The Pentagon wants to be hacked -- and learn from it

SAN FRANCISCO -- The Defense Department will begin a pilot program next month to allow carefully screened hackers to scour DOD websites for vulnerabilities and report their findings.

DOD has its own "red teams" that probe defense networks for security flaws, but the Hack the Pentagon initiative goes a significant step further by inviting private hackers to get out their digital scalpels.

The department's first bug bounty program will be one of several forthcoming initiatives to discover vulnerabilities in DOD applications, websites and networks, according to Pentagon Press Secretary Peter Cook.

"You'd much rather find the vulnerabilities in your networks in that way than by the other way, which is pilferage of information -- in our case, compromise, shutdown and so forth of our networks," Defense Secretary Ash Carter said March 2 at the RSA Conference in San Francisco.

Carter cast the program as part of his push to get the Pentagon to embrace a startup mentality.

"If you don't take risk and you're not willing to fail, then you're never going to get anywhere," he said. "And you all know that, and that's one of the things that's imbued in the innovative community out here."

The hackers will target the department's public websites, not critical, mission-facing systems, Cook said. Participants might get paid for their efforts in the form of rewards for finding vulnerabilities, known in industry as "bug bounties." Only U.S. citizens are eligible for the program. Hackers who participate must undergo a background check before they are given access to DOD systems.

Like the rest of the federal government, DOD is competing with the private sector to recruit top cybersecurity talent.

In the past three years, several of the Pentagon's red-team specialists have left for lucrative private-sector jobs, according to a Pentagon memo obtained by the Daily Beast. The specialists who have stayed are not keeping pace with sophisticated adversaries, according to the report.

Tony Cole, a FireEye executive who has helped assemble cyber incident response teams at DOD and elsewhere, told FCW that threat data gathered by the bug bounty program could "provide for a more secure internal enterprise and possible future offensive capabilities in the cyber realm."

Although the program "will be difficult to structure and run successfully, the benefits could be large and long-term, [and] could help the department mitigate numerous undiscovered vulnerabilities," he added.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
