
“Hack the Pentagon” bug bounty program announced

First, we vet you, the US says. Then, keep your hands where we can see them. Now we're just like the cool tech companies!

The US Department of Defense (DoD) on Wednesday announced “Hack the Pentagon”: a program it says will be the first cyber bug bounty program in the history of the federal government.

Just like similar programs in the private sector, the government is inviting hackers to test its network and website security.

What it’s NOT doing: throwing open the doors to turn the nation’s digital infrastructure into the devil’s playground.

The Feds are only inviting vetted vulnerability testers, and those testers aren’t going to be poking holes in mission-critical systems.

The DoD says it’s using “commercial sector crowdsourcing” to find “qualified participants” to conduct vulnerability identification and analysis on the department’s public webpages.

This is the first in what the department says will be a series of programs that will also seek out holes in the department’s applications and networks.

Hack the Pentagon participants will have to register and submit to a background check in order to participate.

After that, they’ll participate in what the DoD says will be a “controlled, limited duration program” that will focus on a predetermined department system.

Just like programs run by tech companies, this one could entail “monetary awards and other recognition,” the DoD says.

It’s “thinking outside the five-sided box,” says Secretary of Defense Ash Carter:

I am always challenging our people to think outside the five-sided box that is the Pentagon.

Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.

Lord knows those digital defenses need it: they’ve proved about as strong as wet tissue paper recently.

In July 2014, the Office of Personnel Management (OPM) revealed that the private information of more than 20 million current and former government workers – including Department of Homeland Security employees – had been stolen in a massive security breach.

(The attack was blamed on China, perhaps the US’s biggest cyber-adversary).

A year later, in June 2015, stolen government login credentials were found scattered all over the web, possibly leading to exposure of logins for 47 agencies spread across 89 domains.

A February 2015 report from the Office of Management and Budget (OMB) to Congress found that 12 of those agencies allowed some level of access to their networks without the additional security afforded by two-factor authentication (2FA).

Analysis of the OPM breach has suggested that government employee data, which included taxpayer IDs, were left particularly vulnerable by the lack of both 2FA and encryption.

But the OPM breach was just the tip of the iceberg.

Last year saw breaches at government agencies from the US Postal Service to the IRS, and went all the way up to the White House.

Attackers breached the unclassified email system at the State Department, accessed the secure email communications of President Obama, and compromised the email system of the Joint Chiefs: the highest-ranking US military officers.

Another US Senate report came to a conclusion that shouldn’t shock anyone: the government’s cybersecurity is shockingly bad.

It found that even computer systems at the DHS, an agency with significant cybersecurity responsibilities, have “hundreds of vulnerabilities” due to out-of-date software.

There’s clearly a lot of cybersecurity work to be done, with the Hack the Pentagon program being just the most recent in a series of attempts to tackle it.

In November, the White House unveiled a new plan to improve cybersecurity.

The DoD also plans to hire private contractors to develop a $600 million-plus computer system for a new background check agency, as Reuters reported last week.

The DoD’s Defense Digital Service (DDS) – a small team of engineers and data experts that Carter launched in November – is leading Hack the Pentagon.

The DoD says that the initiative is consistent with the administration’s Cyber National Action Plan, announced on 9 February.

The Hack the Pentagon pilot program will launch in April. The DoD says to stay tuned: participation details and other ground rules will be coming over the next few weeks.

Image of The Pentagon courtesy of Shutterstock.com

3 Comments

Sounds reasonable. I wonder if they’ll allow social engineering attacks from participants as well. (“The General is giving you a direct order to open that firewall port!”)

Does a successful bounty hunter spend time in a luxury detention facility in Cuba for their efforts?

Either way, nice try, U.S. gov’t.

Now that they have brain damage and have lost their mind, they start asking how to put on a helmet. But they won’t take any action that costs less than $600 million, gotta have those kickbacks.

