Podcast: How to hack the Pentagon

The Cybersecurity Podcast crew interviews Chris Lynch, director of the Defense Digital Service, and Lisa Wiswell, the group's digital security lead, about the Pentagon's bug bounty programs.

Photo: An aerial view of the Pentagon in Washington, August 31, 2010. (Jason Reed)

Bug bounty programs are a big part of the Pentagon’s push to solve complex IT problems. 

But starting programs that let vetted outside security researchers hunt for software flaws was not easy inside a bureaucratic, failure-averse institution, say Chris Lynch, director of the Defense Digital Service, and Lisa Wiswell, the group's digital security lead.

On the latest episode of The Cybersecurity Podcast, Mr. Lynch said his team went so far as to schedule meetings in conference rooms to which "naysayers" did not have access.

"One of the strategies we had to resort to was literally physically getting some people out of the meetings that we had, because they were so disruptive," Mr. Lynch tells podcast cohosts Peter W. Singer of New America and Sara Sorcher of Passcode.

"They were worried about their own careers, right?" he continued. "There's a belief in the Department of Defense that comes from the idea that failure is not an option, so when you do a bug bounty, if [researchers] find vulnerabilities, that's considered a failure. That's the wrong way to think about it." After all, you can't fix software flaws if you can't find them. 

Check out the podcast on: iTunes | Soundcloud | Stitcher


HackerOne is the world's number one bug bounty and vulnerability disclosure platform, connecting organizations with the largest community of creative, white hat hackers. It has resolved more than 40,000 vulnerabilities and awarded more than $14 million in bug bounties. Over 700 organizations, including the U.S. Department of Defense, Uber, and Starbucks, trust HackerOne to find critical software vulnerabilities before criminals can exploit them.

HackerOne is proud to sponsor The Cybersecurity Podcast.
