The Pentagon is opening a new front in its war on flaws and bugs in its websites. Over the weekend, about 100 hackers from around the world went to town on the Marine Corps’ public-facing sites, finding more than 75 security vulnerabilities in just a few hours, the Defense Digital Service announced on Monday.
It’s the latest hack-the-military bug-bounty program, the brainchild of DDS director Chris Lynch. The first one, Hack the Pentagon, launched in 2016, found 138 bugs. Then came Hack the Army, which found more than 118; Hack the Air Force, versions one and two, found 315 collectively, and this year’s Hack the Defense Travel System, which found more than 100. DDS is working with San Francisco-based bug-bounty company HackerOne on the programs.
The hack-the-Pentagon efforts are helping to fix non-sensitive Defense Department sites. It was a push to get the Pentagon to experiment with the concept at all, Lynch told Defense One on the sidelines of the DEFCON hacker conference here. Lynch says he is still struggling with aspects of Pentagon acquisition that are too weighted toward established players at the expense of innovation and the timely fixing of problems.
“The old-school approach was, we would have this really large vendor and they would sell you some terrible piece of software—probably—and they would say, ‘This is 100 percent going to do the job of securing your networks, certifications, and systems and it’s all going to be great. Perfect.’…That doesn’t really work. You need a broader community.”
Just by telling the world that the Defense Department was open to tips, DDS officials received reports that they wouldn’t otherwise have gotten. Lynch said they also learned how hard it is for outsiders to report problems to the Defense Department related to public websites.
He recounted one of the more interesting experiences he had reaching out to the larger hacker community. “Someone in a foreign country, I can’t remember where they were, sent us an email with a vulnerability that they knew about. They said, ‘I don’t even know how to report a [website] vulnerability to the DoD’” he said. This was before the DDS began working the issue, according to a spokesperson. ”There was no way to just say ‘Hey, I saw something. I’m just going to report it.’ I think that’s crazy. It was a big wakeup call. This person was scared to report to the DoD. I say, let me know. I want to know.” It’s now easier and there is an established process for disclosing those, according to DDS.