Ash Carter’s bold step of opening the Pentagon’s unclassified websites to hacker attacks through HackerOne deserves coverage. We held off on reporting about the Pentagon’s new effort to encourage hackers to help the US military until we got an assessment from someone whose judgment we trust, with experience in the darkest corners of the cyber world.
Why does this matter so much? “The existing system is incapable of giving him a complete view of the Department’s cyber risk and, realizing that in-house processes cannot solve the problem, he is turning to industry and the hacker community to provide an orthogonal view to the Pentagon’s cyber posture,” writes John Quigg, former Army cyber warrior who is now senior advisor to Spurrier Capital Partners, a New York investment bank.
What’s the state of the Pentagon’s ability to manage a cyber attack? The Government Accountability Office just issued a report about the military’s ability to support civil authorities during a serious cyber attack. Its conclusion: the roles and responsibilities and the chain of command are unclear. In a domain where reactions must sometimes occur in seconds or minutes, an unclear chain of command does not increase confidence.
“DOD guidance does not clarify the roles and responsibilities of key DOD entities—such as DOD components, the supported command, and the dual-status commander—that may be called upon to support a cyber incident,” GAO found. And key “documents do not identify the role of the dual-status commander—that is, the commander who has authority over federal military and National Guard forces—in supporting civil authorities during a cyber incident.” As of January this year, the military had not begun efforts to issue or update guidance. “Until DOD clarifies the roles and responsibilities of its key entities for cyber incidents, there would continue to be uncertainty about which DOD component or command should be providing support to civil authorities in the event of a major cyber incident.”
So will HackerOne help fix this? Will this mark a turning point in the security of the unclassified networks upon which the Defense Department depends so much? Could it actually mean a less safe enterprise? After all, these hackers will be probing for weakness.
“Lest visions of Matthew Broderick in War Games stir concerns of teens running amok in defense networks, the new Defense Digital Service (DDS) is engaging an innovative start-up called HackerOne to vet willing participants from the hacking community, harvest (securely) the results for Defense Department remediation processes, and manage the bounty program to incentivize the white hat community’s participation,” Quigg argues. “The HackerOne team, resourced by some of the biggest equity names in the security world, is a serious effort to corral the raw talent in the hacker world and constructively provide a mechanism applying it to the serious problems of both government and commercial sectors.”
But not all is bright and happy just because Carter wants to do the right thing. The crucial next step is how to turn the vulnerabilities found into protected networks, and it will require great speed and some money.
“The Secretary’s most pressing concern has to be his department’s ability to take the results of the ‘Hackathon’ and turn them into actions and acquisitions. This effort is being managed by the DDS and it is unclear how they will translate lessons learned into resourced capabilities that can evolve at the same velocity as the cyber threat,” Quigg argues. “This is, nonetheless, a welcome break from business as usual in federal cyber security and we eagerly await Secretary Carter’s next move.”