Pentagon sees white hat hackers as low-cost penetration testers

Last week, the Defense Department announced it would be launching the federal government’s first-ever “bug bounty,” banking on the idea that there’s a nascent community of white hat hackers that’s been itching to help the Pentagon with its cybersecurity challenges but hasn’t been able to until now.

In the first go-round of the Hack the Pentagon challenge, officials will ask pre-registered security experts to attempt to infiltrate one of DoD’s public websites and report back on any vulnerabilities they find in exchange for cash prizes. But a senior Defense official, who outlined some aspects of the program for reporters on condition of anonymity, said DoD wants to expand the same concept to effectively crowdsource the process of penetration testing for myriad other Defense systems.

“We see this growing into something that we can use as a much bigger tool to help make our systems more secure, not only for the Department of Defense but for the broader federal government. Because of that, we need to test this approach on a live system,” the official said, adding that DoD sees the effort as part of Secretary Ash Carter’s Force of the Future Initiative.


“There are a lot of people that want to help us with cybersecurity but don’t work for DoD, and we hear from them all the time. Now the good guys can actually help, and this is a far cheaper way for us to do security and penetration testing than anything we’ve done before in the Department of Defense, plus we’ll get the scale of a very large pool of experts and researchers that we traditionally wouldn’t have access to.”

The size of the bounty won’t be announced for another several weeks. The Pentagon is only saying, for now, that the prize pool will be modeled on similar competitions in the private sector.

“Usually how it works is when researchers find a vulnerability, the severity of that vulnerability has an impact on the size of the award that they’d get,” the official said.

Most details about the nuts and bolts of how the program will work also remain undisclosed, including which system the department has chosen for hackers to hammer away at during the initial pilot. The Pentagon said it would be a website that is already highly hardened because it is subject to constant attack, and that it is not connected to databases that contain classified or personally identifiable information.

Because of that, officials see little risk that the competition will turn whatever site is chosen into a new target for nation states or criminals.

“Our systems are attacked every day by bad guys. They’re not sitting there and saying, ‘Oh wow, I’ve been waiting for the Department of Defense to offer a bug bounty.’ They’re not waiting, they’re doing it right now,” the official said.

Nonetheless, any “white hat” security experts who decide to take part will need to submit to background checks before they are allowed to participate, and will have to agree to follow pre-defined “rules of engagement” in order to be eligible for bounties and to gain immunity from the risk of criminal prosecution that usually accompanies any attempt to penetrate government IT systems.
