The Department of Defense is expanding its “Hack the Pentagon” program by awarding contracts to Silicon Valley firms BugCrowd, HackerOne, and Synack to run ongoing bug bounty contests in search of vulnerabilities.
First launched as a pilot program in 2016 under Secretary Ash Carter, Hack the Pentagon allowed outside cybersecurity professionals to legally attempt to break into its public-facing systems — something that the DoD's enemies are trying to do pretty much every day. The trial run was a success, which led to thousands of security vulnerabilities being identified and remedied, according to a DoD press release.
“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important,” Chris Lynch, Director of the Defense Digital Service, said in a statement.
“When our adversaries carry out malicious attacks, they don't hold back and aren't afraid to be creative. Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets. We're excited to see the program continue to grow and deliver value across the department.”
The contracts will see the companies running “continuous, year-long assessments” of DoD assets beyond the public-facing sites of the past. Bug hunters will also be targeting private Pentagon assets, as well as hardware and physical systems.
The outside help is much-needed.
The Pentagon announced a breach of its travel records system just over 10 days ago, which exposed personal information and credit card data on as many as 30,000 military and civilian personnel. And just a few days before that, a report out from the Government Accountability Office showed the scale of vulnerabilities in DoD, especially in its weapons systems, is getting out of hand.
As Task & Purpose previously reported, between 2012 and 2017, penetration testers “routinely found mission critical cyber vulnerabilities in nearly all weapon systems that were under development,” the report said. Also noteworthy was the fact that testers weren’t taking nearly as much time or using sophisticated methods as a nation-state adversary would.
Instead, most used “relatively simple tools and techniques” to take control, and largely operated undetected as a result.
“DoD likely has an entire generation of systems that were designed and built without adequately considering cybersecurity,” the report said.
The contract for the crowd-sourced bug bounty program is worth a cool $34 million, NextGov reported.