DOD expands vulnerability disclosure policy to public networks, IoT devices
- By Lauren C. Williams
- May 06, 2021
The Defense Department is expanding its vulnerability disclosure program to cover all of its publicly available systems, including networks, frequency-based communication, industrial control systems and internet-of-things devices.
Sparked by the Defense Digital Service's 2016 Hack the Pentagon initiative, the program was initially restricted to public-facing websites and applications, which limited the number and kinds of vulnerabilities reported.
"DOD websites were only the beginning as they account for a fraction of our overall attack surface," said Kristopher Johnson, the director for the Pentagon's Cyber Crime Center, which oversees the program
The announcement comes after the center announced a defense industry-focused pilot of its bug bounty program in April. That yearlong pilot is expected to build on lessons from the original vulnerability disclosure program, which has uncovered more than 29,000 vulnerabilities since its launch, according to a recent report.
Other crowdsourcing efforts are focused on rooting out vulnerabilities in satellites and industrial control systems.
The Air Force and Space Force have opened registration to space cybersecurity researchers for this year’s Hack-A-Sat challenge. The contest to help build more secure space systems starts with a qualification round and culminates in an attack/defend style capture the flag event. Last year’s inaugural event featured 6,000 competitors, organized into 2,213 registered teams.
The May 4 Hack the Capitol 4.0 event focused on vulnerabilities in industrial control systems. The day-long program designed for congressional staffers delivered policy presentations, technical talks and an exhibit hall featuring an IoT Village and exercises where participants learned about cyber-physical topics of logic, sensors and actuators, operational technology system architecture, communication protocols and data analysis.
A version of this article was first posted to FCW, a sibling site to GCN.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.
Click here for previous articles by Wiliams.