Are you involved in cyber-security? Ever wanted to test the Pentagon’s digital defenses, without the risk of spending the rest of your life in a dim concrete box?
Now’s your chance: the Department of Defense has launched (so to speak) a “Hack the Pentagon” initiative, featuring a bounty for anyone who finds flaws in the department’s public Webpages.
“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Ash Carter, U.S. Secretary of Defense, wrote in a statement accompanying the initiative’s announcement. “Inviting responsible hackers to test our cyber-security certainly meets that test.”
What defines a ‘responsible’ hacker? According to the Department of Defense, it means candidates will need to pass a background check. If they make it through, hackers will participate in a “controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system.” So no, you won’t get a chance to participate in your very own version of WarGames.
While the Pentagon wants its public-facing Webpages picked through for flaws, it will not allow hackers in the program to touch critical, mission-facing systems. Nor has it revealed the actual bounties for discovering bugs.
Bug bounties are all the rage these days among private companies, and with good reason: at least on paper, crowd-sourcing a bug-hunt will save time and money. Why rely on a couple dozen in-house security pros to cover every possible attack vector when thousands of outsiders will cheerfully do it instead?
But not every executive thinks that throwing thousands of tech pros at a Website is an acceptable way of uncovering vulnerabilities. “Why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is ‘whack a code mole’) when I could spend that money on better prevention,” Mary Ann Davidson, chief security officer at Oracle, wrote in a since-deleted blog posting last year, “like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues.”
Either way, the Pentagon’s bug-bounty program will debut in April; expect more details in coming weeks.