05 March 2016

Department of Defense Announces Initiative for Vetted Hackers to “Hack the Pentagon”

Derek Athy

This past Wednesday, the U.S. Department of Defense released a major announcement surrounding national security – inviting “vetted hackers” to “Hack the Pentagon” in an initiative that is being led by the Defense Digital Service (DDS).

The initiative marks the first program of its kind undertaken by the federal government, as the Pentagon follows the lead of some of the world’s largest companies in using hackers to proactively test for holes in digital networks and applications through trusted, incentive-driven programs. The government lags behind in cyber security while cyber threats continue to evolve and attack surfaces rapidly grow. The Department of Defense is now beginning to take pragmatic steps, transitioning from static, ineffective security solutions to dynamic, innovative ones that can better protect the critical information and systems at the Pentagon.

For now, the Pentagon’s most sensitive networks, such as key weapons programs, will not be included in the scope of the “Hack the Pentagon” pilot program. Instead, this initiative will incentivize a selected community of highly-vetted and qualified security researchers (from a pool of U.S. citizen applicants who previously registered and submitted a background check) to identify vulnerabilities in the Pentagon’s web and mobile applications and network infrastructure. The hackers will be eligible for monetary awards/recognition, or “bug bounties”, based on their findings of exploitable vulnerabilities.

Crowdsourced models harness the human ingenuity and intelligence of some of the most talented security researchers in the world – scaling this talent in a way that internal security teams and red teams at the Pentagon cannot attain.

DJ Patil, the White House’s chief data scientist (formerly of eBay and LinkedIn), commented on the mindset behind the initiative:

“When people hear ‘bug bounty,’ they think we are just opening ourselves to attack, but what people forget is, we are always in this day and age under attack. By bringing crowds to the problem … you’re getting a jump on the curve.”

It takes just one hacker to break a system. Programs like “Hack the Pentagon” allow ethical, trusted researchers to detect and report vulnerabilities in a secure manner, enabling organizations to mitigate risk and patch holes in exploitable networks before a malicious hacker gets there first.

At the 25th Annual RSA Conference in San Francisco this week, Defense Secretary Ash Carter spoke on the unveiling of the program:

“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security… The military is not getting good cybersecurity grades across the enterprise. We can’t just keep doing what we’re doing. The world changes too fast; our competitors change too fast. The goal is not to compromise any aspect of our critical systems, but to still challenge our cybersecurity in a new and innovative way.”

Synack CEO Jay Kaplan applauded this move, commenting:

“It is clear that the current process and methodology for protecting some of our nation’s most sensitive assets as it relates to the military is simply no match for the onslaught of continued state-sponsored and other attacks. Leveraging a broader base of security experts who are incentivized to uncover issues, coupled with technology, is a proven model with high efficacy across private industry.”

The Pentagon announced this initiative amidst a trip by top Defense officials through Silicon Valley to meet with tech executives as part of the military’s efforts to “rebuild bridges between the Department of Defense and some of our nation’s most innovative industries”, according to The Hill. Admiral Michael S. Rogers, Director of the National Security Agency and U.S. Cyber Command, proclaimed at the RSA Conference in San Francisco that:

“We want to harness the private sector through partnerships and integration. One reason we are here is all of you. We believe in what you bring to this fight. We believe in the knowledge and innovation you help power. The power of partnerships generates the best outcomes for the department, the nation and all of you.”

Weeks ago, Kaplan highlighted the disconnect between Washington and Silicon Valley and other technology hubs around the U.S. in regard to the Apple vs. FBI privacy debate (Fortune). He proclaimed that a “foundational shift” in how the government works is necessary to form lasting partnerships with leading technology organizations and to attract top security talent. That remains an obstacle to overcome, but Washington is proving to be more adaptive. In light of the recent “Hack the Pentagon” announcement, Kaplan commented:

“The DoD continues to make incremental strides in adopting innovative approaches and technology out of the private sector. While you have to applaud the progressive mentality shift, implementation may prove to be much more challenging; government bureaucracy will have to be overcome in a big way.”

While barriers and obstacles to implementing further crowdsourced security programs at the Department of Defense will exist, the “Hack the Pentagon” initiative is undoubtedly a step in the right direction, as the Pentagon institutes this pilot program using fundamental aspects of Synack’s foundational solution. The Department of Defense is electing a progressive, proactive security solution by utilizing highly-vetted, trusted and expertly qualified hackers to emulate the threats and techniques of the adversary, a model that has proven over and over again to be practical and effective for industries across both the public and private sectors.