The Defense Department’s “Hack the Pentagon” program using vetted hackers to find security vulnerabilities in public DOD websites was so successful that the DOD plans to use it in other areas of its security.
The program, which used so-called white hat hackers to probe DOD sites for flaws, ran from April 18 to May 12. More than 1,400 hackers were invited to take part in the first “bug bounty” program for the federal government, in which the DOD paid the hackers for finding the vulnerabilities.
More than 250 participants submitted at least one vulnerability report, and 138 of those vulnerabilities were determined to be “legitimate, unique and eligible for a bounty,” according to Defense Secretary Ash Carter. The DOD worked with HackerOne, a well-known “bug bounty as a service” firm based in Silicon Valley, to set up the program and fix the vulnerabilities. Critical, mission-facing computer systems were not involved in the program.
Expanding to Other Areas
At an event at the Pentagon earlier this month, in which Carter highlighted the work of 18-year-old David Dworken (who participated in between high school classes), Carter said that the program will be expanded to other parts of the department, as many had speculated.
Carter is directing all DOD components to review where such programs could be used, according to a DOD statement, and the department will add incentives to its acquisition guidance and policies so that contractors who work on DOD systems can conduct their own independent security reviews, like the bug bounty. “This will help them make their code more secure from the start and before it’s installed on our systems,” Carter said at the event, according to FedScoop.
“When it comes to information and technology, the defense establishment usually relies on closed systems,” Carter said. “But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters.”
The Hack the Pentagon program also freed up DOD information security personnel to fix vulnerabilities instead of hunting for them, FedScoop notes. “By allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyberspecialists to spend time fixing them,” Carter said. “The pilot showed us one way to streamline what we do to defend our networks and correct vulnerabilities more quickly.”
A New Security Model
Overall, the program cost the DOD around $150,000. “It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” Carter said.
Carter said the program is a cost-effective way to supplement and support federal employees who defend the government’s computer networks. The Defense Digital Service works on protecting classified systems, and some team members do so by looking for vulnerabilities.
At the event, Carter said there needs to be a clear way for ethical hackers and security researchers to report vulnerabilities in DOD networks and systems. As a result, the department is creating a central point of contact for researchers and technologists to point out flaws they discover.