Everything is heating up on Capitol Hill: President Obama is proffering a new Supreme Court Justice nominee. The next presidential race is as much a circus as it is a true campaign. Apple and the FBI are still going at it (while other government agencies have started speaking out in favor of encryption). And the US Department of Defense recently announced its first-ever “Hack the Pentagon” bug bounty program. Mainstream media may not be overly impressed with the March 2, 2016 announcement, but the infosec community has taken note.
The bug bounty program, slated to begin in April, offers “vetted hackers” the opportunity to attempt to discover vulnerabilities in the DoD’s websites, applications, and networks, according to www.defense.gov. Understandably, only certain, non-critical systems will be part of the pilot, and hackers who want to participate must submit to background checks and will be given a limited timeframe in which to do their digging. The Pentagon is dipping its toe into the water ever so slightly, but this is a good move, says Joshua Corman, CTO of Sonatype and Founder of I am the Cavalry.
Some in the security community are grumbling about the program, asking why they (or their colleagues) would spend scarce spare time using hard-earned skills on work that would normally merit a handsome wage. Others question the vetting requirement and argue that allowing testing only on pre-determined websites defeats the purpose of “thinking like an attacker.” It’s true: a bona fide attacker—or nation state—isn’t going to stop at the boundaries of the program. Those adversaries will persist until they find what they’re after, whether snooping is permitted or not. The best part of being a black hat hacker (I have to assume) is that there are no limitations, no rules about “dos and don’ts,” and no one saying, “That’s not allowed.” That kind of open field stacks the deck in favor of the criminal, of course. While the Pentagon isn’t ready to roll out the red carpet to just any security professional, the fact that a government agency is starting to think like a private enterprise is a very, very good thing. “Rather than criticizing their baby steps,” offers Corman, “we should find what’s right with [the program].”
There has been a great deal of talk among government agencies about improving cybersecurity. This program shows that at least one of them is willing to pay it more than lip service. A nominal prize will be offered for vulnerabilities found, but the purpose of the monetary reward, says Corman, is not to compensate researchers as full-time employees but to offer an honorarium for committing to the cause.
You know that you have seen this all before
This shift in tactics is important, and Corman, Jen Ellis, Vice President of Community and Public Affairs at Rapid7, and their peers have been spending time in Washington over the last year or so advocating for the right to research. At present, bug hunting without explicit permission is “in a grey area of law,” says Ellis, and not just anyone can hack an organization’s website and say, “Look what I found! This is great for you!” For obvious reasons, public and private sector organizations alike are sensitive when a vulnerability in their networks, apps, or websites is revealed, even if the revelation is reported confidentially. The government, in particular, has been reluctant to allow a crowdsourcing approach, but private-sector bug bounty programs have shown that more eyes looking at a problem from various angles produce results when it comes to finding vulnerabilities and exploits. The “too many cooks in the kitchen” cliché does not apply here. Different types of adversaries have different methods and motivations, so it’s important to have different thought processes around how one’s organization could be attacked in order to understand where the higher walls and wider moats must be built.
A quick Google search for “government breaches” returns quite an impressive list, so it’s encouraging to see the DoD looking into the tools and assistance that will help keep its systems more secure. The department has acknowledged that it is not in a position to “hire every great ‘white hat’ hacker to come in and help.” By emulating successful programs in the private sector, however, it is signaling that it understands the scope of the problem and that reaching out beyond its four walls will help it “deliver comprehensive, more secure solutions” within the government as well as better protect the country. Leveraging security talent—skilled, resourceful people who are adept at finding bugs—will improve and speed up the process of finding and remediating problems.
Don’t spend the days biting your own neck
Typically private citizens turn to the government and military for protection; this time it’s the other way around. And it’s about time. This pilot program, says Corman, “is implicit acknowledgment by the federal government of the need for white hat hackers and their value to the public good.” We haven’t solved all the puzzles yet, but this is one of the first steps in a true public-private sector collaboration that could yield demonstrable results.