We hacked the rules so Defense can “get shit done” like tech firms

Image credit: Defense Digital Service

The Department of Defense’s newly expanded bug bounty was just as much about hacking government culture as it was about finding actual software flaws.

Thanks to Defense Digital Service (DDS), the unit that drove the DoD’s month-long Hack the Pentagon bug bounty pilot, Defense received 138 qualifying bug reports from 117 of the 1,410 hackers who registered for the bounty.

DDS’ “bureaucracy hacker” Lisa Wiswell highlighted on Monday in a post on Medium that the first valid report arrived just 13 minutes after the pilot went live.

But getting the program off the ground wasn't easy. Wiswell and her team needed to “hack them all” — meaning lawyers, contracting officers, and DoD bureaucrats — to plot a new path for Defense to navigate “around our outdated and often restrictive policies so we can get shit done at a pace consistent with the tech sector.”

DDS is an arm of the White House's “startup” unit, the U.S. Digital Service, which runs a small team of engineers and techies who are tasked with redesigning the government’s online services.

DoD paid hackers between $100 and $15,000 for each report, while the program overall cost $150,000 to run.

Paying for and finding the bugs was an important goal, but U.S. Secretary of Defense Ash Carter highlighted on Friday that the exercise was also a new cost-saving approach to government procurement.

"[The $150,000 was] not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said.

Carter said Defense will now run a permanent bug bounty and provide legal ways for citizens to report security flaws.

The results of the bounty were a “big win” in changing Defense attitudes towards hackers and the security community, according to Wiswell.

“There was a time when DoD branded even the most professional hackers as criminals,” she noted.

The results “proved to the skeptics who believed hackers are dangerous, childish, and intentional lawbreakers, that instead, the hackers who participated in Hack the Pentagon were extremely helpful,” she added.

Wiswell also provided some more details about how the DoD would, over the coming months, “extend olive branches to the hacker community”.

One effort will be a new DoD responsible disclosure policy and a legal avenue for private citizens to report software bugs. This policy outlines the rules for reporting bugs and is aimed at giving software makers enough time to fix and issue a patch for flaws before a reporter publishes their findings.

“Rolling out an enduring vulnerability discovery and disclosure program will begin to normalize this as just another tool in our security toolkit — just as industry has done,” wrote Wiswell.

She also noted that the DoD’s persistent bug bounty would include “specific DoD websites, applications, binary code, networks, and systems.” This expands on the pilot’s five public-facing websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil.

The DDS has also hired Google’s head of combating web spam, Matt Cutts, who announced on Friday he was “taking a leave from Google” for an unspecified role with DDS for several months.

If his personal views take shape during his tenure, more government agencies could adopt bug bounties in the near future, which he thinks could help the government prevent future security incidents such as the breach of the US government’s Office of Personnel Management (OPM), which exposed the private information of 22 million people who had applied for government vacancies.

“This is my personal opinion, but if bug bounty programs become more common in the government, that would mean that lots more people would be protected from hacks or identity theft,” he wrote on Hacker News.

Stories by Liam Tung