Army takes page from DoD with hacker contest

As the Defense Department is ramping up its white-hat hacking contest to find vulnerabilities in its cyber systems, the nation’s largest military service is joining in on the games.

Last week the Army announced its Hack the Army program, a call to cyber sleuths to break into sanctioned Army networks to expose cyber weaknesses.

“The Army is reaching out directly to a group of technologists and researchers who trained in figuring out how to break into computer networks they are not supposed to, people we might normally have avoided,” said Army Secretary Eric Fanning, during a Nov. 11 speech in Austin, Texas. “We are not just meeting them face-to-face, we are challenging them. This is what’s valuable to us, take your best shot, bring it on.”

The program is hosted by HackerOne, a vulnerability coordination and bug bounty platform.

Advertisement

The Army will allow hackers to legally infiltrate recruiting and personnel systems.

“Each of these sites is essential to our day-to-day recruiting mission. … Hack the Army will be composed of dynamic content and mission critical websites that we rely on to recruit the best fighting forces in the country. These assets have deep ties to the Army’s core operations,” Fanning said.

The program will allow military personnel and government civilians to take part in the hacking.

The Army’s initiative is based off DoD’s Hack the Pentagon challenge announced in March.

In the first go-round of the Hack the Pentagon challenge, officials asked pre-registered security experts to attempt to infiltrate one of DoD’s public websites and report back on any vulnerabilities they found in exchange for cash prizes.

The first vulnerability report arrived 7 minutes after the contest started, and 1,410 pro and amateur hackers from 44 states wound up making 1,189 reports of security problems during the three-week pilot in late April and early May (though many of those reports were duplicates of the same vulnerabilities).

The bug bounty helped DoD resolve 138 vulnerabilities over 24 days.

Defense Secretary Ash Carter lauded the program as a cheaper way to assess Pentagon cybersecurity. The pilot cost $150,000.

“That’s not a small sum, but if we’d gone through the process of hiring an outside firm to do a security audit and vulnerability assessment — what we usually do — it would have cost us more than $1 million,” Carter said. “Also, by allowing outside researchers to find vulnerabilities on several sites and subdomains all at once, we freed up our own cyber specialists to spend more time fixing them.”

The Pentagon awarded $3 million to HackerOne and $4 million to Synack in October to fund 14 more challenges.

Each company won single-award indefinite-delivery/indefinite quantity contracts.  The award to Synack is specifically meant to test the bug bounty concept against systems that are much more sensitive than public web portals. For the first task order, worth $350,000, DoD is asking the firm to pit the experienced security researchers it recruits against a half-million lines of sensitive source code developed by one of its contractors, plus one live application that’s only accessible via a military intranet.