US Debuts 'Hack the Pentagon' Bug Bounty

Announcing what it calls "the first cyber bug bounty program in the history of the federal government," the Department of Defense is inviting hackers to test the department’s cybersecurity profile.

The Hack the Pentagon initiative is a pilot program that will use commercial sector crowdsourcing to uncover vulnerabilities and probe around for flaws on the department’s public webpages. According to a list published by the Defense Department, it currently manages 488 websites, which are devoted to everything from the 111th Attack Wing and other military units to the Yellow Ribbon Reintegration Program.

Other networks, including the department’s critical, mission-facing systems will not be included in the project.

The move was welcomed by the security community. “The ‘Hack the Pentagon’ program is another example of Defense Secretary Ash Carter’s efforts to strengthen our national security by tapping the high-end talent capable of hunting cyber-threats,” said Dave Amsler, president of Raytheon Foreground Security, via email. “As cyber-attacks become more sophisticated and persistent, our defense, critical infrastructure and business organizations cannot sit and wait. Instead we must hunt. The Hack the Pentagon program is a step in the right direction to be more proactive in detecting and eradicating cyber threats.”

Unlike similar bug bounty programs at Google and elsewhere, participants here will be required to register and submit to a background check prior to any involvement with the initiative. Once vetted, these hackers will participate in a “controlled, limited-duration program” that will allow them to identify vulnerabilities on a predetermined department system. Participants could be eligible for monetary awards and other recognition. 

Some say this approach could hamstring the program. “In general, researcher talent is more expensive in the US, so limiting the program to US-based, background-checked researchers may present challenges or simply require more incentives to participate,” said Jonathan Cran, VP of operations at bug bounty specialist Bugcrowd, via email. “33% of Bugcrowd's researcher base is here in the US, and less than 10% of those submit to background checks.

The DoD said that this is just the first in a series of programs designed to test and find vulnerabilities in the department’s applications, website and networks.

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” said Secretary Carter. “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”

The “Hack the Pentagon” initiative is being led by the department’s Defense Digital Service (DDS), launched by Secretary Carter last November. The DDS, an arm of the White House’s dynamic cadre of technology experts at the US Digital Service, includes a small team of engineers and data experts meant to improve the department’s technological agility.  

 “Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country,” said DDS Director Chris Lynch.

The pilot program will launch in April and the department will provide more details on requirements for participation and other ground rules in the coming weeks, it said.

Overall, it's a step in the right direction, Cran said. “This program will significantly further two of the first strategic goals announced by DoD last year: Build and maintain ready forces and capabilities to conduct cyberspace operations; and defend the DoD information network, secure DoD data, and mitigate risks to DoD missions,” he said. “The announcement leaves a lot of questions about the scope of the program, and the research community looks forward to more details.”

Photo © Frontpage

What’s Hot on Infosecurity Magazine?