Pentagon waives penalties for hackers to test its cybersecurity
November 21, 2016
WASHINGTON — The Pentagon has approved all so-called “white hat” hackers to test the cybersecurity of its public websites without fear of prosecution, the Defense Department announced Monday.
Any hackers who promise to “do no harm” can attempt to hack into the Defense Department’s many public websites as long as they report any potential security vulnerabilities directly to Pentagon officials, in an expansion of a pilot program launched earlier this year known as “Hack the Pentagon,” defense officials announced. The new program, called the Vulnerability Disclosure Policy, marks the first time a federal agency has asked for public assistance in protecting its websites from threats. The program is backed by the Department of Justice.
Defense Secretary Ash Carter described the policy as “see something, say something.”
“We want to encourage computer security researchers to help us improve our defenses,” Carter said in a statement. “This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security.”
Carter launched the initial “Hack the Pentagon” bug bounty challenge in April. The monthlong initiative allowed about 1,400 hackers approved by the Pentagon to test five Defense Department websites for security vulnerabilities that could have allowed malicious attacks where personal information could have been stolen, or where hackers could have hijacked the website to force it to post unauthorized content. The hackers discovered 138 vulnerabilities, and the Defense Department paid them a total of $75,000 for their efforts.
The new initiative will not pay any of the hackers. Pentagon officials hope they will challenge Defense Department websites’ security as a public service.
Monday also marked the opening of registration for “white hat” hackers to enroll in the Defense Department’s second bug bounty program, “Hack the Army.” The initiative asks vetted hackers to find vulnerabilities in some of the Army’s non-public web applications in exchange for reward money.
Army Secretary Eric Fanning announced the new bounty program earlier this month. He said it was designed to help prevent the kind of attack hackers launched in 2015 on the Office of Personnel Management’s database that led to the theft of millions of Defense Department employees’ personal information.
In addition to that hack, other federal government systems in recent years have faced repeated threats. In January 2015, an Islamic State group affiliate called the “Cyber Caliphate” briefly hijacked some U.S. Central Command websites.
Carter has vowed to continue to expand cybersecurity and find additional ways for the public to help the Pentagon secure its websites. Additional bug bounty programs through the other military services are expected in the future, according to the Defense Department.