US should pay hackers who find threats, says analyst
- 7 August 2014
- From the section Technology
The US government should pay hackers who identify significant cybersecurity threats, a respected risk analyst has proposed.
Dan Geer said large bounties would prevent the vulnerabilities from ending up in the hands of criminal gangs or hostile authorities.
Mr Geer, whose tech firm assists the CIA, was referring to previously unknown security flaws, for which a patch is not yet available.
They are often used in cyber-warfare.
Tech news site the Register reported that Mr Geer, who made the suggestion in a keynote address at the Black Hat cybersecurity conference in Las Vegas, said the tactic would only work if there were few vulnerabilities in existence.
"If there are many vulnerabilities, then we've wasted our money," he reportedly said.
"But if there are a limited number, by making them not weaponisable have we not contributed to world peace?
"The US can corner the market in this in a way few other countries can."
Mr Geer added that the government should consider paying 10 times more than anyone else would for the vulnerabilities.
Once a patch was found, authorities should make the vulnerabilities public, he advised.
Other cybersecurity experts unveiled their research at the annual conference.
Jesus Molina explained how he had taken over a hotel in Shenzhen, China, after hacking into the central system via a guest iPad in his room.
Mr Molina said he was able to control the rooms' temperature, lighting and even the hotel doors.
Another cybersecurity professional, Billy Rios, claimed to have found multiple vulnerabilities in the tech used by the US Transportation Security Administration (TSA) in airports.
He said he could gain access to the TSA's X-ray machines, as well as a system that tracks employees' shift changes and the scanners used to detect hazardous materials in luggage or clothing.
"They all have major issues," Mr Rios told the BBC.
However, a representative of the company that develops the airport technology, Morpho, denied the devices were vulnerable to attack.