Today Defense Secretary Ash Carter announced the military’s first-ever “Hack the Pentagon” program in which “vetted hackers” will be paid a “bug bounty” to find vulnerabilities in what Carter called an “unprecedented effort to test our digital security.”
The hackers won’t be set loose on just any Pentagon systems, however; they’ll only be allowed to find holes in a “predetermined asset” in a “controlled, limited duration program.”
“This bug bounty will not compromise any of the department’s critical, mission-facing systems,” Carter said. “Instead, it will challenge our digital security in new and innovative ways.”
Carter said that “participants” in the program will have to register and submit to a background check before taking to the keyboard.
“We can’t give every great white hat hacker to come in and help us, but this allows us to use their skill sets, their expertise, to help us really build better, more secure… make the country more secure,” a Defense Department official told reporters today. “We’re excited about it. But not only is it a best practice, it augments and allows us to build to the great teams that we already have at the [Department of Defense].”
“White hat” is the term generally used for “good-guy” hackers who report the vulnerabilities they find so they can be fixed, rather than exploiting them.
Bug bounty programs are common in private industry, and major players like Google, Facebook and Microsoft already use them to expose vulnerabilities in their own software. In some cases, the companies are competing against underground black markets in which software vulnerabilities are hot commodities and can sell for hundreds of thousands of dollars for the most exotic and useful ones, according to cyber security experts.
The government program, scheduled to begin in April, “is a demonstration of my continued commitment to drive the Pentagon to identify new ways to improve [the Defense Department’s] security measures as our interests in cyberspace evolve,” Carter said.
Carter said more information about the program will be released later in the year.