As the Defense Department turns to crowdsourcing to help protect its information networks, Silicon Valley is in a position to revolutionize the way the Pentagon promotes cybersecurity.
The Defense Department recently established a vulnerability disclosure program with the assistance of HackerOne, a Silicon Valley-based cybersecurity firm that manages “white hat” hacking initiatives for private sector companies and other organizations.
The program created a legal framework and mechanisms for friendly hackers outside of the department to volunteer their time and find vulnerabilities in Pentagon IT systems.
HackerOne provides the platform for taking an external vulnerability report and tracking it all the way down to remediation, Alex Rice, the company’s chief technology officer, said in an interview with National Defense.
“It’s really a ‘see something, say something’ policy that is very common in Silicon Valley companies,” he said, noting that the Pentagon was the first national defense agency to adopt a similar approach.
By encouraging friendly hackers to probe for and identify vulnerabilities, defense officials hope to better secure U.S. military networks from intrusions.
“If there’s a vulnerability there we want to know about it. We want to know about it before the adversary knows about it,” said Lisa Wiswell, the digital security lead at the Pentagon’s Defense Digital Service. “When you’ve got folks that are willing to help we … [need to use them] to the best of our ability.”
Embracing the Silicon Valley crowdsourcing model required a change in mindset for a defense establishment that previously viewed all hackers warily, she noted at a CyberCon gathering of government and industry officials in Washington, D.C.
“The cultural shift that has started to happen within the department is pretty impressive,” she said. “Having folks understand that the same kind of communities that we’ve sort of demonized for a long time … are now sort of our friends and we want to benefit from skill sets no matter where they come from, is a tremendously different approach than what we’ve done in the past.”
Although participants in the vulnerability disclosure program typically won’t receive any financial reward for their efforts, success can still be a career booster, Rice said. The Defense Department created an acknowledgment page to recognize outside cyber experts who help identify and remediate vulnerabilities, he noted.
“There is value in getting an official thanks from the DoD,” he said. “It’s certainly a compelling thing for security professionals to put on their resume.”
But the Pentagon isn’t going to simply rely on those who are willing to donate their time and expertise. Working with partners in Silicon Valley, the Defense Department is establishing so-called “bug bounty” programs that pay successful hackers for each vulnerability that they discover in designated systems.
“When you start to provide them [financial] incentives their ability to invest even more time and go deeper … starts to produce really incredible results, and those are where bug bounty programs come into play,” said Rice, who previously led vulnerability disclosure and bug bounty programs at Facebook.
Last spring, the Defense Digital Service teamed with HackerOne to create Hack the Pentagon, a pilot project to test out the bug bounty concept. About 1,400 hackers were invited to participate in the challenge. During the 24-day competition, 138 previously undisclosed vulnerabilities were identified and remedied on the Defense Media Activity’s public web properties. The initiative cost $150,000, about half of which was paid out as bounties to successful hackers.
The return on investment “that we saw from this was potentially exponential,” Wiswell said.
Paying a traditional contractor to do an audit and vulnerability assessment along these lines would have cost the Pentagon more than $1 million, Secretary of Defense Ashton Carter said when the results were announced.
Wiswell said the crowdsourcing method provides more bang for the buck. “You only pay for what you get instead of paying an infosec firm … to tell you about where your vulnerabilities are for X number” of work hours, she said. “The cost savings is really, really enormous.”
To help expand the bug bounty model across the Pentagon, the Defense Department has awarded contracts to HackerOne and Synack, another Silicon Valley-based cybersecurity firm that manages crowdsourcing projects.
Both companies have experience overseeing bug bounties for large firms in a variety of industries including technology, health care, finance, oil and gas, and critical infrastructure.
“We can apply this to just about any vertical,” said Mark Kuhr, the chief technology officer at Synack.
For Pentagon-sponsored bug bounties, HackerOne will focus primarily on public-facing systems while Synack deals with more sensitive ones.
In the fall, HackerOne was tapped to manage the Hack the Army challenge to test the security of IT systems that the service uses to recruit soldiers. Up to 500 hackers, also known as “researchers,” were allowed to participate.
“That’s going against operational websites that are really of critical importance,” Wiswell said. “It’s something that anybody interested in joining the Army has to input their information into.”
To be eligible to participate in Pentagon-sponsored bug bounty contests, hackers must be U.S. citizens and pass a criminal background check. For projects involving sensitive systems, Synack has a more intense vetting process to thwart malicious actors.
Federal civilian contractors and active duty military personnel were allowed to take part in Hack the Army. Opening these types of competitions to them provides a valuable training ground for cybersecurity professionals all across the government to further practice and hone their skills, Rice noted.
The first iteration of the Army challenge recently concluded. Rice said he would wait for the service to release the results before discussing them in detail.
In the meantime, Pentagon officials have been evaluating additional systems that could benefit
from the crowdsourcing model, Wiswell said.
Hack the Army is one of at least 20 challenges that HackerOne expects to manage for the Defense Department, Rice noted. Neither the Air Force nor the Navy currently has plans for similar bug bounty programs, according to their spokespeople. But Rice anticipates that more Pentagon agencies will follow in the Army’s footsteps.
“The results from this program will be quite encouraging for other organizations who are looking to step up their cybersecurity maturity in a similar way,” he said. “I’m confident we’ll see some more components taking advantage of this contract for these services.”
Kuhr said Synack was actively working with the Defense Department to set up the initial engagement under its contract, and it would be kicking off soon.
The company specializes in “hard targets,” he noted. He declined to provide details about the sensitive Pentagon systems slated to be tested. “I can say that they are mission critical systems that are used every day globally by the military to accomplish their very important mission,” said Kuhr, who previously worked for the National Security Agency where he conducted cyber operations.
Wiswell said: “DoD is primarily focused on the security of really important, really dynamic networks and systems, and those are the kinds of things that we’re really hopeful that Synack will provide us some institutionalized, consistent testing of.”
HackerOne and Synack use somewhat different payment models. Of the bounty that’s paid to the hackers that HackerOne oversees, the company charges its customers a 20 percent fee and handles all the of the screening, processing and reward disbursement, Rice said.
Synack charges one fixed fee for each challenge that it organizes, Kuhr said.
“We manage all of the payments on the back end and absorb risk if we have to pay out a lot of vulnerabilities for a customer’s application or network or whatever we’re testing.
“That is a much better model for larger companies and governments because … if you’re paying on a per-vulnerability basis and you can’t predict the number of vulnerabilities, you have an unpredictable budget,” he added.
The bug bounty model offers other significant advantages for Synack’s customers, he noted.
“When you bring out a consultant for a penetration test engagement, you pay them on a time and materials basis,” Kuhr said. “Is he necessarily incentivized to find anything? No, because he’s getting paid regardless. He’s getting paid his hourly rate whether he finds 10 vulnerabilities or finds five. Our model is more incentive-driven and allows us to be very effective.”
Synack’s approach would similarly benefit the Pentagon, he argued.
“It’s frankly lower cost than what they’re paying some of the traditional defense contractors to do, and you’re getting a lot more eyes and a lot more diversity of talent to inspect these systems,” he said. “There’s no question that you’re going to get your money’s worth in this type of model.”
Because so many experts can participate in bug bounty programs, Wiswell said the HackerOne and Synack frameworks represent “a really enormous leap forward” for the Defense Department as force multipliers.
The Pentagon isn’t just interested in using these initiatives to probe its websites and networks. The Defense Department also developed its contract with Synack with devices in mind, Wiswell said.
“If it’s hackable, we want the crowd to actually help us understand how it’s hackable,” she said. “We can then go back to the firms [to make fixes] or we can make better decisions about going and actually purchasing things from different supply chains.”
Kuhr said there are opportunities to apply Synack’s model earlier in the acquisition process.
“When you’re deploying a new system … it would be great to have a security assessment done in this type of manner with a highly skilled community before we … put it on the network,” he said. “The goal is that we find these issues ahead of them actually being on the networks and actively exposed to potential adversaries.”
Going forward, the Pentagon will include incentives in its acquisition guidance and policies for contractors to take advantage of innovative approaches to cybersecurity. In some cases, defense officials would encourage contractors to make their technologies available for independent security reviews and bug bounties before they deliver them, Carter said.
While the Pentagon has faced difficulties recruiting and retaining cyber experts, HackerOne and Synack have experienced no such problems when it comes to bug bounty projects, company executives said.
“It really was a case of if you build it, they will come,” Rice said. “The fact that these organizations offer a safe space in which security professionals can test their skills, can challenge themselves and potentially earn some incentives on top of it has led to a large number of these professionals coming forward to participate in these programs.”
The crowdsourcing model offers flexibility for hackers and it doesn’t require them to work on bug bounties full time, Kuhr noted. “You can do it in addition to your day job and … participate in very interesting projects that you really can’t do legally elsewhere in the world.”
Prizes vary but they can add up to a handsome sum. Some hackers that work with Synack earn hundreds of thousands of dollars every year. In the past, the company has paid out as much as $25,000 for discovering a single vulnerability, Kuhr said.
“Some of these guys … have amazing capabilities, and we’ve been continuously impressed with their ability to find very unique exploitation paths on systems that are quite hardened by very mature organizations,” he said.
Silicon Valley executives see opportunities for business expansion with the Defense Department and other federal agencies as bug bounty programs yield positive results. And they could potentially be in a position to edge out traditional contractors.
“For the Pentagon it’s a new model,” Kuhr said. “They’re testing the waters with a smaller contract, and if that goes really well I think you will see a lot of resources shift into that type of approach.
“The broader Pentagon has a lot of different systems that they’re trying to test simultaneously, and there frankly just aren’t enough people. So they need scalable models like ours,” he added. Photos: iStock