The Pentagon wants to be hacked -- and learn from it

SAN FRANCISCO -- The Defense Department will begin a pilot program next month to allow carefully screened hackers to scour DOD websites for vulnerabilities and report their findings.

DOD has its own "red teams" that probe defense networks for security flaws, but the Hack the Pentagon initiative goes a significant step further by inviting private hackers to get out their digital scalpels.

The department's first bug bounty program will be one of several forthcoming initiatives to discover vulnerabilities in DOD applications, websites and networks, according to Pentagon Press Secretary Peter Cook.

"You'd much rather find the vulnerabilities in your networks in that way than by the other way, which is pilferage of information -- in our case, compromise, shutdown and so forth of our networks," Defense Secretary Ash Carter said March 2 at the RSA Conference in San Francisco.

Carter cast the program as part of his push to get the Pentagon to embrace a startup mentality.

"If you don't take risk and you're not willing to fail, then you're never going to get anywhere," he said. "And you all know that, and that's one of the things that's imbued in the innovative community out here."

The hackers will target the department's public websites, not critical, mission-facing systems, Cook said. Participants might get paid for their efforts in the form of rewards for finding vulnerabilities, known in industry as "bug bounties." Only U.S. citizens are eligible for the program. Hackers who participate must undergo a background check before they are given access to DOD systems.

Like the rest of the federal government, DOD is competing with the private sector to recruit top cybersecurity talent.

In the past three years, several of the Pentagon's red-team specialists have left for lucrative private-sector jobs, according to a Pentagon memo obtained by the Daily Beast. The specialists who have stayed are not keeping pace with sophisticated adversaries, according to the report.

Tony Cole, a FireEye executive who has helped assemble cyber incident response teams at DOD and elsewhere, told FCW that threat data gathered by the bug bounty program could "provide for a more secure internal enterprise and possible future offensive capabilities in the cyber realm."

Although the program "will be difficult to structure and run successfully, the benefits could be large and long-term, [and] could help the department mitigate numerous undiscovered vulnerabilities," he added.

About the Author

Sean Lyngaas is a former FCW staff writer.
