It has been said that cyberspace will be the next battlefield.
If that is the case what would be the juiciest target for those cyber warriors?
Probably the Pentagon.
Well, for about four weeks, approximately 1,400 hackers have been studiously competing against each other to find technical vulnerabilities within the Department of Defense’s (DOD) public web sites.
As part of a unique pilot program named “Hack the Pentagon,” which ran from April 18 to May 12, DOD invited vetted hackers to conduct “vulnerability identification and analysis on the department’s public webpages.” It is “the first cyber bug bounty program in the history of the federal government” and “the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites, and networks.”
Other networks, including the department’s critical, mission-facing systems were not part of the bug bounty pilot program, according to the Pentagon.
When Secretary of Defense Ash Carter announced the competition back in April, he said, “I am always challenging our people to think outside the five-sided box that is the Pentagon…Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”
Apparently it did, as during award ceremonies on Friday, Carter announced that more than 250 “hackers” submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be “legitimate, unique and eligible for a bounty.”
How much did it cost the taxpayers?
The pilot program cost $150,000, including about $75,000 in reward prizes. “It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” Carter said.
Two of the “bug bounty” participants sharing the honors at a Pentagon ceremony were Craig Arendt and David Dworken.
Photo caption: Secretary of Defense Ash Carter congratulates 18-year-old David Dworken, left, and Craig Arendt, center, for finding vulnerabilities in DOD’s websites during the department’s “Hack the Pentagon” competition. DoD photo by Navy Petty Officer 1st Class Tim D. Godbee
“[Arendt] is a prolific security researcher who helped us identify a number of vulnerabilities and [Dworken] is a high school student who lives right here in the Washington area. For them and many others, this was about more than a reward or a bounty, it was about an opportunity to contribute to making our country safer,” Carter said.
Arendt found 22 bugs and won about $2,000. Dworken, who just graduated June 13 from a local high school, discovered six vulnerabilities that focused on standard web security, but did not win a cash award because “he wasn’t the first to find any of the vulnerabilities that he reported,” according to the Stars and Stripes:
Dworken was still in class at the Maret School in Washington, D.C., when the competition launched April 18. He was finishing advanced placement courses that would allow him to get college credits that he will apply later this year at Northeastern University in Boston.
“So it was pretty busy for me,” he said Friday.
But Dworken would open up his laptop computer between classes “and remote into various servers that I own at home, or rent in a facility” and start prodding the sites. He worked at it for about 15 hours.
Although Dworken did not win any prize money, he still found it rewarding and said he would “absolutely” come back to try and hack the Pentagon again, according to the Stripes.
Dworken, and other enterprising hackers, will get that opportunity again, as Carter plans to expand “the bug bounty program” to other parts of the department and is directing all DOD components to review where such programs can be used “as a valuable tool in their own security tool kit.”
Concluding his remarks at the awards ceremony, Carter said:
We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer.
I want to take a moment now to personally thank — congratulate the two individuals who participated in the bug bounty, thank all the folks from the department who created Hack the Pentagon, and then I’ll take a few questions from you all before I get a chance to take David and Craig back once again and chat a little bit more in my office.
Lead image: DOD
Sources:
http://www.defense.gov/News-Article-View/Article/802828/carter-announces-hack-the-pentagon-program-results?source=GovDelivery
http://www.defense.gov/News/News-Transcripts/Transcript-View/Article/802660/remarks-by-secretary-carter-at-hack-the-pentagon-ceremony
The author is a retired U.S. Air Force officer and a writer.