MIAMI—Lisa Wiswell’s phone rang off the hook last summer in the throes of the OPM hack. But she wasn’t just answering questions from those whose security clearance and personal data disappeared into the Chinese ether; there were also hackers on the other end of the line offering their help.
Wiswell, digital service lead with the Department of Defense’s Defense Digital Service office, recounted the anecdote on Thursday during a talk at Infiltrate Conference promoting the recently announced Hack the Pentagon program.
Wiswell said the goal of the first DOD bug bounty goes well beyond paying white hats for finding bugs in a handful of public-facing DOD websites. It’s about changing attitudes inside the government toward hackers, and it’s about the government admitting it needs help keeping its networks and data secure.
“What’s changed is the government’s willingness to allow you to hack us,” Wiswell said. “Many in government are more humble now than historically, and are coming around and acknowledging that we need help.”
A trial run of the bounty program was announced last week. It launches April 18 and closes May 12, and will be open to participants who are either a citizen, lawful permanent resident or alien authorized to work in the U.S. Participants must not be on the Treasury Department’s Specially Designated Nationals List, and must have a Social Security or taxpayer identification number. To receive a payout for an accepted, verified vulnerability, a participant must also be able to pass a security check.
The bounty program will be run by HackerOne, and those who register will receive the program’s parameters in an email sent at midnight April 18. Wiswell did say that the bounty will pay out $15,000 for “big-ticket bugs” such as remote code execution vulnerabilities.
Wiswell said she spent months working with HackerOne chief policy officer Katie Moussouris building the program’s framework and hacking bureaucracy inside the DOD. All of this was constructed as criminals and state-sponsored attack groups continue to probe and find holes in government networks and critical infrastructure.
“We wanted to define novel approaches to security challenges rather than just throw more money, software, hardware and contractors at the problem,” Wiswell said. “The bug bounty is one olive branch. We are committed to providing a legal avenue for the responsible disclosure of vulnerabilities. There’s a shift in the government from security through obscurity, to the thought that security should be open, innovative and engaged with the broader Internet ecosystem.
“There is a shift happening where government goes from thinking of hackers as dangerous criminals to partners in technology,” Wiswell said. ” We must respect all of you as the precious resource you are.”
The pilot program, Wiswell said, is a proof of concept that will illuminate lessons that can be incorporated as the program evolves.
Moussouris, who has since decided to open her own consultancy to help organizations get bug bounties off the ground, told Threatpost last month that the program is an admission the government needs to take measures to make things better.
“The current approaches are not working. The OPM hacks let you know that without a shadow of a doubt,” Moussouris said. “I think governments have the same problems that large organizations do. You know you’re under attack. You know you have vulnerabilities, but if you can put enough compensating controls around it and you feel like you’ve addressed the risks sufficiently, but an attacker isn’t bound by your scope or your compensating controls. And they will get what they want to get if they want to.”