Pentagon Launches First-of-Its-Kind Bug Bounty Program
The idea is to find and fix vulnerabilities before the bad guys do. Certain restrictions apply.
Challenged by hackers and staffing shortages, the Pentagon is inviting plainclothes techies to a competition where they can poke around military code for security bugs. The idea is to find and fix vulnerabilities inadvertently introduced into software before the bad guys do.
The contest draws inspiration from “bug bounty” programs in the private sector open to hobbyists and professional penetration testers. Microsoft, for instance, offers a reward of up to $100,000 for attacking its software. General Motors earlier this year launched a car-hacking program that seeks glitch reports but doesn’t yet pay for them.
The military’s new “Hack the Pentagon” program, unveiled Wednesday, potentially could offer cash prizes, according to a Defense Department announcement. Perhaps some of those bucks could come from the nearly $7 billion Pentagon Secretary Ash Carter expects to spend on cybersecurity in 2017.
Only citizens willing to undergo a background check will be allowed to scour Pentagon computer programs for security vulnerabilities, according to Defense. Participants will not be angling for bugs in the F-35, but rather scrutinizing weaknesses in Defense webpages. The venture marks the first U.S. government foray into bug hacking, the department says.
The “controlled, limited duration” trial will provide screened hackers access to a pre-selected system, according to the Pentagon. No national security applications or other critical, “mission-facing” systems will be tested.
It is unclear what the screening process will entail or whether participation will be contingent on drug testing. Defense officials said details on eligibility rules will be out in coming weeks.
Background Checks Required
Background check requirements have stopped some cyber professionals from applying for government jobs, including FBI positions, Justice Department Inspector General Michael Horowitz wrote in a Nov. 10, 2015 memo to the attorney general on the bureau’s management challenges. FBI employees are barred from having used marijuana in the last three years or any other illegal drug in the past 10 years.
After Colorado and Washington State legalized recreational marijuana, James Clapper, director of national intelligence, sent a memorandum in October 2014 reminding agencies they “continue to be prohibited from granting or renewing a security clearance to an unlawful user of a controlled substance, which includes marijuana.”
HackerOne, a San Francisco-based firm that coordinates bug bounties for 500 organizations, said drug-use restrictions shouldn’t have a significant effect on the outcome of the Pentagon’s endeavor.
Many of its clients have other types of eligibility regulations, such as bans on contestants from Syria and Iran, or limiting competition to a certain skill set like mobile security.
“As an experiment, it makes an incredible amount of sense to start with a constrained environment that you have a lot more confidence in,” said Alex Rice, a HackerOne co-founder who launched a bounty program at Facebook.
But “no question,” the military will be excluding some top-notch players from helping secure Defense systems because of the marijuana prohibitions.
The cultural disconnect between some creatives in the private sector and the military extends far beyond drug use, according to the Pentagon chief himself.
“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Carter said in a statement. “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”
Channeling Silicon Valley
“Hack the Pentagon” is one product of the Defense Digital Service, an office stood up last November that assigns 2-year IT gigs to Silicon Valley coders and other individuals outside the defense industrial base.
The Defense Digital Service will kick off the bug bounty program this April. The office is one arm of a governmentwide tech squad comprising teams of programmers and statisticians, called the U.S. Digital Service.
While the military’s contest might be the first federal bug bounty program announced, other agencies have been mulling public bug-finding initiatives, including the departments of Homeland Security and Commerce.
DHS officials are contemplating using a “micropurchasing authority” to compensate ethical hackers, according to FCW. The General Services Administration successfully cut through the red tape of federal hiring and contracting by using the funding instrument, which has a cap of $3,500, to compensate coders.
“We used it for code,” said Darryl Peek, a cybersecurity strategist in DHS’ Federal Network Resilience Division, of the micropurchasing authority. “Why can’t we use it for bounty?”