Cyber Literacy in Hong Kong – a Public Good to Bridge the Talent Gap and Develop a Secure Digital Society

As the global cyber threat landscape continues to evolve, defenders will keep playing catch-up, finding ways to prevent, detect, respond to and recover from cyber-attacks. To fight back against the latest threats, which target organizations and individuals alike, we need to further democratize security and involve citizens of all technical backgrounds.

The digital age has given rise to an urgent demand for cybersecurity professionals worldwide. This demand has outpaced the available workforce, resulting in a significant talent gap. The (ISC)² Cybersecurity Workforce Study 2022 reports a global workforce of 4.7 million professionals but a gap of 3.4 million unfilled cybersecurity positions. [1] In the Asia Pacific region, where digital transformation is in full swing, the talent gap remains a concern. Nonetheless, there have been positive developments: the region's cybersecurity workforce grew by 15.6%. Singapore and South Korea stand out for their efforts in closing the talent gap within their countries.

In this article, we will explore diverse cybersecurity career paths, examine the factors contributing to the closure of the talent gap in certain regions, and discuss steps Hong Kong can take to address this pressing issue. Understanding the global cybersecurity talent landscape is vital for building a stronger and more secure digital future. 

Understanding the Various Cybersecurity Roles and Responsibilities

In cybersecurity, roles are commonly categorized using the InfoSec color wheel, which sets out the roles and responsibilities of different teams. [2] The primary colors are the Red Team (offensive security), the Blue Team (defensive security, including detection, remediation and orchestration) and the Yellow Team (the builders: software developers, architects and engineers). Collaboration between these teams produces the secondary colors: the Purple Team (feeding Red Team results back into Blue Team capabilities), the Green Team (Yellow and Blue working together to improve code-based defense through DevSecOps) and the Orange Team (Yellow and Red working together to raise security awareness in software development).

To understand the tasks, competencies, skills and knowledge associated with these roles, we can refer to frameworks such as the National Initiative for Cybersecurity Education (NICE) Framework [3] or the European Cybersecurity Skills Framework (ECSF). [4] The NICE Framework describes work roles such as Red Team Operator, Blue Team Analyst, Secure Software Assessor and Compliance Manager, together with the tasks and knowledge each requires. The ECSF outlines competencies and knowledge domains for roles such as Cybersecurity Engineer, Incident Responder and Risk Manager. Both frameworks are useful references for anyone seeking to understand the specific responsibilities and requirements of a given cybersecurity role.

By embracing the diverse range of cybersecurity roles and promoting collaboration among them, organizations can establish a strong cybersecurity posture. This collaborative approach ensures effective defense against evolving cyber threats and enables a comprehensive security strategy.

Hong Kong’s Progress and Areas for Improvement

In recent years, Hong Kong has made notable advancements in its cybersecurity landscape. The introduction of Hong Kong Monetary Authority’s Cyber Resilience Assessment Framework (C-RAF) [5] and the Professional Development Programme (PDP) [6] has expanded the roles of red and blue teams alongside traditional compliance functions. Additionally, the adoption of public cloud technologies has driven growth in design/architect and develop/build roles, which has helped to boost the capacity and capabilities of the yellow team.

However, Hong Kong still faces challenges, particularly in building a sufficient talent pool for red and blue team roles. Singapore has over 2,000 qualified candidates holding credentials such as CREST Registered Penetration Tester (CRT) and Offensive Security Certified Professional (OSCP), whereas Hong Kong has fewer than 300, indicating a significant talent gap. Singapore stands out for its proactive approach to talent development. While individual licensing is not mandatory, companies offering licensable cybersecurity services (such as penetration testing) must obtain a licence. [7] Furthermore, the Monetary Authority of Singapore has committed SGD 400 million through the Financial Sector Development Fund to enhance digital workforce competencies, including cybersecurity expertise. [8]

To strengthen Hong Kong’s cybersecurity workforce, it is crucial to invest in specialized training programs, foster collaborations between academia and industry, and promote recognized certifications and qualifications. Emulating Singapore’s commitment to talent development can help Hong Kong address the evolving cyber threats effectively.

How to Address the Talent Gap?

To tackle the problems surrounding the lack of cybersecurity talent in Hong Kong, it is crucial that the investments made are targeted and used effectively. Hong Kong's investment in cybersecurity is comparable to, if not higher than, that of other regions [9], so the question is where it is spent: it should be focused on the areas that most need talent, namely the primary colors of the red and blue teams, rather than the traditional "white" team roles of governance and compliance.

The talent gap in red team roles is already significant: Singapore's pool of qualified red team professionals is roughly ten times the size of Hong Kong's. To stay competitive, it is vital to nurture this talent early, as early as secondary or tertiary education. That can only happen if the Hong Kong government recognizes the value of "ethical hacking" as a form of innovative problem-solving and includes it in educational curricula. It is therefore concerning that the 2023-24 Budget does not mention cybersecurity at all, a missed opportunity that should be addressed in future budgets. [10]

While demand generation efforts such as local bug bounty programs like Cyberbay [11] are valuable, they can only be fully effective with a steady supply of skilled and qualified professionals. It is crucial for the government to prioritize cybersecurity in its policies and allocate resources for the development of cybersecurity talent. By recognizing the importance of cultivating cybersecurity skills and incorporating them into educational initiatives, Hong Kong can build a robust talent pool and foster an ecosystem that supports the growth of the cybersecurity industry. This will help Hong Kong keep pace with market demands and maintain its position as a leading cybersecurity hub.

Conclusion

To support the ecosystem, we need an uplift of all talent, but in particular the red and blue teams. That talent is severely lacking in Hong Kong, in part because words like "hacking" are frowned upon by parents as well as by the private and public sectors. Demand generation such as bug bounty programs and supply programs such as cyber academies can help, but the situation will not change until we either enforce the need for such talent through law or regulation, or create education programs with a sufficiently low barrier to entry, at least in terms of cost, given our assessment that cybersecurity knowledge is a public good.

Further information

Feel free to contact us at [darklab dot cti at hk dot pwc dot com] for any further information.

Bug Bounty Programs – a Public Good that is a Necessity for Corporates, SMEs, and Individuals Alike

As the cyber threat landscape continues to evolve and threat actors increasingly target vulnerable external-facing assets, bug bounties present organizations with an opportunity to proactively identify and remediate vulnerabilities before they can be exploited by attackers.

In today's digital age, cyber threats have become increasingly prevalent, and enterprises are struggling to keep up with their pace. This is evident in the number of disclosed vulnerabilities and identified zero-days. For example, the number of disclosed vulnerabilities increased from 20,171 in 2021 to 25,227 in 2022, a growth rate of 25 percent [1]; meanwhile, 80 zero-days were exploited in the wild in 2021, more than double the previous record set in 2019. [2] These statistics indicate that traditional cybersecurity methods are no longer sufficient to protect businesses from evolving cyber-attacks.

As a result, bug bounty programs have become an increasingly popular way for organizations to identify and remediate vulnerabilities in their systems and applications by drawing on the skills of the global cybersecurity community. PwC's Dark Lab explores the benefits of bug bounty programs, the roadblocks that hinder their wide-scale implementation, and potential solutions that reduce the barriers to entry so that enterprises can adopt them as a viable business risk management strategy for a dynamic cyber risk landscape.

Bug Bounty Programs – An Overview

A bug bounty program is a defined, scoped arrangement under which security researchers are permitted to look for security vulnerabilities, often within a subset of the organization's technical infrastructure, in exchange for financial or non-financial "bounties" for each successfully validated vulnerability. Bug bounty programs were introduced by Netscape in 1995 and have evolved significantly since. [3] Today, multiple bug bounty platforms and services, including HackerOne, Bugcrowd and YesWeHack, give organizations a streamlined way to engage with the cybersecurity community. One notable example of a successful program is the Microsoft Bug Bounty Program, which paid out US$13.7 million to more than 330 security researchers across 46 countries in 2021. [4]

Governments have also recognized the importance of bug bounty programs in strengthening their nations' cybersecurity posture. For example, under Part 5 of Singapore's Cybersecurity Act 2018, service providers offering traditional cybersecurity assessment services (e.g., vulnerability scanning or penetration testing) must first obtain a licence [5], whereas companies providing bug bounty platforms and/or services are exempted. [6] This suggests that the Ministry of Communications and Information (MCI) and the Cyber Security Agency of Singapore (CSA) treat bug bounty programs differently, arguably as more of a public good, reflecting the greater value they bring to society.

Issues Faced by Bug Bounty Programs

Despite the growth of bug bounty programs, market barriers still prevent this public good from being consumed. One major issue is the pricing of vulnerabilities, since the vendor unilaterally determines the value of a bug. The absence of a free market in which security researchers are properly incentivized leads to a "tragedy of the commons", in which researchers seek a greater economic reward for their proofs of concept in alternative markets, such as the dark web or established threat actors. The pricing misalignment is compounded by the lack of legal protection and standardized guidance for researchers identifying and disclosing vulnerabilities; the many grey areas that may inadvertently lead to punishment make researchers less likely to pursue a payout at all. [7] Poor communication does not help: in some cases there are no clear criteria or requirements on compensation schemes, on restrictions and limitations, or on the handling of duplicate reports. [8]

Meanwhile, not all hackers are motivated by money. Espionage threat actors, for example, are after information, so no amount of financial incentive will lead them to disclose or monetize their zero-days. [9] More generally, most researchers are driven by a combination of motivations, such as prestige or career advancement, the challenge or the fun of it, or ethical or ideological reasons, so it is not feasible to focus solely on financial incentives. [10] Bug bounty programs were also meant to compensate for the shortage of skilled and qualified security researchers who know how to "hack to earn" by crowdsourcing vulnerability identification; that shortage persists despite bug bounty programs having existed for over 25 years. [11]

How to Address those Issues?

There are several ways to fix the problems surrounding bug bounty programs. One solution is an independent platform that connects security researchers with organizations, similar to Uber's marketplace model. Such a platform would allow rewards to be set by auction at the right price, under the oversight of the technology owner, and would match the right level of talent with the right buyer so that their incentives align.

Another solution is to enhance legal frameworks, as Singapore has done, to recognize the importance of bug bounty programs and to have certified or accredited personnel perform this work. The legal framework should mandate companies to implement and operationalize a vulnerability disclosure policy (VDP) that gives the cybersecurity research community and members of the general public straightforward guidelines on conducting good-faith vulnerability discovery against public-facing and/or internal applications and services. The VDP should also instruct researchers on how to report discovered vulnerabilities, to the organization, to the affected security vendor(s) (if applicable) and to other relevant parties, ethically and safely, with clear guidelines on how such vulnerabilities will be disclosed. In practice, the policy and a contact channel can be published in machine-readable form at /.well-known/security.txt (RFC 9116) so that researchers can find them.

Finally, there needs to be an investment in talent development to ensure that there is a sufficient number of skilled and qualified security researchers who know how to “hack to earn” by finding vulnerabilities in the first place. Ideally, the legal framework should also mandate the need for security researchers to attain certifications and accreditations with practical elements. That would have a positive downstream impact on investment in cybersecurity education and training, thereby establishing a healthy pipeline of skilled cybersecurity professionals who can join bug bounty programs. 

Conclusion

Despite the challenges, bug bounty programs offer significant benefits to organizations looking to strengthen their cybersecurity posture. If the barriers to entry are reduced, bug bounty programs can serve as an effective business risk management strategy. In addition, the success of bug bounty programs may cause connected markets to rise or fall: cyber insurance could see a drop-off as security researchers look to profit in legal markets rather than parallel markets like the dark web, and traditional vulnerability assessment and penetration testing services could shrink as bug bounty programs run continuously. Meanwhile, new service offerings such as talent development may arise to provide a larger supply of security researchers to meet the increased demand for identifying vulnerabilities. We expect the adoption of bug bounties in Hong Kong and globally to pick up in the next five years, as it is a cost-effective way to improve cybersecurity by crowdsourcing to qualified security researchers with diverse backgrounds and varying degrees of experience.
