The Pentagon wants to be hacked -- and learn from it
- By Sean Lyngaas
- Mar 03, 2016
SAN FRANCISCO -- The Defense Department will begin a pilot program next month to allow carefully screened hackers to scour DOD websites for vulnerabilities and report their findings.
DOD has its own "red teams" that probe defense networks for security flaws, but the Hack the Pentagon initiative goes a significant step further by inviting private hackers to get out their digital scalpels.
The department's first bug bounty program will be one of several forthcoming initiatives to discover vulnerabilities in DOD applications, websites and networks, according to Pentagon Press Secretary Peter Cook.
"You'd much rather find the vulnerabilities in your networks in that way than by the other way, which is pilferage of information -- in our case, compromise, shutdown and so forth of our networks," Defense Secretary Ash Carter said March 2 at the RSA Conference in San Francisco.
Carter cast the program as part of his push to get the Pentagon to embrace a startup mentality.
"If you don't take risk and you're not willing to fail, then you're never going to get anywhere," he said. "And you all know that, and that's one of the things that's imbued in the innovative community out here."
The hackers will target the department's public websites, not critical, mission-facing systems, Cook said. Participants might get paid for their efforts in the form of rewards for finding vulnerabilities, known in industry as "bug bounties." Only U.S. citizens are eligible for the program. Hackers who participate must undergo a background check before they are given access to DOD systems.
Like the rest of the federal government, DOD is competing with the private sector to recruit top cybersecurity talent.
In the past three years, several of the Pentagon's red-team specialists have left for lucrative private-sector jobs, according to a Pentagon memo obtained by the Daily Beast. The specialists who have stayed are not keeping pace with sophisticated adversaries, according to the report.
Tony Cole, a FireEye executive who has helped assemble cyber incident response teams at DOD and elsewhere, told FCW that threat data gathered by the bug bounty program could "provide for a more secure internal enterprise and possible future offensive capabilities in the cyber realm."
Although the program "will be difficult to structure and run successfully, the benefits could be large and long-term, [and] could help the department mitigate numerous undiscovered vulnerabilities," he added.
Sean Lyngaas is a former FCW staff writer.