Military Embedded Systems

DoD announces "Hack the Pentagon" results and future cybersecurity plans

News

June 20, 2016

Mariana Iriarte

Technology Editor

Military Embedded Systems

Photo by DoD

WASHINGTON. Secretary of Defense (SECDEF) Ash Carter announced the results of Hack the Pentagon, a Department of Defense (DoD) cyber bug bounty program. Out of all the submissions, officials deemed 138 were to considered to be legitimate, unique, and eligible for a bounty.

The challenge – hosted by HackerOne, a Silicon Valley-based firm – was conducted on five public websites, which included defense.gov. It launched on April 18, and ran until May 12, with over 1,400 hackers, who completed registration and were invited to participate. Out of those who completed the registration, more than 250 submitted at least one vulnerability report. Among the contestants of the initiative, SECDEF gave an honorable mention to recent high-school graduate 18-year-old, David Dworkin and computer security researcher, Craig Arendt.

The purpose of the pilot program was to address the DoD’s defense in the digital world. "We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks," says Secretary Carter. "What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference - hackers who want to help keep our people and nation safer."

Dworkin has participated in similar competitions and says, "it was a great experience. I just started doing more and more of these bug bounty programs and found it rewarding. Both the monetary part of it and doing something that is good and beneficial to protect data online in general."

Defense Digital Service (DDS) is credited with the idea of the Hack the Pentagon initiative. Chris Lynch, director of DDS, wants to scale this idea further, "What we want to figure out is how we can use this in a way that is able to be used on nearly any level of classification, or any type of activity."

"We're not there yet. We're going to start to work through and look at other layers as well. We recognize that this is a really valuable tool," Lynch continues. "It's a huge change for the Department of Defense in terms of how we recognize the ability for people to come in and help us secure systems themselves. There are lots of things we can apply it to."

The success of Hack the Pentagon leads DoD officials to embark on three follow-on initiatives this month. To begin, engineers will develop a vulnerability disclosure process and policy for DoD so anyone with information about vulnerabilities in DoD systems, networks, applications, or websites can submit it to the department without fear of prosecution.

Then will come the expansion of bug bounty programs to other DoD Components, in particular the military services, by developing a sustainable DoD-wide contract vehicle. Finally, incentives will be included in the acquisition policies and guidance so that contractors practice greater transparency, and open their own systems for testing - especially DoD source code.

Defense Media Activity quickly worked to remediate all vulnerabilities found by the hackers. $150,000 was the final cost of the pilot program, and officials say it marks the first in a series of programs designed to test and find vulnerabilities.

Read more on cybersecurity:

Northrop Grumman and NEC enter into cybersecurity collaboration agreement

COTS, GaN, cybersecurity flavor spring trade shows

U.S. Cyber Command cybersecurity contract won by Parsons