Bug bounty programs are a big part of the Pentagon’s push to solve complex IT problems.
But starting programs that allow vetted outside security researchers to search for software flaws was not easy in the bureaucratic and failure-averse institution, say Chris Lynch, the director of the Defense Digital Service, and Lisa Wiswell, the group’s digital security lead.
On the latest episode of The Cybersecurity Podcast, Mr. Lynch said his team went so far as to schedule meetings in conference rooms to which "naysayers" did not have access.
"One of the strategies we had to resort to was literally physically getting some people out of the meetings that we had, because they were so disruptive," Mr. Lynch tells podcast cohosts New America's Peter W. Singer and Passcode's Sara Sorcher.
"They were worried about their own careers, right?" he continued. "There's a belief in the Department of Defense that comes from the idea that failure is not an option, so when you do a bug bounty, if [researchers] find vulnerabilities, that's considered a failure. That's the wrong way to think about it." After all, you can't fix software flaws if you can't find them.