By Cheryl Pellerin
DoD News, Defense Media Activity
If you’re a computer security specialist, or at least a white hat hacker, who’s always wanted to take a run at the Pentagon, here’s your chance. A pilot program called Hack the Pentagon launches in April.
It’s the first cyber bug bounty program in the history of the federal government, and it will offer incentives, to be determined, to those who find vulnerabilities and exploits.
Pentagon Press Secretary Peter Cook announced the pilot March 3 in a statement, and on a media call a senior defense official offered details of the program so far.
Not familiar with bug bounties?
They’re basically offers by software developers and companies to reward people who research and report bugs, especially those related to vulnerabilities or hacking exploits.
Jarrett Ridlinghafer, at the time a technical support engineer for Netscape, created the first “bugs bounty” program in 1995, according to the entrepreneur’s website.
Today bugsheet.com has a directory of 369 bounty programs offered by everyone from Adobe and Amazon to Twitter and Sony.
“We can’t hire every great ‘white hat’ hacker to come in and help us,” a senior defense official told reporters today, “but [Hack the Pentagon] allows us to use their skill sets, their expertise, to help us build better, more secure products.”
Cook said the department will use commercial-sector crowdsourcing to let qualified hackers conduct vulnerability identification and analysis on the department’s public webpages — specific target to be determined.
“The bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products and digital services,” Cook said.
The pilot is the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites and networks, he added.
Pentagon bug bounty hackers have to register and pass a background check before they take part in a controlled, limited-duration program to identify vulnerabilities on a live department system.
Cook said other networks, including the department’s critical, mission-facing systems, won’t be part of the bug bounty pilot.
As is routine in the private sector, he said bug bounty hunters will receive monetary awards — bounties — for their successful efforts.
The Pentagon’s Defense Digital Service, launched by Defense Secretary Ash Carter last November, leads Hack the Pentagon. Leading DDS is Director and technology entrepreneur Chris Lynch.
DDS is an arm of White House technology experts at the U.S. Digital Service and includes a small team of engineers and data experts who work to improve DoD’s technological agility.
The senior defense official said DDS exists to bring in best practices from the private sector, so everything from talent to technology and processes “to transform how we build products, digital services and technologies here at the Department of Defense”.
One of those best practices is the bug bounty.
During the call, someone asked if there’s a chance that black hat hackers –- bad guys — could try to get in on the Pentagon bug bounty.
The Department of Defense, its systems and its networks are attacked every day, the senior defense official said.
“Bad guys are not sitting there and thinking to themselves, ‘Oh wow, this is excellent, I’ve been waiting for the Department of Defense to do a bug bounty.’ They’re already there, attacking us every single day,” the official said.
The problem comes down to the people who want to help who don’t work for the Department of Defense, he said.
“We hear from those people all the time,’’ he continued. ‘‘Right now there’s a security conference out here called RSA that we’re at, and we’ve had people who’ve said, ‘Now the good guys can actually help.’’’
He added, “The bad guys aren’t waiting, they’re in there right now, so this is a great opportunity for the good guys to jump in and lend their expertise to help make us more secure.”
As Hack the Pentagon is fleshed out, a live asset will be chosen as the target for the hackers, the senior defense official said, but one that is under constant attack and has no personally identifiable or mission-critical information.
“We’re going to be bringing in a very broad program where over time we can look at multiple assets that we would like to have the bounty run against,” he said.
“But for now … we’re going to introduce a program where people have to register, they’re going to be vetted and there will be obvious things like they’re not going to be on terrorist watch lists,” he added.
“We see this growing into something that we can use as a broader tool to help make our systems and our services more secure, not only for the Department of Defense but across the federal government.”
Look for more information coming out soon, and get ready to get vetted and Hack the Pentagon.
Follow Cheryl Pellerin on Twitter: @PellerinDoDNews