Business Case: Bug Hunters Need Better Financial IncentivesTS Lombard's Rafael Narezzi Discusses Exploits, Extortion and GDPR
Businesses need to find more ways of incentivizing good researchers to find flaws in technology before bad actors discover them, says Rafael Narezzi, CIO of financial services firm TS Lombard.
As an example, he points to the "KRACK" attack recently discovered by a Belgian researcher in the WPA2 security protocols used to encrypt many WiFi communications (see WiFi Security Shredded via KRACK Attack). "I'm glad it was the good guys actually who found this flaw," he says, saluting the Ph.D. researcher involved.
But for everyone who finds flaws in the course of finishing an advanced degree, how many other flaws have already been discovered and put to use by individuals with less honorable intentions?
Plea: Better Incentives
To counter the massive profits available to bad actors who find and weaponize such flaws, Narezzi says that large technology firms need to be spending more on incentivizing researchers with good intentions to find these vulnerabilities in their products first. He also expects more organizations to get on the bug-hunting bandwagon when EU regulators begin enforcing the General Data Protection Regulation in May 2018.
Narezzi warns that GDPR could see a new type of scam emerge: cybercrime gangs breaching or claiming to have hacked into an organization, then extorting the victim in exchange for a promise to not disclose the breach to regulators.
In a video interview at Information Security Media Group's recent 2017 London Fraud and Breach Prevention Summit, Narezzi also discusses:
- The outsize profits to be made from cybercrime;
- Strategies for incentivizing more security researchers;
- How GDPR could change the bug-hunting debate.
Narezzi is CIO of TS Lombard in London, which was formed in 2016 by the merger of two leading independent investment research firms: Trusted Sources and Lombard Street Research. Narezzi formerly served as head of IT for Lombard Street Research.