January 19, 2017
The hacker prodding a public-facing Army recruitment website in early December stumbled upon a vulnerability, then another, until he found himself suddenly connected to an internal Department of Defense network that should have prompted him for special access credentials. By the end of that night, Pentagon employees were swapping frantic phone calls and considering a complete shut-down of the compromised network. The intrusion was unexpected, but more concerning was the fact that the hacker hadn’t set off any alarm bells — the Defense Department didn’t know he’d gotten into the internal network until he told them about it.
The hacker who found the vulnerabilities was participating in the Army’s first-ever bug bounty program, Hack The Army, a challenge that invites security researchers to put their skills to the test and pays them for their efforts. Defense Department security teams are trained to react swiftly to unexplained traffic on their networks, and not all of the Department’s 3.2 million members knew the bug bounty was underway, so the panic was understandable. But the Army sanctioned and even celebrated the hack of its recruitment website — it meant the bug bounty program was working.
“Frankly, my reaction was, ‘Great,’” Secretary of the Army Eric Fanning explains. “A lot of people’s first reaction to Hack The Army was, ‘Why would you invite people to hack you?’ Well, we’re being hacked every day, all day long, by people who are wishing to do us harm. So this idea of setting up this competition, vetting the participants, and then being in a situation where they tell us what they find is great. If they’re not finding vulnerabilities and, in some cases, finding vulnerabilities that really surprise us, then I don’t think the competition is doing all that we want it to do.”
Sec. Fanning’s reaction represents an evolution in the way government — following the lead of tech companies like Google and Facebook — views security research. Government agencies and private industry giants haven’t always been so nonchalant about getting hacked. Fears of foreign hackers have consumed Capitol Hill in the wake of large-scale data theft from the Office of Personnel Management and the Democratic National Committee, and companies have responded to bug reports with legal threats. Although many larger firms have established programs today that allow for safe vulnerability disclosure, hackers still have reasonable fears about prosecution and prison time.
“The shadow of that still lingers very strongly with security researchers,” says Alex Rice, the chief technology officer of HackerOne. “The risk is significant, and that’s true for the industry and especially for the government.”
HackerOne is one of several companies that offer bug bounty as a service, pairing the likes of Twitter, Uber and Dropbox with hackers who will test their sites and services for vulnerabilities. One of HackerOne’s latest clients is the Defense Department, which launched its first bug bounty, Hack The Pentagon, last spring and followed it with Hack The Army in November.
The Defense Department has been relatively slow to accept the concept of a bug bounty, adopting it only after years of implementation in the tech industry.