Mar 03 2016

DOD Invites ‘Vetted’ Hackers to Test Security of Pentagon’s Websites

New initiative is part of the Obama administration’s larger nationwide cybersecurity plan.

The Defense Department is asking cybersecurity experts and hackers to test the security of its websites and computer systems, in what it is calling its “Hack the Pentagon” initiative.

The DOD said in a statement that as part of the pilot program, it will “allow qualified participants to conduct vulnerability identification and analysis on the department’s public webpages.” This is just a first step, according to the Pentagon, and the DOD will run multiple programs to “test and find vulnerabilities in the department’s applications, websites, and networks.”

Calling All Hackers

The program is modeled on so-called “bug bounty” programs used in the private sector to expose vulnerabilities and then improve companies' networks, products and digital services, the Pentagon noted. As The Verge notes, “Facebook, Twitter, Yahoo, Microsoft, United Airlines, Tesla, and multiple other big names have collectively doled out hundreds of thousands of dollars' worth of rewards for their programs.”

The DOD will launch the pilot in April, and the department said it will provide more details on requirements for participation and other ground rules in the next few weeks. Those who want to participate in the initiative will need to register with the DOD and submit to a background check before they will be allowed to take part. Those who participate in the program could receive money or other recognition.

“Once vetted, these hackers will participate in a controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system,” the DOD said. “Other networks, including the department’s critical, mission-facing systems will not be part of the bug bounty pilot program.”

While that might seem like the Pentagon is not giving the vetted hackers much to test and attack, the DOD actually runs hundreds of public-facing websites.

The Pentagon said it is trying to stay ahead of the curve on cybersecurity. “I am always challenging our people to think outside the five-sided box that is the Pentagon,” Defense Secretary Ash Carter said in the statement. “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”

The DOD said the program is being led by the Defense Digital Service (DDS), an arm of the U.S. Digital Service that was launched in November.

“Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DOD, but it also helps us better protect our country,” DDS Director and technology entrepreneur Chris Lynch said in the statement.

Larger National Cybersecurity Plan

The DOD said that the program is in line with the Obama administration’s Cyber National Action Plan (CNAP), which was announced Feb. 9. The Pentagon noted that the plan “prioritizes near-term actions to improve our cyber defenses and codifies a long-term strategy to enhance cybersecurity across the U.S. government.”

The CNAP includes a planned $3.1 billion revolving fund dubbed the “Information Technology Modernization Fund,” which is designed to accelerate the replacement and updating of legacy IT that is difficult to secure and expensive to maintain.

The plan also creates a new position, the federal chief information security officer, who will report to federal Chief Information Officer Tony Scott. The new CISO, who has not yet been named, will be responsible for driving cybersecurity policy as part of the CNAP.
