15 November 2016

The US Military Launches “Hack the Army,” Its Most Ambitious Bug Bounty Yet

Richard Ellis

Virtually every big tech company offers cash rewards to hackers who find vulnerabilities in their software. Not to be left out, this year the Pentagon announced its first bug bounty to try to expand how the government defends its systems. Now the Army is joining in as well, with its inaugural “Hack the Army” bug bounty kicking off this month.

Announced by outgoing secretary of the Army Eric Fanning, the program asks hackers to vet and find flaws in the Army’s digital recruiting infrastructure. Unlike Hack the Pentagon, which only asked hackers to assess static websites, Hack the Army focuses on recruitment sites and databases of personal information about both new applicants and existing Army personnel. The program isn’t open to everyone; it’s invite-only so hackers can be vetted. Any military and government personnel who want to participate, though, get automatic entry.

“We’re not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense,” Fanning said in a press conference. “We’re looking for new ways of doing business.” 

The digital services involved in recruitment are “mission critical” according to Fanning, but they certainly don’t sound as crucial as, say, the navigation and communication systems in combat vehicles. It makes sense to keep the stakes relatively low at the start, though. Bounty programs are a big cultural departure for agencies like the Army that hold institutionalized secrecy at their core. Fanning describes the hackers that will participate in the program as, “people we might normally have avoided, and much of the Department [of Defense] still does.” By gradually adding and expanding bug bounty programs, agencies can adjust to accommodate them. 

The security consulting firm HackerOne, which helps institutions establish bug bounties, facilitates both Hack the Pentagon and Hack the Army. Alex Rice, the CEO of the firm, says that he hopes the programs will spread across the military, since HackerOne’s contract with the Department of Defense allows any DoD agency to get a bug bounty going. “You absolutely start seeing this effect when people witness the benefits of collaboration toward security goals. They start to look for even more creative ways to apply it.” 

Since the Army’s bug bounty program and HackerOne’s broader DoD contract have already started, they will continue during the Trump administration. Whether Trump’s military appointees will support the approach and potentially want to expand the programs is unknown. Secretary of the Army Fanning, for one, says he plans to be relaxing on a beach on Jan. 20. If Hack the Army can prove its usefulness with recruitment sites and databases, hackers may get the chance to take on more exciting military systems.