The government wants you…to hack it?

How the US government is relying on open innovation to combat cyberterrorism

As personalized data and digital IP become competitive advantages for companies across all industries, security breaches have grown more frequent and costly (increasing 27% and 23%, respectively, within the last year [1]), resulting in catastrophic reputational and financial consequences.

Traditionally, computer/network security was handled in-house, with teams of developers, researchers, and QA personnel carefully testing a system to discover and repair exploitable flaws. However, as digital attacks have become more sophisticated, they have outstripped the internal security capabilities of most companies. This need has given rise to ‘bug bounties’, contests in which organizations sponsor prizes for the developer community to stress-test their systems in order to find vulnerabilities (‘bugs’). This use of open innovation to discover security flaws has been a “widely understood best practice in the private sector” [2], but recently the federal government has also adopted this crowdsourcing approach to help secure its own systems. Government agencies, already facing a cybersecurity talent shortage [3], have realized that the magnitude of the security problem requires them to use open innovation as a vital weapon against digital threats.

Cybersecurity efforts benefit greatly from distributed innovation. The field is moving too quickly for any individual or group to fully keep up with all of the developments, and open innovation provides the creativity, objectivity, and scale needed to attack these issues from multiple angles, supplementing the government’s native security efforts. It enables the government to capitalize on the collective wisdom of the tech community, by leveraging participants with diverse expertise to strengthen their security development process.

In 2016, the Pentagon hosted the first ‘Hack the Pentagon’ program, inviting hackers to discover vulnerabilities in public facing Department of Defense websites. This was a landmark event for several reasons:

  1. This was the first bug bounty contest sponsored by a federal agency, reflecting an increasing willingness to use open innovation and “allow private citizens to offer their diverse range of talent to contribute and strengthen our nation’s security” [4].
  2. It endorsed hacking as a valuable tool to assess and improve security, in sharp contrast to the prevailing legal restrictions on these types of activities.

Since that program’s successful resolution of 138 security issues, comparable contests have been conducted for the Army, the Air Force, and the Defense Travel System, all with similarly successful outcomes [Exhibit 1]. Not only have these events produced substantial technical results, but they have also won the support of leaders within these organizations [Exhibit 3], who recognize both the intellectual value-add of these open efforts and their financial benefits, noting that “a security audit and vulnerability assessment, […] would have cost us more than $1 million [compared to $150,000]” [5].

Longer term, these programs are growing rapidly, with bipartisan legislation in place to commence similar projects at the Department of Homeland Security [6] and the State Department [7] [Exhibit 2], and more generalized recommendations being made through the Executive branch [8]. In parallel, this has also stimulated conversations on updating existing cybercrime legislation, such as the Computer Fraud and Abuse Act, which could empower the security research community by easing strict punishments for hacking-related actions. The Department of Justice has already recommended adoption of “vulnerability disclosure policies” (VDPs) [9], which allow interested parties to find and report security risks without fear of civil penalties, ensuring that the government will work “openly and in good faith with researchers” [10].

As cybersecurity evolves alongside technology, there are tremendous opportunities available to better utilize open innovation to tackle future security issues:

  1. Mandatory bug bounty programs—every government agency has a heavy digital presence, and there should be a requirement for open bounty programs to ensure ongoing security.
  2. Update cybercrime legislation—archaic legislation does not prevent sophisticated, international cyber terrorists from committing digital crimes. While VDP adoption is a crucial first step, the government should update the laws to loosen restrictions and stimulate digital creativity to keep pace with global security needs. This will reinforce the growth of open innovation communities and their ability to experiment in this space.
  3. Use open innovation to develop new software systems—the current use of open innovation has focused on remediating vulnerabilities in existing, legacy systems. Going forward, the government can leverage the knowledge base of the open source community to build new systems from scratch. Starting with a transparent codebase will allow greater feedback on security best practices throughout the creation and implementation process.

However, major questions still surround the role of open innovation in federal cybersecurity:

  1. What security risks are associated with providing transparency into digital government systems, and do these projects meaningfully prevent cyberattacks?
  2. If the government over-relies on these bounty programs as a core facet of its security development, and the open source community loses interest, how would the government keep pace? How does the government maintain scalable interest in its projects?

(796 words)

Exhibit 1:

Agency                      Date  Contest days  Verified vulnerabilities  Total prize money
Pentagon [11]               2016  25            138                       $75,000
Army [12]                   2016  22            118                       $100,000
Air Force [13]              2017  25            207                       $130,000
Air Force 2.0 [14]          2017  20            106                       $103,883
Defense Travel System [15]  2018  29            65                        $78,650
Marine Corps [16]           2018  20            150                       $150,000
Total [17]                  -     -             650+                      $500,000+


Exhibit 2 [7]: (image not included in this copy)

Exhibit 3 [17]: (image not included in this copy)

Citations:

  1. 2017 Cost of Cyber Crime Study. Accenture, 2017, pp. 3–4, https://www.accenture.com/t20171006T095146Z__w__/us-en/_acnmedia/PDF-62/Accenture-2017CostCybercrime-US-FINAL.pdf.
  2. “Hack the Pentagon.” US Digital Service, Report to Congress (115th Congress), Fall 2017, https://www.usds.gov/report-to-congress/2017/fall/hack-the-pentagon/.
  3. “Cyber In-Security II: Closing the Federal Talent Gap.” Booz Allen Hamilton, Apr. 2015, federalnewsradio.com/wp-content/uploads/pdfs/pps_cyber.pdf.
  4. “Hack the Pentagon.” US Digital Service, Report to Congress (115th Congress), Fall 2017, https://www.usds.gov/report-to-congress/2017/fall/hack-the-pentagon/.
  5. “Carter Announces ‘Hack the Pentagon’ Program Results.” US Department of Defense, 17 June 2016, dod.defense.gov/News/Article/Article/802828/carter-announces-hack-the-pentagon-program-results/.
  6. Hack the Department of Homeland Security Act of 2017, S. 1281, 115th Cong. (2018).
  7. Hack Your State Department Act, H.R.5433, 115th Cong. (2018).
  8. Report to the President on Federal IT Modernization. CIO Council, 2017, p. 7, https://itmodernization.cio.gov/assets/report/Report%20to%20the%20President%20on%20IT%20Modernization%20-%20Final.pdf.
  9. “A Framework for a Vulnerability Disclosure Program for Online Systems.” Department of Defense, July 2017, justice.gov/criminal-ccips/page/file/983996/download.
  10. “DOD Announces Digital Vulnerability Disclosure Policy and ‘Hack the Army’ Kick-Off.” US Department of Defense, 21 Nov. 2016, dod.defense.gov/News/News-Releases/News-Release-View/Article/1009956/dod-announces-digital-vulnerability-disclosure-policy-and-hack-the-army-kick-off/.
  11. “Hack the Pentagon.” HackerOne, 2016, hackerone.com/resources/hack-the-pentagon.
  12. “Hack The Army Results Are In.” HackerOne, 19 Jan. 2017, hackerone.com/blog/Hack-The-Army-Results-Are-In.
  13. “Aim High…Find! Fix! Win!” HackerOne, 10 Aug. 2017, hackerone.com/blog/hack-the-air-force-results.
  14. “U.S. Air Force Boosts Security With Second Bug Bounty Challenge on HackerOne.” BusinessWire, 15 Feb. 2018, businesswire.com/news/home/20180215005220/en/U.S.-Air-Force-Boosts-Security-Bug-Bounty.
  15. “U.S. Department of Defense Secures the DTS With Help From Hackers on HackerOne.” BusinessWire, 30 May 2018, businesswire.com/news/home/20180530005149/en/U.S.-Department-Defense-Secures-DTS-Hackers-HackerOne.
  16. “Hack the Marine Corps Bug Bounty Challenge Concludes.” BusinessWire, 3 Oct. 2018, businesswire.com/news/home/20181003005605/en/Hack-Marine-Corps-Bug-Bounty-Challenge-Concludes.
  17. Mickos, Marten. “The Best Is Yet To Come.” HackerOne, 24 Oct. 2018, hackerone.com/blog/Best-Yet-Come-DOD-Awards-New-Hack-Pentagon-Contract-HackerOne.


Student comments on The government wants you…to hack it?

  1. I really enjoyed learning about the government’s decision to crowd-source their cyber security. You make a compelling argument for the importance of using outside parties to expose security risks. In response to your concern about the public losing interest and the government agencies not being able to keep up their security threshold, one countermeasure could be changing their hiring practices. Obviously, potential employees would need to be adequately screened and deemed low-risk from a national security perspective, but the government agencies could try to hire employees or consultants at market rates from unconventional backgrounds. When testing for security, it would be important to have diversity of thought and experience to be the most effective.

  2. Great illustration of a problem that is very well addressed by open innovation.

    I think that extending the program to not only identify bugs but also to identify high-potential candidates for hiring would address some of the risks of the public “losing interest” and make the security improvements more sustainable. I think we saw this approach work quite well in the Valve case in our LEAD course, where outside video game “mod” developers were frequently hired full time.

    I do agree that there are more security risks involved in government hiring relative to video game hiring, so additional background checking may be necessary.

  3. The use of open innovation to combat cyberterrorism against the U.S. government is a fascinating application of the method at a federal scale. Particularly where there is a ready and able community of hackers, who might love the prestige of hacking into government security systems, this is an innovative way of leveraging those motivations in a positive way for the government. The security implications deserve their own consideration, and could not possibly be dealt with in a comprehensive manner here, but I will add another aspect to question: does welcoming people to hack the U.S. government in a constructive way encourage them to hack the U.S. government in a destructive way?

  4. This was really interesting. I think that it is a brilliant strategy for the U.S. government to adopt crowdsourcing as a means to improve their network security. I actually don’t see that much inherent risk in this process. Firstly, I would assume that the people within these crowdsourcing models are not “bad actors”. Those trying to hack the U.S. government are probably trying to do so separately, and inviting the public to try this is probably not inviting bad actors. With that said, the government should obviously (and probably does) monitor exactly who is attempting the hack and understand if that person could at all be a potential threat. On your point on whether the government, as a result of crowdsourcing, is diluting its own internal capabilities, I would suggest that they could even try to hire some of the best hackers as a means to further improve their network security.

  5. I have always felt the government should consider more ways to use open innovation to crowdsource ideas and talent across a variety of sectors. This strategy offers a means to increase, encourage, and capitalize on civic engagement, allows the government to include constituents in an effective way, and respond to their ideas and beliefs to better serve the people at large.

    In the case of federal cybersecurity, open innovation is a brilliant way to engage top programming talent. Programmers are enticed by the growing number of large technology firms, and as the industry continues to boom, the government will increasingly struggle to employ top talent. Open innovation offers a way for the government to access engineers and capitalize on the creativity and skills of its constituents.

    I agree that there is a unique risk in providing transparency with regards to federal cybersecurity systems, and that transparency could indeed be counterproductive to the government’s mission of cyber protection. The government must consider how to encourage engagement and collaboration among participating programmers while maintaining control and being judicious about which information it exposes to whom.

  6. This is really interesting! I had no clue that we were so honest about the vulnerability of the Pentagon, for example — doesn’t it send a bad message to other governments that we aren’t particularly confident in the safety of our cyber systems…? Seems like we shouldn’t be so open about our flaws!

    A big outstanding question for me after reading your piece is how hackers are compensated (if at all) for their labor. If hackers are saving these departments ~$1 million, shouldn’t they share in those profits? I often struggle with crowdsourced “competitions” like these — it feels like a way for institutions to avoid actually paying people for their hard work and creativity.

  7. This is such a fascinating article, thank you for sharing! Really enjoyed learning about this topic.

    Your question about the security risks of the transparency associated with these bounties is particularly interesting. As I read your article, I wondered what the political and international ramifications are of openly having contests that highlight flaws within our system. This would be counteracted if the 136 solutions have truly been viable and transformational and there hasn’t been a rise in later breaches related to understanding of systems through such contests. Your question had me thinking about your recommendations as well – I completely see why every department with a digital presence should consider having such contests, but I am loath to unleash open innovation on the software building side. Giving that type of control over the building of systems, and not just focusing on prevention through these contests, worries me. The open innovation would be sourced from non-government workers, and it may not behoove the government to have intellectual property like this be created by a public that can access it.
