The Department of Defense recently announced that its “Hack the Pentagon” pilot program that invited hackers to find cybersecurity vulnerabilities was successful and the DoD will continue pursuing similar initiatives, even as reports emerge that the Islamic State group has obtained information on more than 70 US and NATO air force bases.
Hack the Pentagon was a program launched in April that allowed and paid “vetted computer security specialists,” (including, as a later DoD report noted, more than 1,400 hackers as young as 18 years old) to legally attempt to find weaknesses in five publicly accessible Defense Department websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net, and dimoc.mil. Over 1,000 reports came back, and 138 weaknesses found were deemed critical vulnerabilities eligible for payouts.
Part of the reason the pilot program was considered successful was that it cost only $150,000, with the hackers themselves receiving about half of the total.
“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” Defense Secretary Ash Carter said, according to the Pentagon.
The Defense Department now says it believes that further “bug bounty” programs like Hack the Pentagon will be useful not only for addressing weaknesses in its publicly facing websites, but other security concerns as well. To that end, it has announced that it will change its policies to allow anyone with knowledge of a vulnerability to disclose it without fear of prosecution, and bug bounty programs will be implemented in other areas of security concern to the DoD.
“Lastly,” according to the announcement, “we’ll include incentives in our acquisition policies and guidance so that contractors practice greater transparency and open their own systems for testing – especially DoD source code.”
While the Pentagon may see cost-effectiveness and a new pool of labor in opening its cyber security methods to scrutiny by “vetted computer security specialists,” it is also clear that not all of those who have breached DoD’s cyber defenses are the so-called “ethical hackers” the Pentagon is seeking.
CNN recently reported that, according to the South Korean National Intelligence Service (NIS), hackers affiliated with ISIS have successfully obtained information on 77 US and NATO air force facilities, and the terrorist group is calling on followers to attack them.
“The NIS says ISIS’ hacking organization, the United Cyber Caliphate, collected details of U.S. air force units in South Korea including Osan Air Base, and addresses and Google satellite maps have been released through the Telegram messaging service,” according to CNN.
If the Pentagon hopes to ensure cyber security by allowing greater access to things like its source code for cyber defenses, it certainly seems it would be wise not to cut any corners – in terms of vetting hackers or anything else – although it is not as clear that the Pentagon has plans in place to prevent unintended blowback from such “bug bounty” programs.
As Carter emphasized, one of the major advantages the DoD sees to this approach is its cost-effectiveness. Of the roughly $75,000 paid out to hackers through Hack the Pentagon, one person reportedly received $15,000 for finding multiple vulnerabilities. Others, though, worked for smaller sums. Payouts for detected vulnerabilities reportedly started at about $100, while those who attempted to hack the Pentagon but could locate no weaknesses functioned essentially as unpaid interns in the service of national security.
18-year-old David Dworken, who just graduated from high school last week and was quoted in a DoD report on Hack the Pentagon, reportedly found six vulnerabilities, although he was paid nothing because other hackers located the same weaknesses.
Still, Dworken, who at 18 hopes to pursue a computer science degree and a cybersecurity career, seemed to think that being given legal authority to look for security vulnerabilities in DoD websites was reward enough in itself.
“Even without a bounty, these things are still, personally for me, incredibly rewarding,” Dworken reportedly said. “There is the greater-good aspect of it, especially when working with the federal government for something I obviously care deeply about.”
Despite his hacking work for the government apparently being unworthy of any monetary compensation, Dworken reportedly received personal praise from Defense Secretary Carter, who also spoke to the DoD’s evolving understanding of cyber security.
“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks,” Carter reportedly said, “what we didn’t fully appreciate before this pilot was how many white hat hackers there are who want to make a difference.”
The Pentagon will presumably be keeping its fingers crossed that the thousands of hackers it allows to attempt to breach its cybersecurity, including unpaid teenagers, don’t ever decide to switch hats.