Hack the Pentagon - DoD and Synack
22 October 2019

3 Years of Hack the Pentagon: Solidifying and Scaling Innovation

Synack

This post was co-authored by The Defense Digital Service & The Synack Team

Three years ago, the Defense Digital Service (DDS) made history when they set up a little-known pilot program called Hack the Pentagon, the first time a federal government agency engaged a crowd of top security researchers to search for vulnerabilities in Department of Defense assets. DDS courageously chose this early focus on cybersecurity, applying a diversity of skill sets and an outside perspective to finding and fixing security vulnerabilities before the adversary could exploit them. Blazing a trail, DDS engaged the country’s and allied nations’ best ethical hackers to conduct crowdsourced security testing on not just marketing websites and test environments, but also our nation’s most critical assets.

Since the launch of the Hack the Pentagon pilot in 2016, the Department of Defense, led by DDS, has worked to scale the program beyond a pilot to become a department-wide security best practice. Today, the Pentagon uses crowdsourced security testing to proactively find and fix security issues in systems ranging from the F-15 Trusted Aircraft Information Download Station (TADS) system to an internal File Transfer Mechanism to a U.S. Air Force logistics system. In total, Hack the Pentagon has helped secure over a dozen systems. 

To celebrate Hack the Pentagon’s 3rd birthday (which coincidentally falls during National Cybersecurity Awareness month!), here’s a look back at just a few of the successful projects that DDS has made public, and the impact that some of these projects are having:

F-15 Trusted Aircraft Information Download Station (TADS) system

Beginning at the end of 2018, DDS partnered with Synack to conduct repeat crowdsourced security testing on the TADS, a system that collects data from video cameras and sensors while the F-15 jet is in flight. The first test in the winter of 2018 revealed several security vulnerabilities that, if exploited, could have given a malicious actor full control of the system. The U.S. Air Force patched the vulnerabilities and then, under the leadership of Dr. Will Roper, Assistant Secretary of the Air Force for Acquisition, Technology and Logistics, they chose to push themselves harder and re-test the system again with Synack at DEF CON 27’s Aviation Village. During this second test in August 2019, the Synack Red Team found some of the same vulnerabilities within the testing scope, and some new ones too. The results from the second test offered a powerful lesson: security should be continuous to mitigate risk, and systems should be tested earlier in the acquisition lifecycle to build in security by design.

File Transfer Mechanism

With Hack the Pentagon, the DoD has not shied away from applying the testing rigor of the crowd on their sensitive internal systems. One of the very first projects was on a high-value asset: a file transfer mechanism. The warfighter relies on this system to transfer mission-critical information between networks, including classified ones. The DoD engaged Synack for a crowdsourced security test, conducted on Synack’s trusted platform. The mechanism had been tested repeatedly by traditional penetration testers, and the security team did not expect to find much for at least a week. But just a few hours into the crowdsourced security test, a Synack Red Team member reported the first vulnerability – a critical one. The project set a powerful example for the Pentagon and highlighted the value of getting an outside, crowdsourced perspective on internal security.

REMIS Logistics system

The U.S. Air Force also engaged with Synack to test their Reliability and Maintainability Information System (REMIS) logistics system. Specifically, the Air Force and DDS wanted to understand the vulnerability risk of potential damage to authorized users who had inside access to the REMIS system. Over the course of four weeks, 73 Synack Red Team ethical hackers spent more than 1,700 man-hours probing REMIS for vulnerabilities and weaknesses. They identified 12 vulnerabilities with varying severities, of which the REMIS program office and Northrop Grumman were able to immediately remediate. If exploited, these vulnerabilities could have given an adversary the ability to compromise trusted integrations (such as integrated software Commercial Off the Shelf (COTS) components) to access military maintenance information. This project offered a different, but just as important lesson: COTS components need to be assessed as potential attack vectors for adversaries, and security testing should become a pillar of the acquisition lifecycle. 

Modernization and Innovation

American defense agencies are prioritizing rapid acquisition cycles and modernization initiatives. A critical component to the success of these initiatives is ensuring the security of both new products and system updates. Our partnership with the U.S Air Force – and the many crowdsourced security tests we’ve worked on together – has shown that smart and controlled crowdsourced security testing can easily integrate into the acquisition lifecycle and scale at the speed of deployment.

Thanks to crowdsourced security’s proven success, it’s no longer a pilot project within DDS; it’s a mainstay solution that has proven its efficiency and effectiveness. Last year, DDS announced that it would expand the program and invest an additional $34 million in crowdsourced security. While Hack the Pentagon got its start from visionary Chris Lynch, the challenge of implementing it at scale is coming down to the new DDS Director Brett Goldstein. Goldstein has the hard task of taking crowdsourced security from its nascent stage to its next step in maturation. Goldstein’s leadership experience across private and public sectors and his technical expertise is proving to be valuable as he puts a strategy in place to operationalize and deploy crowdsourced security at scale within DDS’s vast digital infrastructure. 

According to DDS, Goldstein is “deeply committed to using data and technology to support smarter government and improved services.” He told Nextgov in a statement earlier this year, “Technology has never been more important to the mission of national defense.” Calls for a smarter government are calls for a more optimal, efficient, and effective government. 

To keep pace with their digital transformation initiatives, DDS realized in 2016 that keeping pace with our adversaries required leveraging private sector best practices for security testing, thus creating Hack the Pentagon. In order to scale Hack the Pentagon, DDS could consider augmenting the program with smart technology, including artificial intelligence and data science. Goldstein has already been hard at work bolstering the Pentagon’s data science capabilities. The use of artificial intelligence would require strong partnerships between public and private sector partners.

When you put humans and Artificial Intelligence together to work on security problems, it increases efficiency and accelerates the time to find and remediate vulnerabilities. Synack data shows that machines can be 4x faster than humans at finding vulnerabilities. However, the vulnerabilities that a human finds are much more impactful, such as business logic flaws, subdomain takeovers, persistent cross-site scripting vulnerabilities, and authorization issues. The vulnerabilities found by machines tend to be less severe, such as SQL injection, path traversal and reflected cross-site scripting. Overall, humans are at least 2x more impactful if we consider the severity of the vulnerabilities that they find. 

Leading the Way for a Brighter Future

When you combine humans and machines to work on a problem (in the right way), you are utilizing each for their strengths and covering for their weaknesses. AI-enabled scanning technology allows human testers to find and triage vulnerabilities faster. This, in turn provides security teams with information to prioritize and remediate the most severe vulnerabilities and reduce their lifecycle (based on Synack data). Greater security testing efficiency and speed allows security teams to cover a larger attack surface more effectively.

Once an organization decides to implement an innovation at scale, it’s no longer an experiment; it becomes a part of the daily life of an organization and other organizations take notice. DDS is transforming the way we protect our country from cyber attacks, and federal agencies and private enterprises are following their lead. Since the announcement of the first Hack the Pentagon contract 3 years ago, more than 15 federal agencies are employing Synack’s trusted crowdsourced security testing. Our crowdsourced security platform is protecting not only leading government agencies, but also leading global banks, top ecommerce brands, and more than $1 trillion in F500 revenue.  

Crowdsourced security is now considered a best practice by the DoD, the White House, Senate, and by Gartner, thanks to the leadership of DDS. In an industry that’s sometimes seen as conservative and slow, Brett Goldstein and DDS are the bold leaders adopting and scaling innovation to secure our country. Cheers and happy birthday to the Hack the Pentagon team!