Crowdsourcing improvements to America’s security: Bug bounties and open innovation in the U.S. Department of Defense

How the DoD is using open innovation to improve America's security

Bug bounty programs have long been used by private corporations, especially those in the technology sector, as a cost-effective way to fix product issues and improve product security. In these programs, outside hackers are paid by organizations to legally expose cybersecurity vulnerabilities, which are then addressed internally. However, until recently, the U.S. Department of Defense (DoD) was not open to crowdsourced improvements to its cybersecurity infrastructure, strictly enforcing the Computer Fraud and Abuse Act against those attempting to hack its websites and systems[1]. This changed in 2016, when the DoD stopped relying solely on internal personnel for its information security initiatives by experimenting with controlled bug bounty programs in which civilians were invited to expose vulnerabilities in public-facing DoD websites. Since then, the DoD has paid out over $350,000 to “ethical hackers” through its growing bug bounty programs, which are facilitated by private sector vulnerability coordination platforms such as HackerOne and Synack[2].

This method of open innovation is now becoming important to the DoD for three reasons. First, cultivating and maintaining cybersecurity talent is difficult. An October 2018 GAO report cited the DoD’s challenges with “[hiring and retaining] cybersecurity personnel, particularly those with weapon systems cybersecurity expertise,” as well as the tendency for DoD cybersecurity professionals to leave for better-paying private sector jobs after gaining enough experience[3]. The DoD also recognizes that sourcing more minds and expanding creativity to identify problems and solutions to cybersecurity challenges is crucial. As the director of the Defense Digital Service has said, “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative.”[2] Finally, the DoD recognizes the cost-effectiveness of bug bounties, having paid $150,000 to hackers for verified results in its pilot program, compared to an estimated $1 million had the Department gone through the “normal process of hiring an outside firm to do a security audit and vulnerability assessment.”[4]

In the short term, following the success of its “Hack the Pentagon” pilot program, the DoD has continued to replicate such time-bound bug bounty programs throughout its branches (Army, Air Force, etc.)[5]. The Department is also running and refining its Vulnerability Disclosure Policy (VDP), its ongoing policy and process for security researchers to report vulnerabilities in any DoD public-facing website or web application, which is separate from the bug bounty programs[6]. As ideas to improve the DoD’s web security flow in from citizen hackers, the Department needs to learn to effectively manage this feedback loop. Given the lack of monetary incentives tied to the VDP, the DoD will need to react to discovered vulnerabilities in a timely manner, communicate action(s) taken on the submissions, and reasonably communicate the impact and outcomes of the process in order to attract future participation (and further scale) at very little cost.

In the medium term, the DoD seeks to elevate the capabilities and influence of the Defense Digital Service agency beyond its current role of administering ad hoc bug bounty programs and the VDP. The agency’s mandate is to help the DoD close its technology talent and capability gap relative to the private sector in building its critical systems[7], which requires openness to both external innovation and better sharing of innovative solutions internally. To achieve this, it will need to sustainably build a shared culture of appreciation and acceptance of the idea that the DoD benefits from dramatically expanding the number of ideas originating from both civilian outsiders and other teams within the DoD. This will prove challenging for an organization that has traditionally (and understandably) been insular, secretive, and uncooperative with outsiders and even across branches. To bring the DoD’s technology talent and capabilities more in line with the private sector, the DoD needs to transition toward a more fast-moving, iterative systems improvement process that can increase output and attract talent. Again, this will be a major operational and cultural undertaking within a slow-moving, highly conservative bureaucracy.

Moving forward, the Department will inevitably move closer to addressing the most sensitive question of all – will crowdsourced ethical hackers have any role to play in the improvement of our nation’s most critical defense information and weapons systems? If so, how should the DoD define the scope and boundaries of the problems to be solved and who can solve them without jeopardizing national security, while still addressing cybersecurity challenges of critical impact? And as these programs expand in scope and sensitivity, will the current system of working with private sector cybersecurity coordination platforms such as HackerOne need to change in order to adequately source the volume, level of expertise, and security clearances that this new frontier of DoD cybersecurity problems requires? (772 words)

[1] Newman, Lily Hay. “The Pentagon Opened Up to Hackers-And Fixed Thousands of Bugs.” Wired, Wired, 10 Nov. 2017, www.wired.com/story/hack-the-pentagon-bug-bounty-results/.
[2] Ng, Alfred. “’Hack the Pentagon’ Bug Bounty Expands to Include Critical Systems.” CNET, CNET, 24 Oct. 2018, www.cnet.com/news/hack-the-pentagon-bug-bounty-expands-to-include-critical-systems/.
[3] United States, Congress, “WEAPON SYSTEMS CYBERSECURITY DOD Just Beginning to Grapple with Scale of Vulnerabilities”, Oct. 2018, p. 40.
[4] Carter, Ash. “Remarks by Secretary Carter at Hack the Pentagon Ceremony.” 17 June 2016.
[5] O’Neill, Patrick. “Pentagon’s Latest Bug Bounty Program Pays out $80,000.” Cyberscoop, 31 May 2018, www.cyberscoop.com/hack-the-dts-dod-hackerone-bug-bounty-pentagon.
[6] “Vulnerability Disclosure for U.S. Dept Of Defense.” HackerOne, 21 Nov. 2016, hackerone.com/deptofdefense.
[7] “Transforming Technology within the Department of Defense.” Defense Digital Service, dds.mil/.

Student comments on Crowdsourcing improvements to America’s security: Bug bounties and open innovation in the U.S. Department of Defense

  1. Momo, thanks for a fascinating look into the national security and cyber world. One of the most important issues you hit on was the ability to attract and maintain individuals with the skills and knowledge necessary for the military to keep their IT systems and networks secure under increasing threats. There are several issues at work: first, the government is extremely limited in its ability to remunerate talented individuals due to legal restrictions. If an enlisted cyber warfare specialist can easily earn twice or three times the salary for fewer work hours, they had better have a compelling culture and mission to encourage them to stay in uniform. This brings up the issue of personnel management policy and managerial expertise. Many middle managers who supervise military cyber experts are significantly less experienced and tech savvy than their subordinates. The military has no ability to rapidly promote a hacker to their level of competence. Additionally, the U.S. military still prizes combat arms officers above others, meaning that often cyber warfare officers/managers are individuals who transferred into the community due to their inability to perform in their original war fighting role.

    If DoD is intent on pacing the threat, it is crucial they update their personnel policies. To maintain an industrial-age personnel management and promotion system in the information age is a recipe for obsolescence. In the case of military computer networks, obsolescence means vulnerability and defeat in battle; in other words, a situation that is unacceptable!

    Good work.

  3. I’m a firm believer that the most talented and advanced programmers and hackers will never work for the U.S. Government due to wages, bureaucracy, and stigma. I do believe, however, that ethical hackers are interested in helping the government improve its systems. The government may not be able to employ them full time, but they can use them in a manner befitting a consultant to test for weakness and advise on improvement. As technological advances continue, this form of testing is not so much an option but a necessity. The scope of such work is rightfully a tricky debate. At the very least, it should include any gateway or protocol that can be reasonably accessed from public servers for these servers are likely already under some form of attack. Closed networks and other compartmentalized systems would require a higher detail of control and vetting in order to employ a private hacker for testing purposes. The government cannot afford to ignore potential weaknesses in such a critical infrastructure node. Ultimately, it is much better that the government discovers its own weaknesses before its enemies do.

  4. This is a fascinating topic and an application of open innovation that I had not previously considered. It makes complete sense for the government to try to maintain the security of its most important systems by hiring the best “hackers” to try and expose weaknesses. While I agree there are some issues in determining boundaries – what level of security clearance should they be given, are certain closed-systems too sensitive for this method – I almost feel as if the government has no choice. There is no way the government will ever retain the best talent. At least through bug bounty programs they can control the flow of information and monitor the people they hire to expose weaknesses. There are some ethical concerns that need to be ironed out, however. Is this limited to American nationals? What if the best talent in this arena comes from non-US citizens? How much can the government share?

  5. Extremely interesting topic, thank you for posting! I think the question that you pose in the beginning of the last paragraph is extremely important and, unfortunately for the US Government / DoD, I don’t think they have much of a choice… ethical hackers will absolutely have to play a role to improve national security. Given the extremely sensitive nature of what the DoD is trying to protect, I very much understand the desire to try and fix these issues internally. The reality of the situation is that the skill set needed to find bugs exposing cybersecurity issues is one of the most monetizable talents currently in the private sector. I personally do not believe there is much the DoD can do to try and convince these people to work for them unfortunately. To address the follow-up question you asked, I think all ethical hackers should have to register as such before they begin just to ensure criminals do not use the program as protection if they are caught trying to hack into DoD websites. After registering, the scope and boundaries should be fairly broad in my opinion. The reason I would remain broad is that it is absolutely critical to beat criminals to the punch with all cybersecurity bugs. If the DoD is narrow in its scope of what the ethical hackers can do, they can easily overlook things the community of ethical hackers could have found.

    Fostering this community of ethical hackers can end up being the most cost-efficient way to properly deal with these cybersecurity threats. Linking up ethical hackers that have proven to discover bugs could be hugely beneficial to have them share ideas and work together to try and find the next bug. Ultimately, creating a community of ethical hackers that act almost like an outside cybersecurity consultant would be the best possible outcome.

  6. Given the difficulty of retaining and recruiting top talent, the DoD must source innovation externally as it is critical to national security. Although it may not be able to pay top wages to compete with tech companies for the scarce amount of advanced programmers, many companies and “ethical hackers” will be willing to help the DoD and government agencies (especially for a fee).

    One question that I have is will all future innovations and discoveries that the DoD is crowdsourcing be ethical? I am reminded of the FBI paying to hack the phone of the San Bernardino shooters. There was immediate controversy over the hacking and Apple’s response to the government request to unlock the phone. A private company was paid for the hack instead, raising the ethical issue of privacy. Another concern is that private actors finding bugs and breaches in the system may also be incentivized to sell this information to actors that are national security threats. Although crowdsourcing could play an important role in DoD innovation and security, there are some important considerations going forward.

  7. I think that this is a very important topic, which lots of countries face. I think that retaining extremely talented cyber security specialists is a very hard thing to do, mainly because the salaries in the private sector are much higher, the bureaucracy is much lower, and the lifestyle is way less restrictive. So as a result, the number of people who do stay is limited, and in time, those people will become less creative in analyzing and detecting security risks because it is much harder to detect a flaw in systems you have designed yourself or helped design.

    This is why I think the move towards open innovation makes a lot of sense, but as you mentioned, it is not feasible to expose your whole systems to the outside world. Also, replicating your internal systems in a different context to try and produce a challenge to solve in these Hackathons is also not a good option, because you have no idea where your system is vulnerable (it’s usually where you expect it the least) and it’s time-consuming to do.

    In Israel for example, we have the privilege that everyone serves in the army and then has to serve in reserve duty until the age of 40. This helps tremendously, because you can keep the clearance of people who now work in the private sector (after they are discharged) to some extent and then bring them back for a few weeks every year to serve. This way you can actually greatly benefit from them working in the private sector as they meet more challenges and when they come back for reserve duty, can look at problems from a different perspective.

    So, my suggestion will be to consider this kind of model in the US, where people who left for the private sector, could serve as advisors, and come back for a few weeks every year (for a fee of course) and thus leveraging them as a source of control, but I am not really sure if this kind of model is feasible in the US, would love to hear your thoughts on that.

  8. The topic you address might be the most challenging and important of our age of digitalisation and you do make a good point, with an ever increasing and fast moving landscape of potential cyber threats open innovation and sharing of threat intelligence will likely be an important source of knowledge and increased security. There is no doubt that the DoD could benefit from improving their bounty programs to access the same level of innovation as other private sector technology enabled organisations use to expose vulnerabilities.

    However, I do believe there is one critical element missing that is relevant to the DoD. As an important organisation for the world’s largest military power, the threats the DoD faces in cyber security will likely be the most sophisticated in the world and therefore their defence and response system will need to be even more sophisticated. This level of sophisticated cyber security knowledge is highly limited and highly sought after in today’s environment and I would question whether a model based on crowdsourcing can really be the solution rather than just a part of the solution that helps with the low hanging fruit (patching etc.).

    Personally I believe crowdsourcing needs to be a part of the solution to the DoD’s cyber security defence, but that it will likely remain a small part as the DoD will need to continue to rely on training and retaining a staff of highly skilled cyber security staff, contracting highly skilled security services firms and buying/trading threat intelligence with other government agencies and private organisations to keep the organisation safe from cyber war and crime.
