Pentagon to welcome hackers with open arms
- By Mark Pomerleau
- Mar 03, 2016
In an effort to increase cybersecurity through innovative means, the Pentagon is inviting “vetted” hackers to participate in the government’s first “bug bounty” program.
Under the Hack the Pentagon initiative, as it’s called, hackers will submit to background checks and identify vulnerabilities in predetermined department systems, potentially for cash awards, according to a DOD announcement. Critical, mission-facing systems will not be part of the pilot, however.
The initiative will be led by the department’s Defense Digital Service, which was launched in November. DDS “brings coders in for what we call a tour of duty,” Secretary of Defense Ashton Carter said during a Microsoft-hosted breakfast in Seattle on March 3. “They come in, you know they’re not going to make a career of it, they’re not going to join, they’re not going to be part of the government, but they come in for a year or two, or a project, and make a contribution to us.”
The effort is modeled on bug bounty programs in the private sector, which pay researchers for finding and reporting vulnerabilities so they can be fixed before adversaries exploit them. “The objective here is to let the white hats help us find vulnerabilities before the black hats do,” Carter said in Seattle.
Some in government have expressed a desire to adopt bug bounty programs, an industry best practice. The Army “urgently needs to stand up vulnerability disclosure and response programs that would permit its personnel to responsibly report findings to a centralized entity that would assist in tracking and resolving issues,” two Army captains wrote in a Cyber Defense Review article. “Revocation of security clearances, loss of access to IT systems, and punitive action under the Uniform Code of Military Justice are all viable outcomes for someone who casually stumbles upon an interesting finding during everyday work,” they wrote, regarding reluctance to share discovered vulnerabilities for fear of reprisal.
“We can't just keep doing what we're doing, because the world changes too fast. Our competitors change too fast,” Carter said at the RSA Conference on March 2. “[I]t's a serious matter for us to remain open. And government does tend to be closed. The defense establishment especially just tends to be closed.” And although there are reasons for secrecy, “by and large, I think the more open we are, the more connected we are to the innovative community, the better we'll be at doing what our mission is,” he said.
“We can't hire every great white hat hacker to come in and help us,” a senior defense official said in a media call. “[Hack the Pentagon] allows us to use their skill sets, their expertise, to help us build better, more secure products and make the country more secure.”
Some are skeptical of the crowdsourced initiative, however. “Don't know a proficient hacker who'd submit to background check to hack ‘predetermined’ DOD systems,” Micah Zenko, senior fellow at the Council on Foreign Relations, wrote on Twitter following DOD’s announcement. “DOD insisting hackers give up personal info, be monitored, and only hack ‘predetermined’ systems is opposite every hacker ethos.”
Others, however, are optimistic. “Inviting members of the highly skilled hacker community is an incredibly effective way to identify inevitable security vulnerabilities that your own testing missed,” said Katie Moussouris, chief policy officer at HackerOne, a bug bounty platform. “The broad implication here isn’t just strengthening national security, but it will also have a ripple effect for other governments’ and industries’ acceptance on the use of bug bounty programs to focus hackers on helping you find issues in target systems.”
“The acknowledgement from the Pentagon that open and free security assessments on its websites are valuable, and even encouraged, is a huge step forward for the DOD and the U.S. government,” Tod Beardsley, security research manager at the cybersecurity firm Rapid7, said. “The terms are a little more restrictive than many similar programs, but this positive sentiment is a huge win for modern security research and security researchers of all stripes.”
“The DOD already has mature red teams and offensive cyber capabilities. Bug bounty programs are fairly common in the technology industry,” said Monzy Merza, director of cyber research and chief security evangelist at Splunk. “This DOD program will strengthen DOD deployments, exercise blue team capabilities, and shine a light on those who build the DOD’s Internet presence.”
Hack the Pentagon aligns with efforts to make the department more innovative and embrace technological advancements through other programs, such as the Defense Innovation Unit-Experimental – a new DOD outpost in Silicon Valley intended to foster greater partnership between government and technology firms.
The Hack the Pentagon pilot will launch in April, with details forthcoming.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.