hacker prodding a public-facing Army recruitment website in early December stumbled upon a vulnerability, then another, until he found himself suddenly connected to an internal Department of Defense network that should have prompted him for special access credentials. By the end of that night, Pentagon employees were swapping frantic phone calls and considering a complete shut-down of the compromised network. The intrusion was unexpected, but more concerning was the fact that the hacker hadn’t set off any alarm bells — the Defense Department didn’t know he’d gotten into the internal network until he told them about it.
The hacker who found the vulnerabilities was participating in the Army’s first-ever bug bounty program, Hack The Army, a challenge that invites security researchers to put their skills to the test and pays them for their efforts. Defense Department security teams are trained to react swiftly to unexplained traffic on their networks, and not all of the Department’s 3.2 million members knew the bug bounty was underway, so the panic was understandable. But the Army sanctioned and even celebrated the hack of its recruitment website — it meant the bug bounty program was working.
“Frankly, my reaction was, ‘Great,’” Secretary of the Army Eric Fanning explains. “A lot of people’s first reaction to Hack The Army was, ‘Why would you invite people to hack you?’ Well, we’re being hacked every day, all day long, by people who are wishing to do us harm. So this idea of setting up this competition, vetting the participants, and then being in a situation where they tell us what they find is great. If they’re not finding vulnerabilities and, in some cases, finding vulnerabilities that really surprise us, then I don’t think the competition is doing all that we want it to do.”
Sec. Fanning’s reaction represents an evolution in the way government — following the lead of tech companies like Google and Facebook — views security research. Government agencies and private industry giants haven’t always been so nonchalant about getting hacked. Fears of foreign hackers have consumed Capitol Hill in the wake of large-scale data theft from the Office of Personnel Management and the Democratic National Committee, and companies have responded to bug reports with legal threats. Although many larger firms have established programs today that allow for safe vulnerability disclosure, hackers still have reasonable fears about prosecution and prison time.
“The shadow of that still lingers very strongly with security researchers,” says Alex Rice, the chief technology officer of HackerOne. “The risk is significant, and that’s true for the industry and especially for the government.”
HackerOne is one of several companies that offer bug bounty as a service, pairing the likes of Twitter, Uber and Dropbox with hackers who will test their sites and services for vulnerabilities. One of HackerOne’s latest clients is the Defense Department, which launched its first bug bounty, Hack The Pentagon, last spring and followed it with Hack The Army in November.
The Defense Department has been relatively slow to accept the concept of a bug bounty, adopting it only after years of implementation in the tech industry.
lthough the idea of bug bounties reportedly originated in the mid-1990s at Netscape. Rice traced it back even further, digging up a Hunter & Ready advertisement from 1983 that offered to reward hackers who discovered bugs in its VRTX operating system with Volkswagen Beetles. “Get a bug if you find a bug,” the tagline read.
Bug bounty programs didn’t hit the mainstream until Google instituted the first extensive bug bounty in 2010, quickly followed by Facebook, Yahoo and other tech companies. Apple came late to the concept, launching an invitation-only program last year.
The Defense Digital Service, the Pentagon-based wing of the U.S. Digital Service, has encouraged the Defense Department to catch up with the industry. Born out of the disastrous launch of healthcare.gov, USDS pairs tech workers with government agencies to improve technical competency.
Chris Lynch heads the Defense Digital Service and has championed bug bounties within the Pentagon and with skeptical hackers who didn’t believe he could get the project off the ground.
“We know for a fact that sending a wide variety of hackers into a wide environment will result in something meaningful. It is a fact. We cannot hire every amazing hacker and have them come work for us, but we can do these crowdsourced bug bounties,” Lynch says. “I’m done with being afraid to know what our vulnerabilities are. That’s not okay.”
The Defense Department tested the waters with Hack The Pentagon, which invited participants to attack public-facing Department of Defense websites. Hack The Pentagon was considered a proof-of-concept project — a way for bug bounty advocates like Lynch to show that the program would improve security without risking the breach of classified material or crucial systems. After the program’s success, worries about what would happen if the agency welcomed hackers began to fade.
I’m done with being afraid to know what our vulnerabilities are.
“Those qualms are lessened today than they were six months ago,” says Lieutenant General Paul Nakasone, who leads Army Cyber Command. “My first thought was, ‘Wow, it only took them 10 minutes to identify a vulnerability. How long would it have taken for us to discover?’” (According to official Hack The Army stats, the first vulnerability was reported in just five minutes.)
Lt. Gen. Nakasone’s teams help patch the problems uncovered by bug bounty participants. Containing hackers within an agreed-upon network with established rules has helped ease concerns, he explained. As an olive branch, the Army didn’t require participating hackers to undergo background checks prior to joining the program, even though some private companies make background checks mandatory. Instead, Hack The Army participants only have to undergo a background check if they want to collect their financial reward.
Hack The Army also gave hackers more exciting targets than the public-facing domains like defense.gov that were up for attack during Hack the Pentagon. The Army edition of the program included recruitment websites with access to personal data and recruiting stations across the U.S.
“We chose intentionally this suite of assets, knowing they were the crown jewels,” says Lisa Wiswell, the digital security lead of Defense Digital Service. “It’s where we have recruits enter their personally identifiable information and all kinds of stuff. We do a lot to secure it today.”
Even with those defenses in place, it still only took one of the Hack The Army participants a day to notice an unmaintained router linking the Army’s recruitment websites to the internal network. By stringing together a chain of minor vulnerabilities, the hacker was routed onto the internal website that should have required access credentials. “They were obviously smart enough to tell us right away. We didn’t feel that there were any nefarious activities,” Wiswell said.
Protecting personal information is a sore spot for many in government, Wiswell explained, who want to avoid a repeat of the Office of Personnel Management hack. The panic that ensued when the hacker alerted the Army to his discovery was a natural reaction, she said.
“It’s still uncomfortable for a lot of folks, folks on the military side especially. When you rely on network day-to-day, you have a hard time making tradeoffs between shutting down or living in a world where it could have been compromised,” Wiswell says. “But if our good guys got to it, it probably means the bad guys had information about vulnerabilities there already. The bug bounties start to level the playing field. The bad guys are going to continue to hack us, no question. They will be hacking us over their morning tea in China. We’re allowing the good guys to come in and help too. When you allow that to happen, you don’t have to sit and take it any longer.”
erhaps anticipating public outcry about tax dollars being paid to hackers, the Defense Department framed Hack the Pentagon as a cost-reduction measure. The program cost $150,000 but DoD said that commissioning a similar security audit from a private company would have cost more than $1 million. The cost of Hack The Army is undetermined, as the Army is still assessing the vulnerabilities discovered during the program, but Lt. Gen. Nakasone says projections indicate the program will remain affordable.
Bug bounty proponents also argue that the programs have a trickle-down effect: Researchers are likely to find problems in code supplied by vendors, and when those problems are fixed, every organization that contracts with the vendor will get a security boost. The programs also serve as a blunt, effective form of training for military members who are allowed to participate as attackers and defenders in the bug bounty.
We’re allowing the good guys to come in and help too. When you allow that to happen, you don’t have to sit and take it any longer.
But the Defense Digital Service team isn’t just focused on defending the merits of the bug bounty program — they want to expand it.
Increasing Pentagon acceptance of hackers was only the first step. The Defense Digital Service team hopes bug bounties will fundamentally shift the way the Defense Department thinks about cybersecurity. The chain of vulnerabilities that kicked up concern during Hack The Army would have slipped by an automated vulnerability scanner, Wiswell argues, proving the need for human ingenuity and experience in security. Large organizations like the Defense Department spend millions of dollars on automated vulnerability scanning, which promises to discover problems across a vast network faster and more effectively than a team of engineers could.
“Automation alone is rarely capable of those kinds of leaps of logic,” Wiswell says. “We focused for a long time on these silver bullet technologies like automated scanning and things of that nature, which wasn’t a full security strategy. There’s a lot of things we do to stop the bleeding, but there’s not a lot we do to overhaul the way we think about security.”
Lynch has indicated in the past that turning hackers loose on increasingly sensitive data sets was always part of the plan for the bug bounty, and he said that hasn’t changed. He anticipates eventually running a bug bounty program on classified networks.
However, it’s unclear what will become of programs like Defense Digital Service under the Trump administration. Sec. Fanning, an Obama appointee, will leave the Pentagon to make way for Vincent Viola, the billionaire owner of a Florida hockey team Trump has nominated to replace him. Given the intelligence community assessment that Russia participated in several hacking campaigns intended to sway voters in his favor, Trump may want to appear tough on hackers and oppose the bug bounty programs underway at the Defense Department.
“I have no better idea than you what will happen with the next administration, but I don’t think that the need for and the value of programs like this are really disputed by anybody. Cyber is a low barrier to entry for adversaries and everybody believes —” Fanning paused, then corrected himself. “There’s pretty broad consensus that the more sets of eyes we can have on the problem, the better for us.”