Modern field guide to security and privacy

In nod to Silicon Valley, Pentagon opens door to hackers

The Department of Defense announced it will launch the federal government's first bug bounty program for vetted hackers to search its systems for vulnerabilities. 

Charles Dharapak/AP/File
A view of the Pentagon from Air Force One.

Think you can hack the Pentagon? Well, soon you may get the chance to crack its systems – without violating national security.

The Department of Defense announced Wednesday that it will invite vetted security researchers to test its cybersecurity systems in a pilot program set to begin next month.

It will be the first cybersecurity bug bounty program in the history of the federal government, and hackers "could be eligible for monetary rewards and other recognition," a Pentagon spokesman said, adding that the initiative is modeled after similar competitions conducted by some of Silicon Valley's biggest tech companies. 

"Bringing in the best talent, technology, and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DOD, but it also helps us better protect our country," said Chris Lynch, a technology entrepreneur who directs the Defense Digital Service, which will oversee the bug bounty program.

The Pentagon made it clear, too, that approved researchers won’t be allowed to run amok in DOD computer systems, but rather will be asked to identify vulnerabilities on a "predetermined" department system.

The project is a demonstration of a drive within the Pentagon to improve cybersecurity, said Secretary of Defense Ash Carter.

"I am always challenging our people to think outside the five-sided box that is the Pentagon," he added. "Inviting responsible hackers to test our cybersecurity certainly meets that test."

News of the program came during the RSA Conference in San Francisco, the largest annual gathering of security professionals, and generated plenty of buzz among attendees.

"Even the strongest organization on the planet, essentially, even they know that to be fully safe they need to work with hackers," says Mårten Mickos, chief executive officer of HackerOne, a San Francisco firm that operates bug bounty programs.

The Pentagon's decision, said Mr. Mickos, "shows a shift from the old world of secrecy to the new world of transparency. From an old world of keeping it close to the vest, to collaborating broadly. I think it's absolutely pioneering."

The program – dubbed "Hack the Pentagon" – shows that "DOD is clearly using commercial best practices," says Ben FitzGerald, director of the Technology and National Security Program at the Center for a New American Security.

Launching an endeavor like this is not easy, Mr. FitzGerald adds. "There are significant institutional antibodies for this type of initiative." 

That’s because hackers could find something embarrassing, or – despite their strict parameters – the Pentagon could be hacked in ways beyond what they might have expected. "They may like for these vetted hackers to look at, let’s say, one of the many innocuous websites they run, in the hopes that these guys will say, 'It’s really good [security]' or, 'There’s just a minor issue.' "

They may find instead, "You didn't have any password protection, or you had 'password' as a password," FitzGerald says.

That’s why the new hacker initiative is an important step toward "demystifying the security needs of the [Defense] department," he adds, since "often when national security people talk about cybersecurity, it’s as if it’s something different than the network security that every business does."

While the Pentagon trades in top secret information, "a lot of what it does involves basic security as well," FitzGerald says. "We see organizations like Google and Facebook make frequent use of these programs and see great returns."

For the DOD, he added, "it's the closest you get to a Silicon Valley model of disrupting and innovating."
