Defense Department: "Hack the Pentagon," Please!
The federal government wants to hire hackers to boost security.
The Department of Defense announced Thursday that programmers could register for its “Hack the Pentagon” project, a new partnership with HackerOne that will crowdsource some of the DOD’s security needs.
The “bug bounty” pilot program will run from April 18 through May 12, and registration is currently live. Hackers can apply for selection by HackerOne, which is curating the selection process.
So why is the government hiring hackers to boost security? It’s nothing new. Lots of companies host hackathons, offering prizes to any programmer brilliant and diligent enough to poke holes in software. Some of them are eventually offered jobs if they’re good enough.
“The Hack the Pentagon pilot is modeled after similar challenges conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products, and digital services,” says Pentagon Press Secretary Peter Cook. “By providing a legal avenue for the responsible disclosure of security vulnerabilities, bug bounties engage the hacker community to contribute to the security of the Internet.”
HackerOne is a particularly “reputable” firm, as Cook put it, with hundreds of clients including Twitter, Yahoo!, Snapchat, and Uber relying on it to find vulnerabilities before the bad guys do.
Alex Rice, CTO and founder of HackerOne, tells Inverse that several hundred hackers will be involved in the pilot program – applications are open until mid-April, so there are no final numbers as of this writing. HackerOne will be connecting the DOD to a vetted, invite-only community of hackers who will work to identify areas of vulnerability within the DOD.
Even for organizations with significant security budgets, vulnerabilities still make it through, Rice said. “There’s still a severe shortage of cybersecurity talent and tools that are available. The DOD is like every other organization dealing with the reality that there’s a gap between the traditional ‘best’ practices and then what human intelligence is able to actually do. So these bounty programs are at the cutting edge of trying to close that gap by applying the best human intelligence to these vulnerabilities.
“Even the DOD can’t hire enough security individuals to protect against the adversaries they’re up against. So [it’s the DOD saying] ‘we already have the best security team but we acknowledge that might not be enough.’ It’s just good practice to ask what might be missed and have as many eyes as possible.”
Bug bounty programs, wherein developers incentivize hackers to find bugs and insecurities in their software, have been widely used among tech companies for some time. This will be the first time such a program will be utilized by the federal government.
“It’s pretty phenomenal to see the United States government taking this step before so many private industries do it,” says Rice, who ran the product services security team at Facebook before launching HackerOne. “This has been a leading practice in tech companies for years now, and you’re starting to see it roll out in other industries, but most private sector verticals are now lagging behind the U.S. government. It’s incredible to see them innovating in this space. I hope it’s a sign of things to come.”