First, a new policy released today encourages anyone to look for weaknesses in any public DoD site, as long as they report what they find. Then, for a select subset of hackers and sites, “bug bounty” programs go further by offering cash rewards to registered hackers for finding problems in selected sites. The bigger the problem, the bigger the payout, with Hack The Pentagon going as high as $15,000 and the forthcoming Hack The Army likely to go higher.
Bug bounties for white hats are old hat for tech companies, but they’re still a new idea for much of the wider commercial sector, let alone the staid Defense Department. Defense Secretary Ashton Carter has pushed hard to bridge the gap between the Pentagon and Silicon Valley. He created a special contracting outpost in Palo Alto, DIUx (Defense Innovation Unit, Experimental), and set up a Defense Digital Service to bring IT experts into the Pentagon on roughly one-year tours to shake things up.
Chris Lynch heads the DDS. “We have actively dissuaded people from telling us vulnerabilities,” Lynch told reporters at an embargoed briefing before the new policy’s release. In one case he’s personally familiar with, a private security researcher was doing routine scans of large portions of the website that happened to include .mil sites. “The Department of Defense had actually reached out…and said, ‘please don’t scan us,’” Lynch said. “I think that that’s crazy.”
Hack The Pentagon’s very success highlighted other problems. The program only rewarded researchers for finding vulnerabilities in specific, enumerated websites. But some participating hackers found “out of scope” vulnerabilities in other websites. When they tried to report the problems, they found no procedure to do so, no policy and no point of contact.
“It turns out we had no process,” said Charley Snyder, senior cyber policy adviser in the Office of the Secretary of Defense. Patriotic hackers ended up emailing their vulnerability reports to the Pentagon webmaster — which is kind of like calling 911 and getting voicemail — or even posting them on Twitter.
So in parallel to setting up Hack The Army, which offers bug bounties for vulnerabilities in Army recruiting-related sites, the Pentagon also wrote up an across-the-board policy for reporting vulnerabilities in any public-facing Defense Department website. (If you channel Matthew Broderick and hack the nuclear command and control system, sorry, you’re still not covered).
Based on private-sector Vulnerability Disclosure Policies, the Pentagon VDP sets certain expectations for researchers. For example, don’t disrupt Pentagon business by conducting Denial of Service (DOS) attacks, said Snyder, and “don’t just run crazy automated scans that are just going to generate a lot of low-level stuff.” In return, well-behaved white hackers who find real vulnerabilities will have a channel to report them without fear of legal repercussions, which has prevented at least some reporting in the past.
“We don’t care where the information comes from. We just want an avenue for you to deliver this information to us,” said Lisa Wiswell, who works for Lynch as a “bureaucracy hacker” in the Defense Digital Service. (In a sign of shifting cultures, while Wiswell has spent 10 years in government, mostly in DoD, like Lynch she was so casually dressed I initially mistook her for a fellow reporter; Snyder, by contrast, wore a suit). Wiswell is running the bug bounty programs.
The bounties are more targeted than the DoD-wide Vulnerability Disclosure Policy, Wiswell made clear. They’re also getting increasingly challenging — both for the hackers and for DoD. Hack The Pentagon only rewarded participants for finding vulnerabilities in a set list of “static” websites like Defense.gov which publish information for the general public. Hack The Army will cover Army recruiting websites, which are still by their nature aimed at the public but which take in data important to the day-to-day functioning of the service’s recruiting operation.
Only hackers who register with private sector firm HackerOne will be allowed to participate, said Wiswell, and only those who pass a background check can actually receive a bounty payment. (Until that point, a participant can stay pretty anonymous). For future bug bounties targeting more sensitive websites, Wiswell said, the Pentagon has contracted with security firm Synack, whose ex-NSA founders have a list of exhaustively vetted hackers for work requiring discretion.
To anyone nervous about opening up Pentagon systems to such outside scrutiny, Snyder points out DoD computers are under real attack from real adversaries every day. “The bad guys are certainly not waiting for an invitation,” he said. Now, at least, the good guys have one.