The Pentagon last week made contract awards in its promised expansion of the federal government’s first-ever bug bounty — the “Hack the Pentagon” challenge, which wound up finding and closing 138 separate cybersecurity vulnerabilities in DoD’s public-facing websites earlier this year.
The new contracts — $3 million to HackerOne and $4 million to Synack — will fund roughly 14 more such challenges in which “white hat” hackers earn payments for discovering security flaws. Each company won a single-award indefinite-delivery/indefinite-quantity contract, and the Pentagon is inviting individual military services and agencies to submit their own systems to crowdsourced vulnerability testing; individual projects will be awarded as task orders under the ID/IQs.
Importantly though, the award to Synack is specifically meant to test the bug bounty concept against systems that are much more sensitive than public web portals. For the first task order, worth $350,000, DoD is asking the firm to pit the experienced security researchers it recruits against a half-million lines of sensitive source code developed by one of its contractors, plus one live application that’s only accessible via a military intranet.
“The contractor will be required to maintain a private community of skilled and trusted researchers, diverse in skillset, and able to conduct both deep binary hacking, web-based attacks, reverse engineering, and network and system exploitation,” the department wrote in a performance work statement. “The challenge phase itself will last three weeks, and the total period of performance of the task order will not exceed four months.”
In the first bug bounty, DoD invited essentially anyone to participate, provided they could pass a basic background check. Winners ranged from high school students to experienced white-hat hackers with hundreds of bounties under their belts.
The new functional area DoD is opening up under the second ID/IQ, the one awarded to Synack, will use a significantly more closed ecosystem, said Jay Kaplan, the company’s CEO and co-founder.
“We have more of a hyper-vetted community of security researchers,” he said in an interview. “We assess them from a skills standpoint and from a trust perspective. On the skills side, we want to make sure they’re not going to be taking down any critical systems or causing any degradation in performance, and on the trust side we’re really making sure that everyone we’re working with is a known identity. We also use more of a private model — everything our researchers are doing is routed through our infrastructure, so it gives us control and an audit trail if we ever need to go back and do any verification of any of their activities.”
The company doesn’t disclose its client list, but says it includes more than 100 Fortune 500 companies.
According to federal spending records, the Internal Revenue Service is examining a similar bug bounty for sensitive government systems: It awarded Synack $2 million on Sept. 15 for “Black-box penetration testing by annual subscription using ethical hackers or researchers with no knowledge of IRS systems,” but Kaplan declined to discuss details of the contract without the agency’s consent.
The Defense Department already has what’s likely the world’s largest cybersecurity workforce in its direct employ, ranging from the National Security Agency’s information assurance directorate to the 133 cyber mission teams U.S. Cyber Command is building — the vast majority of which are focused on defending DoD systems, not on offense.
Given that fact, it’s worth asking why DoD wants to spend additional funds to recruit outside experts when it already has legions of people conducting penetration tests against its systems every day.
Kaplan, a former NSA employee who left to start his own company, said the answer is fairly straightforward. The government has boatloads of expertise at its disposal, but its processes don’t easily lend themselves to applying those skills to finding and fixing problems quickly.
“There are way too many things touching the internet, and the old way of doing things is to bring in a couple of resources, run through a project where we identify vulnerabilities, submit a report, and then move onto the next project,” he said. “You’re very limited by the skillset of those couple of individuals who are looking at a particular asset during that two-week period while they were actually looking at it. When you can incentivize people on more of a success basis, they’re hyper-motivated to find the problems.”
That’s because participants are paid more for harder-to-find cyber vulnerabilities. Bounties have ranged from a few hundred dollars to $25,000.
“Rather than trying to get to the end of their one-week engagement on a particular system, they’re going to keep looking and look outside the box to come up with creative attacks in the same way an attacker would,” Kaplan said. “That’s something I think [government employees] just lose sight of when their job is to look at system after system and write up vulnerability assessments over and over again day after day.”