Minutes after news of the Office of Personnel Management (OPM) hack broke last year, Lisa Wiswell started getting calls from hackers.
Ms. Wiswell, chief of digital security for the Pentagon's Defense Digital Service, has long worked with independent security researchers, and considers ethical hackers allies in the country's fight against internet saboteurs.
"All of the folks said, 'Listen, we don't want something like OPM to ever happen again. Just find a legal avenue for me to help,' " she recalls.
The overwhelming reaction from a community of people whose work has become critical for tech companies, banks, automakers, and utilities to secure computer systems and software compelled Wiswell to bring hackers into the Pentagon's fold.
And so earlier this year, Wiswell led the charge to launch the federal government’s first-ever bug bounty program, which rewards hackers for finding and reporting software bugs.
Its ostensible aim was to help the Pentagon find vulnerabilities in its public websites, but Wiswell had a more subversive and wide-reaching goal in mind, too: Help change the image of hackers, who many inside the Pentagon associated only with criminal breaches and computer attacks. In doing so, she says, she wants to change US national security culture.
It's beginning to work. The initial program was so successful that on Wednesday the Pentagon announced two new contracts worth $7 million to expand the bug bounty program, working with tech companies HackerOne and Synack to facilitate the expanded effort.
"Working with the external hacker community supplements the fantastic cybersecurity work that DoD is doing internally," said Marten Mickos, chief executive officer of HackerOne, in a press release. "No organization or government is so powerful that it does not need outside help identifying security issues."
More than 1,400 hackers signed up for the pilot bug bounty program – triple what Pentagon officials had anticipated. In the end, the Pentagon paid out $75,000 for more than 130 "legitimate, unique" vulnerabilities and, by Defense Secretary Ash Carter's estimates, saved the DOD millions of dollars. (By comparison, the DOD paid $5 million over three years to one vendor that found fewer than 10 vulnerabilities.)
Hackers as patriots
What was equally striking to Wiswell was that these hackers were willing to forge ahead despite a robust chorus of voices within their own community who were against helping the Pentagon root out vulnerabilities, warning that the government was just looking for intelligence about the hacker community.
"There were pockets of folks saying, 'Don't do it. Don't sign up. They just want to collect your information and keep a list of hackers out there,'" says Wiswell.
When Wiswell and others on her team conducted exit interviews with the hackers who had taken part in the bug bounty, 9 out of 10 said they signed up because they felt like the US was asking them to serve.
"One said, 'I can’t even run a mile. I’m not cut out to be a soldier. But if the DOD asks me to help in an area I’m skilled in, I’m happy to do it,' " Wiswell recalls. "He found a lot of interesting vulnerabilities for us."
What they wanted in return was the modest request that the government not put them on some watch list. They also wanted the Pentagon to set clear parameters for the hacking, so they wouldn't accidentally stray into secure servers outside the program's scope – a so-called "hack-cident" – which could leave them vulnerable to, say, prosecution by the Department of Justice.
Wiswell understood their concerns.
"They wanted to know we weren't going to call up the DOJ and say, 'Here are some folks you might want to talk to,' " she says. "There were a number of things that were just really unclear. It’s a scary thing to conduct any sort of researching activities against DOD IP space at all, given the last 30 years of history."
The Defense Digital Service dutifully went to work building these parameters and, in turn, cultivating trust within the hacker community. "We didn’t even know their true identities," Wiswell says. "We just had user names."
The first bug bounty also proved to some skeptical Pentagon officials that the hackers "did what we asked them to do and nothing more," Wiswell says, adding that it helped her to make the case to expand the program.
Version two of the Pentagon's bug bounty program will be similar to the inaugural one, but will eventually invite hackers to go deeper into Pentagon systems.
"DOD is a very interesting organization, because our mission-critical assets are networked and online, too," Wiswell says. "We want to make sure there aren’t vulnerabilities in more sensitive assets."
To this end, the Pentagon will invite a "limited number" of "deep binary hackers" to take part, to help strengthen the security of "small, embedded systems" like thumb drives and phones, she adds. "Those might be something you'd care to hack."
They are certainly Pentagon items that have proven highly vulnerable in the past. And going forward, it is possible that the Pentagon will push the boundaries of the bug bounties even further, into the classified realm.
"There are lots of laws when you're talking about hacking anything classified, but there's certainly potential in that space," Wiswell says. "I think that there are probably a lot of networked assets that touch classified systems that aren't classified themselves – and those might be interesting areas to start."
To accompany the bug bounty program, Wiswell's next priority is to put in place a "DOD vulnerability disclosure policy," which she describes as a sort of "see something, say something" for the digital realm. It is meant to protect hackers who do just that: point out vulnerabilities they come across in Pentagon systems, without fear of retribution.
After all, the bug bounty program wasn't just about pointing to holes in the Pentagon’s public-facing sites, Wiswell says: It was also about getting the government to admit that it needs help from hackers.
"The bottom line is that code that goes unchecked for long periods of time is just vulnerable – that’s software development 101," she says. "So we’re publicly extending an olive branch."