Hackers Wanted: Crowd-sourced security at the United States Department of Defense
Data breaches and cyber attacks are becoming more prominent and less predictable. To manage ever-increasing cyber risk, the U.S. Department of Defense created a bug bounty program for security vulnerabilities and used crowdsourcing to invite hackers to break into their systems.
The U.S. Department of Defense (DoD) has historically relied on internal testing and quality control processes to secure top-secret information and technology. Under Secretary of Defense Ash Carter’s leadership, the DoD shifted the culture of its security program from closed systems to crowd-sourced security. During the launch of the first bug bounty program in Federal government history, Secretary Carter stated, “‘Security through obscurity’ is often our default position. For many of our networks and applications, there’s good reason for that. But the more friendly eyes we have on some of our systems, networks, websites, and applications, the more gaps we can find, the more vulnerabilities we can fix, the greater security we can provide our warfighters.” [5]
Hacker-Powered security
Hacker-Powered security utilizes the external hacker community to find unknown security vulnerabilities and reduce cyber risk. These activities are facilitated through bug-bounty programs, which proactively invite security researchers around the world to expose a company’s vulnerabilities in exchange for monetary and reputational rewards. The first bug-bounty program dates back to 1995, when Netscape offered cash for vulnerability reports against its web browser. Fifteen years later, these programs have become industry standard amongst technology companies like Google and PayPal. These bounty programs popularized crowdsourced security and fueled the growth of bug-bounty-focused startups like HackerOne and Bugcrowd, which offer platforms that connect organizations with ethical hackers, known as white-hat hackers. By crowd-sourcing security testing, organizations create an external monitoring system that identifies critical bugs faster than internal controls [6].
Launching Hack the Pentagon
In 2016, the DoD invited 1,400 hackers to identify and resolve security vulnerabilities within the Defense Department’s public-facing website. It took 13 minutes to discover the first vulnerability, and over the course of the next 6 hours hackers submitted over 200 findings, earning $75,000 in reward money [1]. The success of this pilot led to the expansion of bug-bounty programs to other departments within the DoD. Hack the Air Force paid out $103,883 in bounties to freelance hackers who discovered 106 vulnerabilities over a 20-day period [2].
Hack the Army paid $100,000 in bounties for 416 reports, and the first bug was found in 5 minutes. The Army asked hackers to target operationally significant websites, and they discovered a critical vulnerability that enabled attackers to move from a public-facing website, www.goarmy.com, to an internal DoD website that required special credentials to access. The hackers were able to reach the DoD’s internal network through an open proxy, meaning the routing from the public site to the internal one had not been shut down the way it should have been. Once the issue was reported, the Army Cyber Protection Brigade was able to remediate it immediately, stopping future attackers from exploiting this chain of vulnerabilities [3].
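The open-proxy finding above is a routing-policy failure: a public front-end forwarded requests to hosts it was never meant to serve. As an added illustration (not code from the article or from the Army’s program), the following Python routing guard shows the control that prevents that, and replays constructed access-log lines through it; all hostnames and the log format are assumptions.

```python
# Reverse-proxy routing guard: forward only requests for the virtual hosts
# this public front-end serves, and never behave as a forward proxy.
from typing import List, Optional, Set, Tuple

# Hypothetical allow-list of public virtual hosts (constructed names).
ALLOWED_HOSTS = {"www.public.example", "public.example"}


def route(method: str, target: str, host: Optional[str],
          allowed_hosts: Set[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (forward?, reason). A front-end that forwards whatever Host
    or URI it receives is an open proxy: it can be used to reach hosts
    that sit behind it."""
    if method.upper() == "CONNECT":
        return False, "CONNECT tunnelling is not a reverse-proxy function"
    # Absolute-form target (GET http://other-host/ HTTP/1.1) is a
    # forward-proxy request; a reverse proxy should only see origin-form.
    if target.lower().startswith(("http://", "https://")):
        return False, f"absolute-form target refused: {target}"
    if not target.startswith("/"):
        return False, f"malformed target: {target}"
    if not host:
        return False, "missing Host header"
    hostname = host.split(":", 1)[0].lower()  # drop any :port suffix
    if hostname not in allowed_hosts:
        return False, f"Host {hostname!r} is not served here"
    return True, f"forward to upstream for {hostname}"


def audit_log(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Replay access-log lines (constructed format: METHOD TARGET [HOST])
    through route() to see which requests would have been proxied."""
    results = []
    for line in lines:
        method, target, host = (line.split(maxsplit=2) + [None])[:3]
        forward, reason = route(method, target, host)
        results.append((line, forward, reason))
    return results


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "GET / www.public.example",
    "GET http://intranet.internal.example/ www.public.example",
    "GET /admin intranet.internal.example",
    "CONNECT intranet.internal.example:443 www.public.example",
]

if __name__ == "__main__":
    for line, forward, reason in audit_log(SAMPLE_LOG):
        print(f"{'FORWARD' if forward else 'REJECT':8} {line} -> {reason}")
```

Only the first sample line is forwarded; the other three are the request shapes an open proxy would have passed through to an internal host.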
The DoD’s bug-bounty programs have resulted in the successful resolution of 5,000 security vulnerabilities, and the DoD has since expanded their scope to more sensitive systems like the department’s travel booking system. The Defense Travel System (DTS) guards sensitive information for millions of government employees and contractors, making it one of the most widely used pieces of enterprise software in the U.S. government. Hackers employed a variety of methods, including social engineering, to expose over 100 vulnerabilities [4].
Recommendations
While bug-bounty programs are now prevalent across the software industry, the security researchers who participate have faced decades of abuse in the form of formal legal suits filed, inappropriate referrals to authorities, public attacks, and misguided laws that seek to ban or criminalize good faith security research and publication [7]. When considering crowd-sourced security, organizations need to first establish a Vulnerability Disclosure Policy (VDP), which is the legal foundation that enables all bug-bounty programs and outlines a method for receiving vulnerability submissions from the outside world [8].
Following the success of their bug-bounty programs, the DoD published a VDP that described the legal avenue for any hacker to disclose vulnerabilities in any DoD public-facing systems. Hackers now have clear guidance on how to legally test for and disclose vulnerabilities in DoD’s websites that may be out of scope of live bug-bounty challenges. This policy is the first of its kind for the U.S. Government and serves as a bold commitment to bringing diverse perspectives to protect and defend the nation’s assets.
Governments have a duty to be responsible caretakers of the private data they guard. Will other branches of the Federal government adopt crowd-sourced security? How will this model work in government agencies that depend heavily on technical contractors? How can bug-bounty programs be implemented at the local level and amongst government-managed institutions like power plants? Trailblazing paths to make society safer is a vital role governments need to take. The DoD has taken the opportunity to lead in working with the security researcher community. Hack the Pentagon should serve as a model for other government departments to follow, and I believe many more will.
Works cited:
[1] Government – Hack The Pentagon – Hacker Powered Security Testing. (n.d.). Retrieved November 12, 2018, from https://www.hackerone.com/resources/hack-the-pentagon
[2] O’Neill, P. H. (2018, May 31). Pentagon’s latest bug bounty program pays out $80,000. Retrieved November 13, 2018, from https://www.cyberscoop.com/hack-the-dts-dod-hackerone-bug-bounty-pentagon
[3] Hack The Army Results Are In. (2017, January 19). Retrieved November 12, 2018, from https://www.hackerone.com/blog/Hack-The-Army-Results-Are-In
[4] Pomerleau, M. (2018, October 26). DoD bug bounty program to expand to more sensitive systems. Retrieved November 13, 2018, from https://www.fifthdomain.com/dod/2018/10/24/dod-bug-bounty-program-to-expand-to-more-sensitive-systems/
[5] Carter, Ash. “The Pentagon’s First Bug Bounty Exceeded All Expectations.” U.S. Department of Defense, June 17, 2016.
[6] Wong, C., Shema, M., & Warner, T. L. (2017). Crowdsourced Pen Testing for Dummies (1st ed., Vol. 1, Cobalt Edition). Hoboken, New Jersey: John Wiley & Sons.
[7] Evans, C. (2018, March 21). Protecting Security Researchers. Retrieved November 13, 2018, from https://blogs.dropbox.com/tech/2018/03/protecting-security-researchers/
[8] Vulnerability Disclosure Policy Basics: 5 Critical Components. (2017, August 10). Retrieved November 13, 2018, from https://www.hackerone.com/blog/Vulnerability-Disclosure-Policy-Basics-5-Critical-Components
Image source: https://www.synack.com/hack-the-pentagon/
Fascinating article! I was not aware that the DoD engaged white-hat hackers to identify potential vulnerabilities, but that actually seems like a very effective and comprehensive way of diagnosing risks. I agree that hack the Pentagon should serve as a model for other government departments to follow, and I certainly hope more will!
Very interesting piece Christine, thanks for sharing! I am not that familiar with this space, but very curious as to how this crowd-sourcing approach is viewed in the government and cyber security communities, and how other governments around the world address their cyber-security issues. As a layman, while this seems like a good approach to plugging potential vulnerabilities, I wonder if it still leaves systems open to attack through paths that have not yet been discovered. Do you think this is the best strategy available to the government at this point in time? I definitely agree that strategically important infrastructure such as power plants should be taking the appropriate cyber security steps. I wonder if this is something that could be federally mandated in the interest of national security, or whether it has to be more of a local push.
Bug bounty programs are utilized by the top technology firms and I am happy the DoD has found some way to integrate this into open innovation. It is said that the best developers are those that choose their work and are not forced to work on specific programs by way of their employment. Bounty programs are also a better use of government funds since we would essentially be paying for solutions and not paying government workers to do minimal work and hire expensive outside consultants.
I love the idea of applying bug hunting to government programs and providing bounties for hackers who find vulnerabilities. I wondered about Ash Carter’s quote above, particularly the security through obscurity part. Do you think there is a risk with adverse selection where the government does not ask for hacker feedback/bounties on more sensitive programs because of their bias towards obscurity, and so low level systems are well reviewed but more mission critical ones are not? Or that bureaucracies may not even ask for feedback on their programs for a fear of losing credibility or career risk?
This is a terrifying statistic:
“It took 13 minutes to discover the first vulnerability and over the course of the next 6 hours, hackers submitted over 200 findings, earning $75,000 in reward money.”
This explains so much about my frustrations with Army IT platforms:
“Hack the Army paid $100,000 in bounties for 416 reports – the first bug was found in 5 minutes.”
Wonderful article!
This was amazing! It seems to be a proactive idea to encourage hackers, under the right terms, to identify weak spots. I’m wondering, however, if this has secondary effects. For example, what if a hacker who hacks the DoD is compensated more by an adversary to the United States? How can we ensure that white-hat hackers who get familiar with the DoD’s security system don’t become threats if compensated by non-US targets?
Really great to see that the DoD is using white-hat hackers to improve security. I definitely think these bug-hunting programs should be expanded to other parts of government. However, I agree with Nick Carraway – I am concerned about security and threats from adversaries. For the right price, a hacker may not disclose a weak spot and then sell that information to another government. I hope people are better than this and perhaps I’ve just been watching too much Homeland, but I think there needs to be some more security/incentives/something in place to build more trust.
Thanks for sharing!
Super interesting article – this is the first I have heard of supervised hackings of the government! To your question on how to protect the hackers, my recommendation is to hire dedicated hacker teams for the various branches of the government. These hackers would work independently / outside of the formal organizations, but they would have to go through intense background checks, be included in employee databases, and routinely reviewed to ensure (1) their own safety/security, and (2) the safety/security of the government agency.
Very interesting article! It is scary to think of the power the hackers have (and could potentially have) in our world. As we become more and more dependent on technology (autonomous cars, for example), it is frightening to think of the impact that someone with bad intentions could have – without moving from home and hiding behind their computer. I see this as an initiative that says ‘we need all the help we can get’ on this issue – and there is undoubtedly a lot of tech talent in the world that goes beyond the people that actually go through their IT recruiting processes. I think it is a marvelous initiative and I would hope that other countries take this as seriously as the United States Department of Defense, and also implement these types of initiatives within their Government Security systems.
Very interesting. It is both understandable and ironic that the high security systems are the very systems that don’t have the benefit of this type of constructive hacking, since those are arguably the most important sites to defend! The publication of a Vulnerability Disclosure Policy is also a great development – given the importance of whistleblower policies in corporates, it’s surprising that it’s taken the government so long to issue the VDP!
This is a great case of open “innovation”. Not only the government security system but also cryptocurrency trading platforms are targeted by hackers too. The fact that cryptocurrency hacking takes place several times a year somewhere in the world makes me think solving this issue is very difficult. Even if engineers build a perfect program, it may not stay perfect forever as the system has to be updated frequently. Is there any chance we can end this kind of problem?
It was surprising for me to find out about the vulnerability of DoD security systems mentioned in this article, given the staggering percentage of the US budget spent on this department! This makes me more uncomfortable about security threats from adversaries, not just on the DoD but in other online government spaces, in the meantime while the US government fixes the rest of their systems. As seen in the US elections, external influencers could easily gain access to sensitive US cyberspace, creating unprecedented national security threats, and it is only a matter of time before they will attack again. I just hope that other countries take this as seriously and follow the same footprints.