Bomb-makers, hackers wanted: US seeks public help to prevent attacks
By MATTHEW M. BURKE | STARS AND STRIPES Published: April 25, 2016
The U.S. government is recruiting hackers and bomb-makers to help strengthen American defenses in hopes of defusing possible terrorist attacks.
The Defense Advanced Research Projects Agency, or DARPA, announced in March that its Improv program was soliciting research proposals — with an emphasis on creativity — for prototypes and systems that could “threaten current military operations, equipment or personnel” made from commercially available technology such as cellphones.
Meanwhile, the Defense Department announced a pilot program, Hack the Pentagon, that is designed to identify and resolve security vulnerabilities within DOD websites.
“The goal of the program is to cast a wide net for ideas,” DARPA program manager John Main said of Improv. “We have experts who tell us some things that are possible, but the truth is that there is a huge variety of technology available to almost anyone, so a panel of experts can only tell us part of the story.
“Since essentially anyone can obtain this technology, it makes sense to understand what they might do with it. We are trying to engage many, many people and get their ideas so we can understand the full scope of what is possible with commercial technology.”
A threat can be anything from an improvised explosive device to an aerial drone with a payload delivery system to a water-borne device. However, the less obvious the instrument, the better. Contributors are encouraged to use parts and systems from the transportation, construction, maritime and communications sectors.
Improv took shape during the past few years, Main said, when officials began to notice the increased availability of “powerful, commercial, off-the-shelf technology” such as cellphones, Raspberry Pi board computers and Arduino microcontrollers. The government began investigating how adversaries might use these technologies to harm the United States.
“DARPA’s mission is to prevent technological surprise, so we are constantly evaluating how surprises might happen,” Main said. “[We are working] to understand the full scope of what is possible using off-the-shelf technology so we can make informed decisions about both offensive and defensive capabilities.”
Participants may reconfigure, repurpose, program, reprogram, modify, combine or recombine commercially available technology in any way; however, they must adhere to local, state and federal laws and regulations, DARPA said.
Officials hope to end up with a broad selection of technical specialists, researchers, developers and skilled hobbyists spanning diverse backgrounds, professions and experience levels.
Abstracts for the project were due April 13 with full proposals due May 25, the agency said. Later, there will be feasibility studies and prototype construction and evaluation.
DARPA hopes to award funding to multiple projects and to have the program completed by year’s end.
“What happens after that depends upon what we find,” Main said.
Hacking the Pentagon
DOD’s $150,000 Hack the Pentagon pilot program is being led by the Defense Digital Service, which was launched in November by Defense Secretary Ash Carter, a Pentagon statement said.
The program, which runs through May 12, is being operated in partnership with HackerOne, a Silicon Valley-based “bug bounty” firm. A bug bounty compensates “white hat” hackers for exposing bugs or vulnerabilities, rather than punishing them for exploiting those flaws.
DOD spokesman Mark Wright told Stars and Stripes that people on the Treasury Department’s Specially Designated Nationals List, which includes those engaged in terrorism, drug trafficking and other crimes, are banned from taking part.
Qualified participants, who must undergo a basic criminal background check, are given information that is not being released to the public so they can seek weaknesses in unidentified government websites.
“Critical, mission-facing computer systems will not be involved in the program,” Pentagon Press Secretary Peter Cook said.
The idea came from similar programs in the private sector. If successful, the Pentagon hopes it can be expanded to other agencies.
“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” Carter said. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”
HackerOne will issue qualifying bounties no later than June 10.