SAN FRANCISCO — The Pentagon is launching a new program that invites hackers to attack Department of Defense websites for possible financial rewards, the first such “bug bounty” program in the federal government.
The program, which begins in April, essentially involves the Pentagon selecting a group of hackers, giving them Department targets, and asking them to do as much damage as possible — and then report back what they found to help the DoD patch those holes, in exchange for some kind of reward.
“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Secretary of Defense Ash Carter said in a statement. “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defense and ultimately enhance our national security.”
Participants will need to be registered and vetted, although a senior defense official said that the process for how they will be tested is still being worked out. All participants must be US citizens.
The official, speaking on background ahead of the official announcement, said the hope is to eventually have participants number “in the thousands” but said there wasn’t a hard target.
“This is a pretty amazing thing and we believe that people are going to want to participate,” he said. “We welcome whatever that number is that can lend their skills to do it.”
“Bug bounty” programs, as they are known, have become commonplace in the tech sector. The website BugCrowd.com maintains a list of more than 470 companies that have such programs, including giants like Google, Microsoft, PayPal and Yahoo.
But the federal government had not yet embraced the idea, which the official called a best practice that should help DoD identify weak spots that are already under pressure.
“We’re constantly under attack. I can’t possibly emphasize that any more. Just like we have warfighters that are constantly under attack, our systems and networks are constantly being attacked here,” the official said. “Nobody who is a ‘bad guy’ is waiting around for us to introduce a bug bounty to go after a DoD effort. They’re not waiting. They’re doing it right now.”
So what will be targeted? The official said that while final decisions are still being made, the targets will be public-facing websites. Major homepages like Defense.gov or Army.mil would seem to be likely targets, as would social media. In January 2015, US Central Command’s Twitter and YouTube accounts were hacked by people claiming affiliation with the Islamic State group, commonly known as ISIS or ISIL.
Part of the reason for choosing public sites is to protect anything mission-critical from accidentally being affected by the government’s hackers, the official noted.
“We are picking initial assets because it’s a pilot and we want to make sure we control the risk and exposure, but we also can make it valuable,” he said. “We’re going to start simple but still picking something that will be very valuable.”
If the pilot is successful, it could be rolled out to a broader range of sites, the official indicated.
“This is a best practice. We should be doing this. We should be thinking of this throughout the entire development of any new technology or product or service that we offer within the DoD,” he said. “The goal here is to create a repeatable new process that we can roll into a bunch of other things that are going on at the DoD.”
The announcement comes as Carter is attending the annual RSA security conference, a major hub for the cybersecurity community. Defense News is traveling with Carter during a West Coast swing, where he is meeting with leaders from the tech sector to discuss how to bring innovation into the Pentagon.