulnerability assessment firms. As Fig. 4. shows, the HackerOne put out a flexible open call for the crowd to participate in the “Hack the Pentagon” VRP pilot initiative. So, it is clear that the Pentagon’s pilot VRP is the adoption of private-sector crowdsourced software vulnerability detection and reporting practices and it attracted the 1,400 crowd of citizens to participate the VRP pilot initiative during the duration of 25 days.

Our case study analysis indicates that the Pentagon’s pilot VRP outcome was perceived by various stakeholders as being mutually beneficial when the proof-of-concept pilot initiative ended on May 12, 2016. From the Pentagon’s perspective, the realization of the power of the crowdsourcing is one of the intangible benefits uncovered. Secretary of Defense Ash Carter observed at the “Hack the Pentagon” award ceremony: “We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks …what we didn’t fully appreciate before this pilot was how many white hat hackers there are who want to make a difference”. In addition to the intangible benefit, the Pentagon did generate tangible benefits in terms of the new vulnerabilities detected and reported by the participating crowd. According to the Pentagon, the participants found 1,189 software vulnerabilities. Of the 1,189 bugs reported, 138 valid, unique, and previously undisclosed software vulnerabilities were accepted by the DDS team (Lyer, 2016). Furthermore, there can be tangible financial benefits to the Pentagon. While the VRP pilot initiative cost the Pentagon $150,000, we do not know the undisclosed contract cost paid to HackerOne. However, Secretary of Defense Ash Carter observed this financial benefit. If the Pentagon had gone through the normal process of hiring an outside firm to do security audit and vulnerability assessment, it would have cost the Department of Defense more than $1 million.

Since the case study has not conducted interviews with the participants, we cannot assert the perceived benefits of the Pentagon VRP pilot initiative from the participating crowd’s perspective. We are uncertain whether the participating crowd received “the satisfaction of a given type of need, be it economic, social recognition, self-esteem, or the development of individual skills” (Estellés-Arolas & González-Ladrón-De-Guevara, 2012, p. 197). But the case study analysis using the secondary source data indicates at least one 18-year-old participant found such a satisfaction in making a difference. Lisa Wiswell, a member of the DDS too suggested that the Pentagon’s VRP did provide citizens with the opportunity to “improve the government that serves them” by using “their skills toward helping secure our nation’s assets” (Collins, 2017).

Finally, the mutually beneficial outcome of the Pentagon’s VRP pilot initiation convinced the Department of Defense to extend the initial VRP innovation to the adoption of a new “Hack the Army” VRP innovation initiative in November 2016 (Leopold, 2016).

6.2 Strategic alignment of VRP with extant national cybersecurity policy

Earlier research on cybersecurity threats in government identified a diverse range of cyber adversaries: bot-network operators, criminal groups, foreign intelligence services, hackers, insiders, phishers, spammers, spyware/malware authors, and terrorists (Reddick, 2010). Today the U.S. federal governments and agencies face increasingly sophisticated and persistent cyber threats from black hat hackers who hack into government computer networks for data breaches, challenge, revenge, stalking, or monetary gain, among other motivations. With relative ease, black hat hackers can now download attack scripts and protocols from the Internet to launch them against government websites. Moreover, attack tools have also become more sophisticated. In consequence, the worldwide population of black hat hackers poses “a relatively high threat of an isolated or brief disruption causing serious damage” (GAO, 2015). U.S. GAO informed House of Representative Subcommittees on Research and Technology and Oversight that stronger controls are required to mitigate the increased cybersecurity threats (GAO, 2015).

The U.S. National Security Council’s Information and Communication Infrastructure Interagency Policy Committee (ICI-IPC) in the Whitehouse has central responsibilities for political and strategic management and coordination of cybersecurity policies (Pernik, 2016). In addition, the National Cyber Security Division of the Department of Homeland Security (DHS) is responsible for providing strategic guidance and coordination of the overall federal government efforts to defend the critical infrastructure. The Department of State (DOS) is the primary agency for internationally communicating and coordinating the President’s cybersecurity policy. Finally, the Department of Justice (DOJ) is overall in charge of the enforcement of cybersecurity laws.

The Obama administration in December 2015 passed the Cybersecurity Act of 2015, which strengthens the nation’s cybersecurity by making it easier for private-sector firms to share cyber threat information with each other and with the federal government and implemented a Cybersecurity National Action Plan (CNAP) (White House, 2016). CNAP includes: (1) establishment of the Commission on Enhancing National Cybersecurity; (2) Modernization of government IT and transformation of the way the government manages cybersecurity, including through the creation of a new position of the Federal Chief Information Security Officer; (3) empowerment of citizens to secure their online accounts, including through a new National Cybersecurity Awareness Campaign; and (4) investment of over $19 billion for cybersecurity as part of the Fiscal Year (FY) 2017 Budget (White House, 2016). The implementation of CNAP signaled the federal government’s commitment to using innovative crowdsourcing-based VRP program.

Our case study of the Pentagon’s continuing and expanding VRP clearly show that their initiatives are in good alignment with the 2016 CNAP. Particularly, the adoption of the private-sector innovation in crowdsourcing the detection, assessment, and reporting of software bugs from the cybersecurity community. This approach is an innovation that has the potential change the traditional ways the federal governments and agencies manage cybersecurity threats. Internal rigorous security audits will remain a critical part of the modernizing the cybersecurity practice, however. The Pentagon’s VRP has the potential to contribute to increased citizens’ awareness of cybersecurity threats in the digital hyper-connected world if the government transparently shares the VRP outcomes such as newly identified valid software bugs with the public.

7. Conclusion

Given clear and present danger of cybersecurity vulnerability and the rise of government hacks, the overarching aim of this paper is to raise an awareness of VRP concepts and practices among the digital government security research community. Specifically, we draw on the theory and practices in crowdsourcing to examine the feasibility of adopting the innovative private-sector VRP practices to enhance government cybersecurity posture.

In so doing, this paper draws on the literature on cybersecurity controls and crowdsourcing to find some preliminary evidence for the Pentagon’s mutually beneficial pilot VRP outcome and we argue its strategic fit with the existing national cybersecurity policy. We demonstrate the importance and applicability of the VRP that was originally conceived in the private sector and its application to the federal government. Essentially, VRP represents a new form of public-private collaborative governance in cybersecurity.

From our case study, there are important cybersecurity policy implications that government officials should be aware of. The existing federal cybersecurity policies do not assume the active engagement of the public, even the white hat hackers. Hence, intrusive cybersecurity innovations such as VRP in government, as we examined the case of the Pentagon, require new sophisticated cybersecurity policies to safeguard government agencies from the new practices. Furthermore, as the GAO. and the hi-tech firms’ experiences indicate, the new sophisticated cybersecurity policies are also required to develop new internal cybersecurity capabilities within the government IT department to cope with the likely increased workload in vetting, rewarding, and fixing some of the reported software bugs through crowdsourcing. If the government agencies adopt a strategy of partnering with a private-sector cybersecurity services provider such as HackerOne as the Pentagon did, then the new cybersecurity policies may need to address new issues of importance such as knowledge transfer and skills development in government. The challenge may be that in contrast to these hi-tech firms, government agencies may not have sufficient technological know-how to move towards independent operations of VRP without an industry partner.

There are important notable benefits and challenges of using crowdsourcing for security issues. One notable benefit is that government is able to use open innovation, that have been used in the private sector, to solve problems that they have not been able to effectively address. This is consistent with prior research that highlighted in the federal government how open innovation through the Obama era Challenge.gov program has been effective at improving innovation. One important challenge can the government to be able to learn from its mistakes? Having the VRP program opens up the Pentagon to all of its faults. Governments agencies especially those in the security domain, may be hesitant to open themselves up to white hat hackers.

There are three important lessons learned from this case study. First, we learned the importance of understanding innovation in cybersecurity in the private sector, as this was successfully applied to the Pentagon to improve its overall cybersecurity control performance. Companies like Google and Microsoft have used VRR programs with much success, and the Pentagon was able to learn from their experiences. Second, our paper showed the importance of placing open innovation outside the government boundary in order to inspire change within the government. This was especially risky given the top-security data and information held in the Pentagon, and to trust a third party to challenge its cybersecurity is very forward thinking and innovative for government. Our case study showed the success of open innovation concepts invented in the private sector to crowdsource solutions in government cybersecurity. Finally, the Pentagon VRP pilot was a Public Private Partnership. Its successful outcome shows the importance of collaborative governance in delineating roles and responsibilities among the stakeholders.

Our study makes an important contribution to the emerging literature on VRP and cybersecurity in government through a case study of the innovative VRP concept applied to the U.S. federal government’s Pentagon. However, our research has some limitations including the use of secondary source data rather than conducting case interviews with the Department of Defense. Our future research direction includes conducting multiple field case studies of governments, which have adopted VRP or consider such an adoption either in the U.S. or elsewhere.

References

Abdelsalam

H. M.

Reddick

C. G.

Gamal

, & Al-shaar

(2013). Social media in Egyptian government websites: Presence, usage, and effectiveness. Government Information Quarterly, 30(4), 406-416.

Adams

S. A.

(2011). Sourcing the crowd for health services improvement: The reflexive patient and “share-your-experience” websites. Social Science & Medicine, 72(7), 1069-1076.

Akamai. (2013). Akamai’s State of the Internet Q4 Report. Retrieved from https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/akamai-q4-2013-state-of-the-internet-connectivity-report.pdf

Ali

. (2016). Teen hacks Pentagon websites, gets thanked for finding ‘bugs’. Retrieved from http://www.reuters.com/article/us-usa-pentagon-cyber-idUSKCN0Z321U

Asllani

White

C. S.

, & Ettkin

(2013). Viewing cybersecurity as public good: The role of governments, businesses, and individuals. Journal of Legal, Ethical and Regulatory Issues, 16(1), 7-14.

Becker

, & Bendett

(2015). Crowdsourcing solutions for disaster response: Examples and lessons for the US government. Procedia Engineering, 107, 27-33.

Bott

, & Young

(2012). The role of crowdsourcing for better governance in international development. Praxis: The Fletcher Journal of Human Security, 27(1), 47-70.

Brabham

D. C.

(2010). Moving the crowd at threadless: Motivations for participation in a crowdsourcing. Information Communication and Society, 13(8), 1122-1145.

Bertot

Jaeger

P. T.

, & Grimes

J. M.

(2012). Promoting transparency and accountability through ICTs, social media, and collaborative e-government. Transforming Government: People, Process and Policy, 6(1), 78-91.

10.

Charalabidis

Loukis

E. N.

Androutsopoulou

Karkaletsis

, & Triantafillou

(2014). Passive crowdsourcing in government using social media. Transforming Government: People, Process and Policy, 8(2), 283-308.

11.

Chatfield

A. T.

, & Brajawidagda

(2014). Crowdsourcing hazardous weather reports from citizens via Twittersphere under the short warning lead times of EF5 intensity tornado conditions. Paper presented at the The proceedings of the 2014 47th Hawaii International Conference on System Sciences.

12.

Chatfield

A. T.

Scholl

H. J. J.

, & Brajawidagda

(2013). Tsunami early warnings via Twitter in government: Net-savvy citizens’ co-production of time-critical public information services. Government Information Quarterly, 30(4), 377-386.

13.

Chromium. (2016). The Chromium Projects. Retrieved from http://dev.chromium.org/Home/chromium-security/quarterly-updates

14.

CIS. (2016). The Center for Internet Security. Critical Security Controls. Retrieved from https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

15.

CNN. (2016). Hackers publish contact info of FBI employees. Retrieved from http://www.cnn.com/2016/02/08/politics/hackers-fbi-employee-info/index.html

16.

Collins

. (2017). DoD announces ‘Hack the Pentagon’ follow-up initiative. Retrieved from https://www.defense.gov/News/Article/Article/981160/dod-announces-hack-the-pentagon-follow-up-initiative

17.

Denning

D. E.

(2015). Privacy and Security Toward More Secure Software. Communications of the ACM, 58(4).

18.

Department of Defense. (2016). Defense Secretary Ash Carter releases Hack the Pentagon results. Retrieved from https://www.defense.gov/News/News-Releases/News-Release-View/Article/802929/defense-secretary-ash-carter-releases-hack-the-pentagon-results

19.

Egelman

Herley

, & Van Oorschot

P. C.

(2013). Markets for zero-day exploits: Ethics and implications. Paper presented at the ACM International Conference Proceeding Series.

20.

Estellés-Arolas

, & González-Ladrón-De-Guevara

(2012). Towards an integrated crowdsourcing definition. Journal of Information Science, 38(2), 189-200.

21.

Finifter

Akhawe

, & Wagner

(2013). An Empirical Study of Vulnerability Rewards Programs. Paper presented at the USENIX Security Symposium.

22.

GAO. (1996). Information Security – Computer Attacks at Department of Defense Pose Increasing Risks. Retrieved from https://epic.org/security/GAO_DOD_security.html

23.

GAO. (2015). Cyber threats and data breaches illustrate need for stronger controls across federal agencies. (GAO-15-758T).

24.

GAO. (2016a). Federal information security actions needed to address challenges. (GAO-16-885T).

25.

GAO. (2016b). Information security agencies need to improve controls over selected high-impact systems. (GAO-16-501).

26.

Google. (2017a). Chrome Reward Program Rules. Retrieved from https://www.google.com/about/appsecurity/reward-program/

27.

Google. (2017b). Google Vulnerability Reward Program (VRP) Rules. Retrieved from https://www.google.com/about/appsecurity/reward-program/

28.

HackerOne. (2016). Hack the Pentagon. Retrieved from https://hackerone.com/resources/hack-the-pentagon

29.

Howe

. (2006). The rise of crowdsourcing. Retrieved from http://www.wired.com/2006/06/crowds

30.

Leopold

. (2016). DoD hacking effort extended to Army. Retrieved from https://defensesystems.com/articles/2016/11/23/hackarmy.aspx

31.

Linders

(2012). From e-government to we-government: Defining a typology for citizen coproduction in the age of social media. Government Information Quarterly, 29(4), 446-454.

32.

Lyer

(2016). 18 year-old hacks Pentagon, gets praised by government for finding bugs. Retrieved from http://www.techworm.net/2016/06/18-year-old-hacks-pentagon-gets-praised-finding-bugs.html

33.

Maillart

Zhao

Grossklags

, & Chuang

(2016). Given Enough Eyeballs, All Bugs Are Shallow? Revisiting Eric Raymond with Bug Bounty Programs. arXiv preprint arXiv:1608.03445.

34.

Mason

, & Suri

(2012). Conducting behavioral research on Amazon’s Mechanical Turk. Behavior Research Methods, 44(1), 1-23.

35.

Massimini

Kissel

Suby

, & Rodriguez

(2016). Analysis of the global public vulnerability research market, 2015 growth of public vulnerability disclosures, the important intermediary between commercial threat analysis and cyber grid threat reporting. Retrieved from https://www.trendmicro.com/cloud-content/us/pdfs/business/reports/public_vulnerability_oct_2016.pdf

36.

McGregor

(2014). The top 5 most brutal cyber attacks of 2014 so far. Retrieved from http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top-5-most-brutal-cyber-attacks-of-2014-so-far/#1895806521a6

37.

Mein

, & Evans

(2011). Dosh4Vulns: Google’s vulnerability reward programs. Retrieved from https://software-security.sans.org/downloads/appsec-2011-files/vrp-presentation.pdf

38.

Mergel

(2013). Social media adoption and resulting tactics in the U.S. federal government. Government Information Quarterly, 30(2), 123-130.

39.

Moore

(2014). Cybercrime: Investigating High Technology Computer Crime (2nd ed). London: Routledge.

40.

Morris

(2015). Information Security and Cybersecurity at the Federal Aviation Administration: Challenges and Control Efforts. New York: Nova Science Publishers, Inc.

41.

Nakashima

(2015). Hacks of OPM databases compromised 22.1 million people, federal authorities say. Retrieved from https://www.washingtonpost.com/news/federal-eye/wp/2015/07/09/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say

42.

Panaousis

Fielder

Maracalia

Hankin

, & Smeraldi

(2014). Cybersecurity Games and Investments: A Decision Support Approach. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8840, 266-286.

43.

Pandey

, & Snekkenes

E. A.

(2014). An assessment of market methods for information security risk management. Paper presented at the 16th IEEE International Conference on High Performance and Communications, WiP track.

44.

Pernik

Wojjtkowiak

, & Verschoor-Kirss

(2016). National cyber security organisation: United States. Retrieved from https://ccdcoe.org/

45.

Quinn

, & Arthur

(2011). PlayStation Network hackers access data of 77 million users. Retrieved from https://www.theguardian.com/technology/2011/apr/26/playstation-network-hackers-data

46.

Reddick

C. G.

(2010). Homeland Security Preparedness and Information Systems Strategies for Managing Public Policy. Hershey, New York: Information Science Reference.

47.

Rescorla

(2005). Is finding security holes a good idea? IEEE Security and Privacy, 3(1), 14-19.

48.

Schneier

(2012). The vulnerabilities market and the future of security. Retrieved from http://www.forbes.com/sites/bruceschneier/2012/05/30/the-vulnerabilities-market-and-thefuture-of-security/

49.

SecurityWeek. (2012). No British charges for hacker Gary McKinnon. Retrieved from https://www.securityweek.com/no-british-charges-hacker-gary-mckinnon

50.

Short

Williams

, & Christie

(1976). The Social Psychology of Telecommunications. London: John Wiley.

51.

Spiliotopoulou

Charalabidis

N. Loukis

, & Diamantopoulou

(2014). A framework for advanced social media exploitation in government for crowdsourcing. Transforming Government: People, Process and Policy, 8(4), 545-568.

52.

Stuart

, & Arthur

(2011). PlayStation Network hack: Why it took Sony seven days to tell the world. Retrieved from https://www.theguardian.com/technology/gamesblog/2011/apr/27/playstation-network-hack-sony

53.

Thielman

(2015). Chinese hack of US national security details revealed days after Russian hack. Retrieved from https://www.theguardian.com/world/2015/aug/10/chinese-national-security-officials-hack

54.

U.S. Department of Defense. (2016). DOD announces digital vulnerability disclosure policy and “hack the army” kick-off. Retrieved from https://www.defense.gov/News-Releases/News-Release-View/Article/1009956/dod-announces-digital-vulnerability-disclosure-policy-and-hack-the-army

55.

Whitaker

G. P.

(1980). Coproduction: Citizen participation in service delivery. Public Administration Review, 40(3), 240-246.

56.

White House. (2016). FACT SHEET: Cybersecurity national action plan. Retrieved from https://obamawhitehouse.archives.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan

57.

Wired. (2015). The year’s 11 biggest hacks, from Ashley Madison to OPM. Retrieved from https://www.wired.com/20015/12/the-years-11-biggest-hacks-from-ashley-madison-to-opm/

58.

Younis

Malaiya

Y. K.

, & Ray

(2016). Evaluating cvss base score using vulnerability rewards programs. Paper presented at the IFIP International Information Security and Privacy Conference.

59.

Zavarsky

(2015). High assurance cybersecurity plan templates for nuclear facilities: Two-dimensional layering of mutually orthogonal security controls for a high-assurance cybersecurity protection of critical computer-based systems in the post-Stuxnet era. Paper presented at the Proceedings of the International Conference on Information Society.

60.

Zavarsky

Waedt

, & Kuskov

(2015). High assurance cybersecurity controls against persistent and targeted attacks on instrumentation and control systems in nuclear facilities. Paper presented at the Proceedings of 9th International Topical Meeting on Nuclear Plant Instrumentation, Control, and Human-Machine Interface Technologies.

61.

ZDNet. (2016). Yahoo hacked again, more than one billion accounts stolen. Retrieved from http://www.zdnet.com/article/yahoo-hacked-again-more-than-one-billion-accounts-stolen/

62.

Zhao

Grossklags

, & Liu

(2015). An empirical study of web vulnerability discovery ecosystems. Paper presented at the Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security.