The US Department of Defense recently announced that it will expand its “Hack the Pentagon” bug bounty program, first launched in 2016.
The decision appears to be driven by rising cyber security threats: the expansion was announced shortly after a federal report was published describing glaring cyber security weaknesses.
The original “Hack the Pentagon” pilot challenged hackers to find vulnerabilities in the Pentagon’s public websites and a predetermined set of department systems. It proved extremely successful: hackers have identified more than 3,000 vulnerabilities in department systems since then.
Ethical hackers have already been paid $330,000 by the department under the program. Its success in surfacing serious vulnerabilities has led the department to expand the program’s scope beyond public websites to hardware and physical systems within the Pentagon, in collaboration with the bug bounty platforms HackerOne, Bugcrowd and Synack.
This will enable ethical hackers not just to find vulnerabilities in Pentagon public websites but also to find flaws in more sensitive Pentagon systems, including those required for “defense mission needs.”
As Chris Lynch, director of the Defense Digital Service, put it: “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative.”
He added: “Expanding our crowdsourced security work allows us to build a deeper bench of tech talent and bring more diverse perspectives to protect and defend our assets.”
The ceiling for the expansion, across the three bounty companies, will be around $34 million. As cyber warfare is increasingly outsourced, the US has recognised that the defence against it can be outsourced too. The program comes at a critical moment for the Pentagon: cyber security has become a major concern for the US amid strained relations with countries such as China, Russia and Iran, which have used cyber attacks for espionage and for retaliation over the Trump administration’s sanctions.
The expanded program could help the US address the glaring cyber security concerns recently raised by the US Government Accountability Office (GAO), in particular shortcomings in password and server security.
The severity of those weaknesses can be gauged from one incident in which a hacker was able to guess an administrator’s password in nine seconds. Weapon systems today depend heavily on digital controls, so such vulnerabilities have the potential to cause great damage.
The report also said that Defense Department operators were unable to respond effectively to the hacks: “DoD testers routinely found mission-critical cyber vulnerabilities in nearly all weapon systems that were under development.”
Initially, the Defense Department dismissed the GAO’s report as “unrealistic,” pointing out that the testers had access that outside hackers would not. Under this program, however, the participating hackers will have no such privileged access, so the real-world exposure should surface as well.