Which is the best way to discover security vulnerabilities affecting a computer system? Ask a group of hackers to test it. This is the concept behind a bounty program, an organization can hire hackers to test the system and ethically disclose the flaw, receiving a reward. Bug bounties are very popular initiatives among the communities of white hats, principal companies, including Facebook, Google and Microsoft. Facebook, for example, has already paid more than $3 million since 2011, when its bug bounty program was launched.
And what about if I tell you that the organization in question is the pentagon? Yes, it is true, ‘Hack the Pentagon’ is the initiative launched by the US Government, the first ever program of its kind, that aims to test the resilience to cyber attacks of the US defenses.
If the Pentagon will financial reward the hacker, it would be the first government-funded bug bounty initiative in the world.
“The Pentagon said on Wednesday it would invite vetted outside hackers to test the cybersecurity of some public U.S. Defense Department websites as part of a pilot project next month, in the first-ever such program offered by the federal government.”
“Hack the Pentagon” is modeled after similar competitions known as “bug bounties” that are conducted by big U.S. companies, including United Continental Holdings Inc to discover gaps in the security of their networks.” states the Reuters.
At time I was writing the bounty program has not been announced, until today, the Pentagon already uses its own internal security experts (so-called “red teams”) to test its networks, but openness to external hackers could give a major impetus in finding vulnerabilities in government systems, allowing to find new security holes.
The Hack the Pentagon initiative is welcome within the US government, in this way the expert at the Pentagon will be able to identify security issues before hackers can exploit them, with a significant improvement in term of cyber security.
“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” commented the Defense Secretary Ash Carter.
According to the Reuters, the participants will have to be US citizens and submit to background checks before being accepted to the Hack the Pentagon program, this is the principal difference with a common bug bounty initiative.
The program is being led by the DoD Defense Digital Service, which is a small team of engineers and experts, set up in November 2015, meant to “improve the Department’s technological agility and solve its most complex IT problems.”
In October 2015, Current and former members of the department’s cyber wing of the US Army, Captain Michael Weigand and Captain Rock Stevens, published a paper urging a joint project between the Army Cyber Institute and the US Marine Corps Forces Cyberspace Command. The project aimed to establish a central program for disclosing software vulnerabilities on military systems.
The military experts highlighted how essential aspects of the software lifecycle, like patch management and penetration testing are very difficult to carry on these environments. The systems used in the US Army are exposed by an absence of centralized patch management and penetration testing are not allowed due to the nature of the systems.
They call for a radical change, including the introduction of bug bounties, today internal experts who discovered vulnerabilities have no incentive to report the flaw are no obliged to disclose it, the post refers this bad habit as a “do nothing” culture.
In the paper published on the Cyber Defense Review website, the duo proposed the creation of an Army Vulnerability Response Program (AVRP), a bug bounty program run by the US military.
The Army Vulnerability Response Program (AVRP) platforms proposed by the military expert have to enable service people to report bugs free of risk of retribution and say penetration tests should be promoted as vulnerability scans are inadequate.
“The AVRP will serve as the central reporting mechanism for vulnerabilities in Army networks and will receive reports on poor configurations or gaps in security that could allow attackers to degrade Army systems. These systems include Army digital training management systems, Army Battle Command Systems, logistics procurement systems, and combat platforms deployed in hostile environments. Researchers can report vulnerabilities through a phone hotline or an online submission portal. The AVRP will track all submissions, facilitate the flow of communication with affected entities, and play an integral role in resolving the vulnerability throughout US government networks,” the paper reads.
The creation of a bug bounty program is an urgency for the US Government, it comes after the numerous successfully attacks suffered by US entities, including OPM, the White House, and The State Department.
Security Affairs – (Hack the Pentagon, cyber security)