Pentagon launching bug bounty program
- By Mark Pomerleau
- Mar 03, 2016
In an effort to increase cybersecurity through innovative means, the Pentagon is inviting “vetted” hackers to participate in the government’s first “bug bounty” program.
Under the Hack the Pentagon initiative, hackers who pass background checks will work to identify vulnerabilities on predetermined department systems, potentially for cash awards, according to the Defense Department. Critical, mission-facing systems will not be part of the pilot, however.
The initiative will be led by the department’s Defense Digital Service, an arm of the U.S. Digital Service that was launched in November. Like USDS, DDS “brings coders in for what we call a tour of duty,” Defense Secretary Ashton Carter said during a Microsoft-hosted breakfast in Seattle on March 3. “They come in, you know they’re not going to make a career of it… but they come in for a year or two or a project and make a contribution to us.”
Hack the Pentagon is based on bug bounty programs in the private sector that reward efforts to discover weaknesses in software before adversaries do. “The objective here is to let the white hats help us find vulnerabilities before the black hats do,” Carter said in Seattle.
“We can't hire every great white hat hacker to come in and help us,” a senior defense official said in a media call. However, Hack the Pentagon “allows us to use their skill sets, their expertise, to help us build better, more secure products and make the country more secure.”
Two Army captains proposed just such a program in a Cyber Defense Review article last year, and Department of Homeland Security officials have also floated the idea of paying bug bounties.
There are some skeptics, however. “Don't know a proficient hacker who'd submit to background check to hack ‘predetermined’ DOD systems,” Micah Zenko, senior fellow at the Council on Foreign Relations, posted to Twitter following DOD’s announcement. “DOD insisting hackers give up personal info, be monitored and only hack ‘predetermined’ systems is opposite every hacker ethos.”
Other observers, though, are optimistic. “Inviting members of the highly skilled hacker community is an incredibly effective way to identify inevitable security vulnerabilities that your own testing missed,” said Katie Moussouris, chief policy officer at HackerOne, a bug bounty firm. “The broad implication here isn’t just strengthening national security, but it will also have a ripple effect for other governments' and industries' acceptance on the use of bug bounty programs to focus hackers on helping you find issues in target systems.”
“The acknowledgement from the Pentagon that open and free security assessments on its websites are valuable, and even encouraged, is a huge step forward for the DOD and the U.S. government,” Tod Beardsley, security research manager at the cybersecurity firm Rapid7, said. “The terms are a little more restrictive than many similar programs, but this positive sentiment is a huge win for modern security research and security researchers of all stripes.”
Hack the Pentagon may also fortify the overall government cybersecurity business community. It would “strengthen DOD deployments, exercise blue team capabilities and shine a light on those who build the DOD’s Internet presence,” said Monzy Merza, director of cyber research and chief security evangelist at Splunk. “Bug bounty programs typically pay for performance, thus this is a good precedent to reduce the contracting friction in doing business with the DOD. As the bug bounty program becomes more successful, the DOD will enhance its IT environments to include greater degrees of visibility and automation.”
It might also lure some cybersecurity talent to government. “Like most organizations, the DOD is challenged with human resource shortages for cyber defenders, and this program may also serve as a recruiting tool,” Merza said.
The pilot will launch in April, with details forthcoming.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.