May 27 2016

DOD's Initial 'Hack the Pentagon' Program Could Lead to Similar Efforts

The Pentagon’s “Bug Bounty” found about 90 vulnerabilities in the Department of Defense’s public websites, and the department is going to reward those who discovered the flaws.

The Defense Department’s “Hack the Pentagon” program led to the discovery of about 90 vulnerabilities in the DOD’s public websites, and by the end of May the Pentagon will be paying the hackers it invited to find the weaknesses.

The program, which the department announced in early March, formally kicked off at the end of March with an invitation to hackers to sign up and get vetted. Over the course of the initiative, which ran from April 18 to May 12, 1,400 hackers crawled the DOD’s websites, hunting for bugs that could be exploited to tamper with the sites. The Pentagon had expected around 500 to participate, according to Defense News. DOD officials say the program could be extended within the DOD.

“All of this is helping us be more secure, at a fraction of the cost that exhaustively diagnosing ourselves would take,” Defense Secretary Ash Carter noted in mid-May as the program ended, according to Politico. “And we believe this approach, effectively crowd-sourcing cybersecurity, has great potential for us.”

Finding Vulnerabilities

The DOD partnered on the program with HackerOne, a well-known “bug bounty as a service” firm based in Silicon Valley. Critical, mission-facing computer systems were not involved in the program.

HackerOne set up a registration site for eligible participants, who were required to be permanent U.S. residents and not on the U.S. Treasury Department's Specially Designated Nationals List of people and organizations engaged in terrorism, drug trafficking or other crimes. Participants in the program also underwent a basic criminal background screening; those who opted out of the screening agreed to forgo bounty compensation.

Alex Rice, co-founder and chief technology officer at HackerOne, says the Pentagon was wise to involve the wider security community in the program. “I’ve been pleasantly surprised at the responsiveness; they’ve moved very quickly,” Rice told Newsweek. “They’ve been more innovative than I was expecting going into this. I had some biases on what to expect, and it’s been clear that the stereotypes are dangerous.”

Chris Lynch, a software entrepreneur who has been the director of the DOD’s Defense Digital Service since November, ran the program.

“‘Hack the Pentagon’ doesn't even sound legal,” Lynch told CBS News. “There were a lot of people who didn't like that name.” Yet Lynch says that not every hacker is a malicious actor, and that the DOD is “now allowing people who are willing and who are not malicious to do it.”

“We had our first vulnerability that came in 13 minutes from the launch of the program,” Lynch says.

The payouts will go out to about 90 individuals and could reach as high as $15,000, according to Defense News.

More Hacking Efforts Could Be Coming

Corey Harrison, a member of the Defense Digital Service, says the vulnerabilities the bounty program exposed included the ability to manipulate website content, "but nothing that was … earth-shattering" and worth shutting the program down over, according to FCW.

Harrison told FCW that the program is just an initial step, and that DOD officials may decide to expand it to cover more Pentagon assets.

The Defense Digital Service works on protecting classified systems, and some team members do so by looking for vulnerabilities. “They're busy, and we get that,” Harrison told FCW, speaking of DOD’s red teams that look for those weaknesses. “So this was just an opportunity to … augment their efforts.”
