WASHINGTON — The Defense Department is launching a pilot program in April to allow vetted computer security specialists to do their best to hack DoD public web pages, Pentagon Press Secretary Peter Cook said today.
“Hack the Pentagon” is the first cyber bug bounty program in the history of the federal government, Cook said in a statement issued today.
Bug bounty programs are offers by software developers and company websites to reward people who report bugs related to vulnerabilities or hacking exploits.
Jarrett Ridlinghafer, at the time a technical support engineer for Netscape, created the first “bugs bounty” program in 1995, according to the entrepreneur’s website.
Today bugsheet.com has a directory of 369 such programs offered by everyone from Adobe and Amazon to Twitter and Sony.
“We can’t hire every great ‘white hat’ hacker to come in and help us,” a senior defense official said today on a media call, “but [Hack the Pentagon] allows us to use their skill sets, their expertise, to help us build better more secure products and make the country more secure.”
Cook said the department will use commercial-sector crowdsourcing to allow qualified participants to conduct vulnerability identification and analysis on the department’s public webpages.
“The bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products and digital services,” Cook said.
The pilot is the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites and networks, he added.
The Pentagon’s bug bounty participants will have to register and submit to a background check before being involved in the program.
Once vetted, Cook said, the hackers will participate in a controlled, limited-duration program during which they’ll be able to identify vulnerabilities on a predetermined department system.
“Other networks, including the department’s critical, mission-facing systems, will not be part of the bug bounty pilot,” he added, noting that bug bounty hunters could receive monetary awards and other recognition.
The program, Cook said, shows Defense Secretary Ash Carter’s commitment to driving the Pentagon to identify new ways to improve the department’s cybersecurity.
Enhancing National Security
Carter said he’s confident the initiative will strengthen DoD’s digital defenses and ultimately enhance national security.
The department’s Defense Digital Service, launched by Carter last November, is leading Hack the Pentagon.
Cook said the DDS is an arm of the White House’s cadre of technology experts at the U.S. Digital Service and includes a small team of engineers and data experts meant to improve DoD’s technological agility.
“Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country,” DDS director and technology entrepreneur Chris Lynch said.
Hack the Pentagon, Cook said, “is consistent with the administration’s Cyber National Action Plan announced on Feb. 9 that prioritizes near-term actions to improve our cyber defenses and codifies a long-term strategy to enhance cybersecurity across the U.S. government.”
The pilot program will launch in April and the department will provide more details on requirements for participation and other ground rules in the coming weeks, he said.
A live asset will be chosen as the target for the hackers, the senior defense official said, but one that is under constant attack and has no personally identifiable or mission-critical information.
“We are going to be bringing in a very broad program where over time we can look at multiple assets that we would like to have the bounty run against, but for now … we’re going to introduce a program where people have to register, they’re going to be vetted and there will be obvious things like they’re not going to be on terrorist watch lists,” he said.
The official added, “We see this growing into something that we can use as a broader tool to help make our systems and our services more secure, not only for the Department of Defense but across the federal government.”