The US Department of Defense (DoD) on Wednesday announced “Hack the Pentagon”: a program it says will be the first cyber bug bounty program in the history of the federal government.
Just like similar programs in the private sector, the government is inviting hackers to test its network and website security.
What it’s NOT doing: throwing open the doors to turn the nation’s digital infrastructure into the devil’s playground.
The Feds are only inviting vetted vulnerability testers, and those testers aren’t going to be poking holes in mission-critical systems.
The DoD says it’s using “commercial sector crowdsourcing” to find “qualified participants” to conduct vulnerability identification and analysis on the department’s public webpages.
This is the first in what the department says will be a series of programs that will also seek out holes in the department’s applications and networks.
Hack the Pentagon participants will have to register and submit to a background check in order to participate.
After that, they’ll participate in what the DoD says will be a “controlled, limited duration program” that will focus on a predetermined department system.
Just like programs run by tech companies, this one could entail “monetary awards and other recognition,” the DoD says.
It’s “thinking outside the five-sided box,” says Secretary of Defense Ash Carter:
I am always challenging our people to think outside the five-sided box that is the Pentagon.
Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.
Lord knows those digital defenses need it: they’ve proved about as strong as wet tissue paper recently.
In July 2014, the Office of Personnel Management (OPM) revealed that the private information of more than 20 million current and former government workers – including Department of Homeland Security employees – had been stolen in a massive security breach.
A year later, in June 2015, stolen government login credentials were found scattered all over the web, possibly leading to exposure of logins for 47 agencies spread across 89 domains.
A February 2015 report from the Office of Management and Budget (OMB) to Congress found that 12 of those agencies allowed some level of access to their networks without the additional security afforded by two-factor authentication (2FA).
Analysis of the OPM breach has suggested that government employee data, which included taxpayer IDs, were left particularly vulnerable by the lack of both 2FA and encryption.
But the OPM breach was just the tip of the iceberg.
Attackers breached the unclassified email system at the State Department, accessed the secure email communications of President Obama, and compromised the email system of the Joint Chiefs: the highest-ranking US military officers.
Another US Senate report came to a conclusion that shouldn’t shock anyone: the government’s cybersecurity is shockingly bad.
It found that even computer systems at the DHS, an agency with significant cybersecurity responsibilities, have “hundreds of vulnerabilities” due to out-of-date software.
There’s clearly a lot of cybersecurity work to be done, with the Hack the Pentagon program being just the most recent in a series of attempts to tackle it.
In November, the White House unveiled a new plan to improve cybersecurity.
The DoD also plans to hire private contractors to develop a $600 million-plus computer system for a new background check agency, as Reuters reported last week.
The DoD’s Defense Digital Service (DDS) – a small team of engineers and data experts that Carter launched in November – is leading Hack the Pentagon.
The DoD says that the initiative is consistent with the administration’s Cyber National Action Plan, announced on 9 February.
The Hack the Pentagon pilot program will launch in April. The DoD says to stay tuned: participation details and other ground rules will be coming over the next few weeks.