The Pentagon expands the scope of its vulnerability bounty program


The program will now also accept reports of flaws in physical systems

Cybersecurity and digital forensics specialists from the International Institute of Cyber Security report that the Department of Defense is expanding its vulnerability bounty program, known as “Hack the Pentagon”, to include its hardware assets, using the platforms Synack, HackerOne and Bugcrowd to attract more participants to the program.

The news was released two weeks after the Government Accountability Office (GAO) published a report detailing cybersecurity issues in some of the Defense Department’s weapons systems.

A package consisting of a three-year contract of unspecified value, spread across the three bug reporting organizations, is intended to attract more hackers to examine the Department of Defense’s websites, hardware, and physical systems.

“Finding innovative ways to identify vulnerabilities and strengthen security has never been more important”, said Chris Lynch, a digital forensics expert from the Department of Defense, in a statement. “When our adversaries carry out malicious attacks, they do not stop and do not fail to explore all their possibilities. The expansion of our security and collaborative work allows us to build a deeper bank of technological talent and offer more diverse perspectives to protect and defend our assets. We are excited to see that the program continues to grow and generates benefits for the entire Department”.

Since the start of the Hack the Pentagon program in 2016, the cybersecurity and digital forensics experts who have participated in it have reported more than 5k code vulnerabilities and have run six public events, including Hack the Marine Corps, the most recent Department of Defense cybersecurity event, last August. Other hacking sessions have focused on Air Force systems, the Army and the Defense Travel Service.

“In the current environment, joint security work is critical because all systems are vulnerable and there is a massive shortage of resources trained to address these incidents”, said Ashish Gupta, CEO and president of Bugcrowd, on his personal blog. “While we cannot control the actions of our adversaries, we can control our most vulnerable points. But we can only do so if we know our systems well enough”, he mentioned.

Under the contract, the government expects the companies to run at least eight limited-time samples and five continuous samples during the first year of the contract. Each program will last between three months and a full year. The amounts offered by the program have not been disclosed.

It may not be surprising that the Pentagon is expanding its approach to include physical systems. The news of this expansion comes shortly after the GAO described the Department of Defense as “a unit that is just beginning to deal with the scale of vulnerabilities” in its offensive military team. The GAO reported that, in tests run against major weapon systems under development, the evaluators were able to take control of the systems “with relative ease and to operate largely without being detected”.

“The department’s weapons are more computer-operated than ever, so it’s not surprising that there are more attack vectors”, the GAO report mentions. “However, until relatively recently, the Department of Defense had not prioritized the work of cybersecurity”.

For digital forensics experts, this news is a big step in the right direction. “The Pentagon has made significant progress in this area in recent years”, said Jim O’Gorman, an expert in cybersecurity. “To continue this positive drive, they must continue to emphasize the importance of testing and invest in increased training to develop the skills of their security teams”.