The U.S. government's first public-facing bug bounty program, Hack the Pentagon, announced earlier this year, was framed as a way to connect with legitimate researchers and make a subtle plea for their help.
On Friday, Veterans Day, the U.S. Army became the second critical agency to announce a reward program, and the second to reaffirm that the white hats from the private sector are invited to play a critical role in national security.
“The Army is reaching out directly to a group of technologies and researchers who are trained in figuring out how to break into computer networks they’re not supposed to; people we normally would have avoided,” said Secretary of the Army Eric Fanning in announcing Hack the Army.
The initiative will be an invite-only program managed by HackerOne, which also ran Hack the Pentagon, and Luta Security, whose founder Katie Moussouris is the former chief policy officer at HackerOne. Fanning did not detail the program's scope on Friday beyond saying that Army recruiting websites and databases, where the Army gathers personal information from recruits, will be the primary focus. This differs somewhat from Hack the Pentagon, which allowed hackers to register and find web-based vulnerabilities in a number of static DoD websites.
“With Hack the Army, we are committed to taking Hack the Pentagon several steps further,” Fanning said. “Each of these sites is essential to our day-to-day recruiting mission. While Hack the Pentagon focused on static websites, Hack the Army will be composed of dynamic content and mission critical websites we rely on to recruit the best fighting forces in the country. These assets have deep ties to the Army’s core operations.”
Hack the Army is also open to military and government researchers, in addition to private sector researchers, who must register and be vetted to ensure they are citizens, lawful permanent residents, or foreign nationals authorized to work in the U.S.
“We recognize we cannot continue to do business the way that we are, and that we’re not agile enough to keep up with things that are happening in the tech world,” Fanning conceded. “There are people all over the world trying to get access to our sites, our data, our information. We have very well trained, capable teams in the military and the Department of Defense, but it’s not enough. It’s not enough bandwidth for what we need to do to protect those systems. And the more different sets of eyes, different teams with different experiences, we can bring to this problem, the more secure we can feel about protecting this information.”
Hack the Pentagon was a milestone for the government and symbolized its realization that it needs the help of private sector researchers to protect its presence on the Internet and the data it collects. The Hack the Pentagon trial ran for 24 days starting in April and paid researchers from a pool of $150,000. HackerOne said that 138 vulnerabilities were resolved as a result of the Hack the Pentagon bounty.
At the Infiltrate conference in April, Lisa Wiswell of the DoD’s Defense Digital Service office said the bounty program was about changing attitudes inside the government about hackers.
“What’s changed is the government’s willingness to allow you to hack us,” Wiswell said. “Many in government are more humble now than historically, and are coming around and acknowledging that we need help.”
Fanning echoed her remarks on Friday, saying that opening the challenge to the white-hat community was valuable to the government.
“What Hack the Pentagon validated was that there are large numbers of technologists and innovators who want to make contributions to our nation’s security, but lack the avenue to do so,” he said. “Bug bounties offer a means for patriots to contribute to our mission. We’re getting a better appreciation today how many white hats there are who can help make the Army’s digital systems more secure. By offering them an avenue to report vulnerabilities, we are building trust and relationships for the long term.”