Hacking the Pentagon

By Lisa Wiswell, Bureaucracy Hacker at the Defense Digital Service

Though I haven’t done any complex buffer overflows, and I only got through the basics of Haskell, I’m a “hacker” in my own right — hacking Government bureaucracies around our outdated and often restrictive policies so we can get shit done at a pace consistent with the tech sector. That’s my job here in the Defense Digital Service, the DoD’s arm of the White House’s U.S. Digital Service — the government startup the Administration stood up to bring private sector talent and best practices into the federal government to improve critical services.

For the past seven years, I’ve worked with the Department of Defense to evolve its culture, particularly to interact better with the hacker and security community.

There was a time when DoD branded even the most professional hackers as criminals. And who can blame them? The OPM hack where Chinese hackers stole sensitive personal information, including social security numbers, of nearly 22 million people from both inside and outside the Government — that was just the icing on the cake. Had we had the ability to open up the OPM systems to professional hackers, who knows, perhaps it could have been prevented.

But in the last few months, we have made real progress on this front, resulting in a healthier perspective on what hacking is and isn’t. Hackers can help keep the Internet a safer place — by uncovering security weaknesses, and reporting holes that put at risk our most critical systems and data so they can be remediated in near real-time. Leveraging the talent and expertise that hackers bring to security challenge is part of why some of the best tech companies leverage crowdsourced vulnerability discovery and disclosure programs — and why some of us at the Pentagon knew we needed to as well.

So, earlier this year, DDS convinced the Department to launch its first ever bug-bounty, “Hack the Pentagon.”

Hack the Pentagon — Pilot Statistics

And, I’m proud to report today that the pilot greatly exceeded all of our expectations. 1,410 hackers registered. 252 submitted at least one vulnerability report. 1,189 reports were submitted and of those, 138 reports qualified and were paid out. 117 were the total number of hackers that received payouts ranging from $100 to $15,000. And precisely zero registered hackers that intentionally did anything nefarious, or malicious.

This is a big win. It proved to the skeptics who believed hackers are dangerous, childish, and intentional lawbreakers, that instead, the hackers who participated in Hack the Pentagon were extremely helpful. This has illuminated a positive shift in our attitude toward the hacker community — as strong partners in technology, recognized for their talent and patriotism.

Lawyers, contracting officers, DoD bureaucrats…we had to hack it all. But we built the concept knowing that what was most important was to provide a new way to let Americans help make us safer at the end of the day. See, the bad guys aren’t waiting around for us to announce a bug bounty, or to win an award…the bad guys are constantly hacking away at our systems looking for our vulnerabilities.

The Secretary of Defense, Ash Carter, has shown he is committed to finding novel approaches to our most challenging security challenges, rather than just throwing more money, hardware, and software at the problem. That means we need to find legal avenues for private citizens to scan DoD networks, and to provide details to DoD networks owners about found vulnerabilities, best practices, and misconfigurations. Listen, if we’ve got bad ports open, are running old software versions, or have misconfiguration issues, we want you to tell us about it!

This will both advance the DoD’s security posture, and continue to extend olive branches to the hacker community, and researchers whose work entails scanning the Internet daily.

Over the next several months you’re going to hear about a number DoD initiatives that will engage private citizens, not affiliated with the US Government to help with our most complicated security concerns. First, as part of our commitment to providing a legal avenue for the discovery and disclosure of vulnerabilities for DoD networks, websites, systems, and applications, DoD plans to develop a responsible disclosure policy and process for private citizens to report DoD vulnerabilities without fear of violating laws or regulations.

Additionally, last week, Secretary Carter announced his plan to launch a persistent DoD Bug Bounty program to continue to allow hackers to be paid to find security flaws in specific DoD websites, applications, binary code, networks, and systems. Rolling out an enduring vulnerability discovery and disclosure program will begin to normalize this as just another tool in our security toolkit — just as industry has done.

All the challenges taking Hack the Pentagon to market were well worth it. They allowed us to shift our thought that “security through obscurity” is effective, to a position that security must be open, innovative, and engaged with the broader Internet ecosystem. So stay tuned for more exciting news from the Pentagon in the coming months!