Always Wanted to Hack the Pentagon? DoD Says Bring It

By Cheryl Pellerin
DoD News, Defense Media Activity

If you’re a computer security specialist, or at least a white hat hacker, who’s always wanted to take a run at the Pentagon, here’s your chance. A pilot program called Hack the Pentagon launches in April.

It’s the first cyber bug bounty program in the history of the federal government, and it will offer incentives, to be determined, to those who find vulnerabilities and exploits.

The Pentagon with the Washington Monument and National Mall in the background. U.S. Air Force photo by Senior Airman Perry Aston


Pentagon Press Secretary Peter Cook announced the pilot today in a statement, and on a media call this afternoon a senior defense official offered details of the program so far.

Not familiar with bug bounties?

They’re basically offers by software developers and companies to reward people who research and report bugs, especially those related to vulnerabilities or hacking exploits.

Jarrett Ridlinghafer, at the time a technical support engineer for Netscape, created the first “bugs bounty” program in 1995, according to the entrepreneur’s website.

Today bugsheet.com has a directory of 369 bounty programs offered by everyone from Adobe and Amazon to Twitter and Sony.

“We can’t hire every great ‘white hat’ hacker to come in and help us,” a senior defense official told reporters today, “but [Hack the Pentagon] allows us to use their skill sets, their expertise, to help us build better, more secure products.”

Zeros and Ones. A DARPA graphic


Cook said the department will use commercial-sector crowdsourcing to let qualified hackers conduct vulnerability identification and analysis on the department’s public webpages — specific target to be determined.

“The bug bounty program is modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products and digital services,” Cook said.

The pilot is the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites and networks, he added.

Pentagon bug bounty hackers have to register and pass a background check before they take part in a controlled, limited-duration program to identify vulnerabilities on a live department system.

U.S. Navy Petty Officer 1st Class Daniel Mcelvaney, assigned to the U.S. 7th Fleet command ship USS Blue Ridge (LCC 19), gives the navigator Lt. J.G. Kyle Fitzpatrick coordinates to be charted electronically aboard the ship while departing Chinhae, South Korea, on March 15, 2010. The Blue Ridge is participating in exercise Key Resolve/Foal Eagle 2010, a joint U.S. and South Korean command-post exercise with computer-based simulations and field exercises.


Cook said other networks, including the department’s critical, mission-facing systems, won’t be part of the bug bounty pilot.

He said that, as is routine in the private sector, bug bounty hunters will receive monetary awards, or bounties, for vulnerabilities they successfully report.

The Pentagon’s Defense Digital Service, launched by Defense Secretary Ash Carter last November, leads Hack the Pentagon. DDS is led by its director, technology entrepreneur Chris Lynch.

DDS is an arm of the U.S. Digital Service, the White House team of technology experts, and includes a small team of engineers and data experts who work to improve DoD’s technological agility.

The senior defense official said DDS exists to bring in best practices from the private sector, everything from talent to technology and processes, “to transform how we build products, digital services and technologies here at the Department of Defense.”

One of those best practices is the bug bounty.

During the call, someone asked if there’s a chance that black hat hackers (bad guys) could try to get in on the Pentagon bug bounty.

The Department of Defense, its systems and its networks are attacked every day, the senior defense official said.

In its fourth year as U.S. Cyber Command's major exercise depicting a national response to a serious cyber incident, Cyber Guard 15 drew a record number of players representing those who would be most affected by a cyber attack.


“Bad guys are not sitting there and thinking to themselves, ‘Oh wow, this is excellent, I’ve been waiting for the Department of Defense to do a bug bounty.’ They’re already there, attacking us every single day,” the official said.

The issue, he said, is the people who want to help but don’t work for the Department of Defense.

“We hear from those people all the time,” he continued. “Right now there’s a security conference out here called RSA that we’re at, and we’ve had people who’ve said, ‘Now the good guys can actually help.’”

He added, “The bad guys aren’t waiting, they’re in there right now, so this is a great opportunity for the good guys to jump in and lend their expertise to help make us more secure.”

As Hack the Pentagon is fleshed out, a live asset will be chosen as the target for the hackers, the senior defense official said: one that is already under constant attack but holds no personally identifiable or mission-critical information.

“We’re going to be bringing in a very broad program where over time we can look at multiple assets that we would like to have the bounty run against,” he said.

“But for now … we’re going to introduce a program where people have to register, they’re going to be vetted and there will be obvious things like they’re not going to be on terrorist watch lists,” he added.

“We see this growing into something that we can use as a broader tool to help make our systems and our services more secure, not only for the Department of Defense but across the federal government.”

Look for more information coming out soon, and get ready to get vetted and Hack the Pentagon.

Follow Cheryl Pellerin on Twitter: @PellerinDoDNews

Special Report: DoD Cyber Strategy

Follow Armed with Science on Twitter!
