DoD enlists hackers to expose cyber vulnerabilities

Hackers are a known threat to government cyber infrastructure. Government agencies have been the target of numerous breaches, including the devastating Office of Personnel Management hack where the data of 21 million individuals was stolen, including Social Security numbers and 5.6 million fingerprints. But what happens when you invite actual cyber attackers to uncover weaknesses in data security systems?

The Computer Fraud and Abuse Act dictates that infiltrating protected information systems, even to expose vulnerabilities, is illegal. Cybersecurity experts have long disapproved of the government’s stance, which doesn’t allow hackers-for-hire to infiltrate agency systems and disclose weaknesses. Experts believe that not enlisting individuals with hacking talents makes organizations less secure.

The White House launched the DoD’s Defense Digital Services (DDS) group to address the US Digital Service. The DDS, along with the Office of the Secretary of Defense cyber policy group, under the then Defense Secretary Ash Carter, created the “Hack the Pentagon” program, where independent hackers can come in, break into different agency systems, find bugs, and report them.

Although the DoD conducts its own internal penetration testing and vulnerability assessments, “Hack the Pentagon” is unique in that the federal government normally does not go outside its constraints to seek support from the private sector. The DoD has labeled “Hack the Pentagon” as “the first cyber bug bounty program in the history of the federal government.”

The program, which has been ongoing for the past 18 months, offers cash rewards. The agency gave assurances that hackers can target only preselected systems that are not part of its critical operations.

How Hack the Pentagon works

Preselected cybersecurity researchers tracked down vulnerabilities in a set of public-facing DoD websites over the course of 24 days. The department:

  • Resolved 138 unique vulnerabilities
  • Awarded tens of thousands of dollars to 58 hackers
  • Presented a $15,000 payout to one hacker who reported a significant number of bugs

The DDS launched two additional hack-a-thons in the ensuing months:

Hack-a-thon name      Bugs identified   Total payout (approximate)
Hack the Army         100               $100,000
Hack the Air Force    207               $130,000


After hack-a-thon success, government opens up to more bug bounties

The initial contest concluded and people continued to submit bugs. The DoD then issued the Vulnerabilities Disclosure Policy, which legally allows people to submit bugs related to DoD-owned public-facing websites and apps. There is no reward, but 650 people have already identified 3,000 valid vulnerabilities. There are more bug bounty events in the pipeline:

  • The DoD has hosted private bug bounties through penetration testing organization Synack
  • The General Services Administration and the Department of Homeland Security are looking to host their own bug bounties
  • Lieutenant General Edward Cardon aims to hold one hack-a-thon per quarter to diversify the public-facing websites
