The Department of Defense is expanding its “Hack the Pentagon” bug-bounty program to include hardware assets, tapping the Synack, HackerOne and Bugcrowd platforms to attract more white hats to the effort.
The news comes two weeks after the Government Accountability Office (GAO) released a report detailing glaring cybersecurity issues in weapons systems at the DoD.
A three-year, $34 million “indefinite delivery, indefinite quantity” contract package covering the three bug-hunting companies will crowdsource vetted hackers to probe the DoD’s websites, hardware and physical systems.
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” said Chris Lynch, director of the Defense Digital Service, in a statement. “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We’re excited to see the program continue to grow and deliver value across the Department.”
Since the Hack the Pentagon program kicked off in 2016, bug-hunters have found more than 5,000 code vulnerabilities, and has run six public-facing bounty challenges, including the most recent, Hack the Marine Corps in August. Other sessions have focused on the Air Force, Army and the Defense Travel Service.
Synack and HackerOne have provided their platforms to support the efforts since the beginning, and this contract represents an extension of those existing relationships; Bugcrowd is a newcomer to the effort.
“In today’s environment, crowdsourced security is critical because all systems are vulnerable and there is a massive deficit of security skilled resources,” said Ashish Gupta, CEO and president of Bugcrowd, in a blog post Tuesday. “And while we cannot control our adversaries, we can control where we are vulnerable. But we can only do this if we know. CISOs and CIOs have the daunting task of prioritizing the identification of where their vulnerabilities are and how to fix them…before it’s too late.”
According to the contract’s performance work statement, the government expects the companies to run at least eight limited-time challenges and five continuous challenges during the first year of the contract, and more if an option is exercised. Each program will last between three months to a full year, and they could overlap.
Reward amounts have not been disclosed.
It’s perhaps no surprise that the Pentagon is expanding its focus to include physical systems. The bounty-expansion news comes shortly after the GAO called out the DoD as a department “just beginning to grapple with the scale of vulnerabilities” in its offensive military equipment. It reported that in cyber-tests of major weapon systems in development, testers playing the role of adversary were able to take control of systems “relatively easily and operate largely undetected.”
“DoD’s weapons are more computerized and networked than ever before, so it’s no surprise that there are more opportunities for attacks,” the GAO said in the report. “Yet until relatively recently, DoD did not make weapon cybersecurity a priority. Over the past few years, DoD has taken steps towards improvement, like updating policies and increasing testing.”
Thus the bug-bounty news is a step in the right direction. “The Pentagon, despite the generally negative press the GAO report generated, has actually made significant progress in this area in recent years,” said Jim O’Gorman, president at Offensive Security, via email. “In order to continue this positive momentum, they need to keep emphasizing the importance of testing and invest in further pen-test training to build the skillset of their team.”
