The Department of Defense is recruiting hackers to try to get into the “five-sided box”.
He may have been ahead of his time. Gary McKinnon—or “Solo” as he was known on line—admits to hacking into Pentagon and other U.S. government computers in 2001 and 2002 in a search for secret UFO files.
If he had waited until April 2016, he might have earned money for the hack. As it was, he faced $2 million in fines and 70 years behind bars.
Now, the Pentagon has announced its new “bug bounty” program, a chance for hackers to uncover bugs or flaws in the Department of Defense’s computer systems and get paid.
“You’d much rather find the vulnerabilities in your networks this way than the other way,” said Secretary of Defense Ashton Carter at the RSA conference in San Francisco, according to eWeek.
The news brought praise from some people working in cybersecurity.
“The bug bounty initiative from the U.S. Department of Defense is a huge step forward in modern security,” HackerOne’s Katie Moussouris told Archer News.
“Excellent step,” said Casey Ellis of Bugcrowd. “They need it. It’s the only way they’ll get access to enough people to be able to compete with the adversary.”
Thank you, Pentagon
Ellis co-founded Bugcrowd, a company that sets up bug bounty programs for companies like Pinterest, Fitbit, Tesla Motors and Western Union, connecting them with hackers who will look for vulnerabilities, with the promise of money in return.
He wrote a message to the Department of Defense on the Bugcrowd site.
“Congratulations on your decision to make a stand around thinking progressively in this area,” he said. “You’ve gotten ahead of the curve, and that’s a wonderful thing not just for you but for the Internet at large.”
Not just any hacker
You will have to register and go through a background check in order to participate in the “Hack the Pentagon” program, according to a statement from the Department of Defense.
It is not a free-for-all. You will be vetted, and then you all be allowed to to join in a “controlled, limited time duration program” to search for flaws on a specific system, the statement said.
You will not get to hack the department’s critical systems for money, the department said. The Pentagon will provide more information in the weeks to come, with the program set to start in April.
The trust issue
The Pentagon is facing a key issue, Ellis said online—“How can we embrace and engage the talents of people we’ve traditionally distrusted?”
The trust issue may be a hurdle for the government, but not for attackers.
“Our adversary isn’t subject to our concerns around trust,” Ellis wrote.
He said most of Bugcrowd’s clients go on to relax their trust controls, reaching a wider group of white hat hackers.
“Start small, and focus on finding a the appropriate level of trust that will get you over the bar and get started,” he advised in his message to the Department of Defense.
“Once you experience the benefits from accessing a broader range of talent under a more efficient economic model, work to expand the scope of what you’ll allow people to test and those you’ll invite,” he added. “The results will be worth the effort and initial discomfort.”
How hard will it be to hack the Pentagon?
“The Pentagon will be a hard target, but there are always ways in,” Ellis told Archer News, “And with the right incentive in place, the crowd is excellent at finding them.”
Attackers have successfully infiltrated Pentagon computers before, and not just “Solo” in his classified UFO info quest.
Hackers made a “sophisticated cyber intrusion” into the Pentagon’s Joint Staff unclassified e-mail system last July, CNBC reported. The attack used an automated system to steal “massive amounts of data”—though none of it classified—in sixty seconds, and the Department of Defense shut down the e-mail system for two weeks to clean it out and build up defenses, according to CNBC.
In April 2015, Secretary Carter announced hackers had burrowed into an unclassified Pentagon computer system earlier in the year, CNN reported.
“(The hackers) discovered an old vulnerability in one of our legacy networks that hadn’t been patched,” Carter said, according to CNN. “While it’s worrisome they achieved some unauthorized access to our unclassified network, we quickly identified the compromise, and had a crack team of incident responders hunting the intruders within 24 hours.”
And the Department of Defense warned 20,000 employees in September that hackers attacked the Pentagon food court computer system, stole credit and debit card information, and used it to make fraudulent purchases, reported Military.com.
“Depending on the chosen target, and how much the Pentagon has hardened that target, it may be difficult or there may be some low-hanging fruit,” said Moussouris, whose company organizes bug bounty programs for General Motors, Snapchat, Airbnb, Dropbox, Twitter and more.
“I think that for a pilot bug bounty program, the important thing will be to work out how to respond to and fix the issues quickly, especially if the hackers identify critical holes,” she added.
First time
The Pentagon says this is the first time the federal government has tried a cyber bug bounty program.
Moussouris told Archer News that this could inspire other agencies and companies to follow suit.
“Not only will it enable the U.S. to find new technical security talent, but it will pave the way for other government agencies and other industries like finance, automobiles, and healthcare to explore working directly with hackers to find security bugs,” Moussouris said.