The case of the CDU app illustrates the fact that white hat hacking for IT security has not become widely understood
Earlier this month, a hacker pointed out a security vulnerability in the German Christian Democratic Union (CDU) political party’s election campaign app. The party responded by pressing charges against the hacker. The complaint has since been withdrawn, but the case illustrates a fundamental problem: the importance of white hat hacking for IT security has not yet been widely understood.
Security vulnerabilities in programs and apps that are still unknown to the vendor are referred to as "zero days." In the worst cases, cybercriminals discover them and exploit them, or they’re discovered by ostensibly legitimate manufacturers of spyware who, in reality, sell them to regimes for spying on citizens.
In some cases, this makes spectacular attacks possible, such as last month’s Kaseya ransomware attack or the Pegasus attacks on journalists and human rights activists — both of these vulnerabilities were zero-day exploits of other programs.
This can have devastating economic consequences for companies and individuals alike. As reported by Netzpolitik, a German language blog on digital rights and digital culture, the most recent hacking discussion deals with the CDU-connect app, an internal party platform for coordinating election campaigns.
The case is a veritable nightmare for data protection: The vulnerability identified by the white hat hacker would have given criminals access to highly sensitive data of almost 20,000 active or potential election workers, including their email and postal addresses, photos and Facebook profiles. Anyone with dishonest intentions could have caused considerable damage to the individuals involved — not to mention the CDU as a whole.
Are white hat hackers the good guys?
In delivering her tip to the party, the hacker acted in the spirit of responsible disclosure, an important software industry rule decreeing that whenever hackers discover security vulnerabilities in a piece of software, they should bring them to the attention of the responsible developers. This provides the right people with the opportunity to firm up the security of their software (and can save them a lot of pain in the process). In return, security gaps that have been successfully patched are only publicly discussed after the patch has been made — or, in case a patch isn’t possible, after 90 days have passed. In this way, the public learns about security risks and can make informed decisions.
The role of Vulnerability Disclosure Programs
Although it may seem strange to some working outside of the cybersecurity industry, working together with “good" hackers (a.k.a. white hats) gives security professionals a streamlined way to both identify and fix security vulnerabilities. For this to work, however, companies must accommodate the white hats, by setting up a Vulnerability Disclosure Program.
In addition to basic openness, this includes simple and secure ways to report risks — for example, by using an email address created solely for this purpose. Companies can also go a step further and set up a bug bounty program, which pays hackers for their reports. The most important thing, though, is to develop secure code, proactively scan and protect your own infrastructure, and prevent attacks from the outset.
Working with white hat hackers boosts the efforts of these security measures. When security programs are properly adhered to, it can keep security vulnerabilities (such as the case of the CDU app) from entering circulation until each of the vulnerabilities have been patched. Unfortunately, the CDU's lack of action in this scenario has instead become an example of what not to do — instead of being positively acknowledged for disclosing a potentially dangerous flaw, the responsible hacker received criminal charges.
Despite all measures taken, vulnerabilities will always exist. It’s for this reason that cooperation with white hats is essential for developers and companies. Now that we live in a time where hardly any organization remains offline, even political parties aren’t immune to cyberattacks. Thus, it’s all the more important that they work together with all parties intent on improving security if we want to deal with these threats in a solution-oriented manner.