By Sandra I. Erwin
Defense Secretary Ash Carter announces the results of the "Hack the Pentagon" pilot program
In a tacit acknowledgement that conventional tactics no longer suffice, the Pentagon is crowdsourcing the cyber fight. The strategy to rely on white hat hackers and anonymous sleuths to detect vulnerabilities in networks has been embraced by the private sector, and the Pentagon is now following suit.
In a new “vulnerability disclosure policy” effective Nov. 21, the Defense Department is encouraging anyone who finds weak spots in defense networks to report them to the government without fear of being prosecuted.
The Pentagon for the first time is providing a legal avenue for security researchers to find and disclose vulnerabilities, said Charley Snyder, senior cyber policy adviser at the Defense Department. Secretary Ashton Carter championed this move after he saw the success of a bug bounty program known as “Hack the Pentagon.” The results of that program showed the value of crowdsourcing, Snyder said at a meeting with reporters.
In “Hack the Pentagon,” more than 1,400 “security researchers” signed up for the chance to win a monetary prize, based on how serious a vulnerability they were able to detect. Carter said in June he was encouraged by the results: 252 hackers uncovered weaknesses in networks, and 117 received payments ranging from $100 to $15,000. The Pentagon later fixed the newly found bugs.
The disclosure policy announced Nov. 21, officials predict, will motivate security researchers to report bugs as a matter of routine practice regardless of whether they are participating in a bounty program. “It is a commitment to security researchers to work in good faith,” said Snyder. “This reduces the legal uncertainty that has had a chilling effect.”
The Pentagon has many layers of cyber defenses in place — such as red teams, automated tools that scan sites and armies of contractors monitoring networks — but that is still not enough as cyber criminals and intruders continue to sharpen their tactics. “When you open it to the crowd you get people who come at this with different perspectives,” said Snyder.
To manage cybersecurity crowdsourcing, the Pentagon has enlisted Silicon Valley technology firms HackerOne and Synack. Both have received a huge influx of funding from venture capitalists as crowdsourcing cyber efforts increasingly take hold in many industries. HackerOne was started by former security experts from Facebook, Microsoft and Google. The crowdsourcing of Defense Department public sites is handled by HackerOne, and Synack manages the more sensitive assets.
The Pentagon’s vulnerability disclosure policy was given the green light by the Department of Justice’s criminal division. Assistant Attorney General Leslie Caldwell called it a “laudable way to help computer security researchers use their skills in an effective, beneficial and lawful manner to reduce security vulnerabilities.”
Beyond the legalities, the idea that people will be able to anonymously report bugs and not have to fear prosecution marks a “big change in attitude” at the Defense Department, said Chris Lynch, director of the Defense Digital Service, another Carter initiative. The DDS, in place since November 2015, is an offshoot of the White House’s U.S. Digital Service — a team of IT experts brought in to inject private-sector ideas and thinking into the government.
The crowdsourcing push in cybersecurity is driven by necessity, as agencies face growing threats, Lynch told reporters. “How can we use the best and brightest in industry to work with us?” he asked.
The next big test starts Nov. 21 when a new bounty program, “Hack the Army,” gets under way. This one will set a higher bar than “Hack the Pentagon,” Lynch said. “We were criticized,” he noted, because “Hack the Pentagon” was restricted to public websites in defense.gov. The Army challenge ups the ante as it is asking hackers to find weaknesses in recruiting sites that store sensitive personal identity data of every recruit. “This is a very critical system,” Lynch said. The data in these sites are not public, but hidden behind firewalls.
The Army is trying to prevent the type of breach that compromised the personal data of millions of federal employees and contractors when hackers penetrated the database of the Office of Personnel Management.
Lisa Wiswell, bureaucracy hacker at the Defense Digital Service, oversees the bug bounty programs. She said “Hack the Army” is the first service-specific challenge. The recruiting websites are “crucial assets,” she said. “‘Hack the Pentagon’ gave us confidence that we could do this against more ‘interesting assets.’”
Government employees, if authorized by their supervisors, will be allowed to participate, although they will not be paid any bounties, said Wiswell. At a time when federal agencies are looking to plug holes in their networks and beef up their cybersecurity skills base, “this provides real-world free training.”
Photo: Defense Dept.