A project called Hack the Air Force is paying “white hat” hackers over $130,000 for finding weak points in its websites, the service announced this morning. It’s the Defense Department’s third “bug bounty” – a high-profile initiative of Obama’s last Defense Secretary, Ashton Carter, that’s survived under Trump.
[CORRECTED FIGURES} Hack the Pentagon found 138 unique, validated vulnerabilities last spring, Hack The Army found 118 late fall, and now Hack the Air Force found 207. Those numbers are unnervingly high, but the whole point is to get friendly hackers to find the weak points before hostile hackers can exploit them.
It’s a strictly regulated exercise, not the Wild West. All three iterations were run by crowdsourcing company HackerOne, which vets the participating hackers and runs a background check on them before they get their money. Some 272 “vetted hackers” participated in Hack the Air Force.
Many high-scoring participants were under 20, with the biggest bounties going to a 17-year-old. Most participants were US civilians, but two were active-duty troops and – a first for the program – 33 were foreign citizens. Before you panic that the Russians are coming, all 33 come from the “Five Eyes” countries with which the US shares its most sensitive intelligence: United Kingdom, Canada, Australia and New Zealand.
Hack The Air Force logo
Still, listening to any outsiders, let alone foreigners and teenagers, is a dramatic culture shift for the Defense Department. In fact, old policies actively discouraged the public from reporting vulnerabilities and ordered independent security experts not to probe Pentagon systems.
Leading the charge has been Chris Lynch of the Defense Digital Service, another Ash Carter creation that brings in Silicon Valley gurus in sneakers and hoodies for short tours shaking up the suit-and-uniform culture of the Pentagon. The technophilic Carter spent a lot of time and effort on outreach to the commercial tech sector, including multiple trips with reporters in tow, and founded three offices called DIUX (Defense Innovation Unit Experimental) in Palo Alto, Austin, and Boston. Secretary Jim Mattis hasn’t matched this enthusiasm – it’s harder to imagine who could equal Carter here – and it’s an open question whether these initiatives will survive.
The bug bounty program probably has a better chance than other Carter initiatives, in part because Carter’s equally technophilic deputy, Robert Work, stayed on under Mattis for months until Patrick Shanahan could be confirmed.
“Work carrying over smoothed things,” said James Lewis, cybersecurity expert at the Center for Strategic & International Studies. Plus, he told me, “the programs seem to be effective, so I wouldn’t be surprised to see people keep it.
It’s also helpful that cash incentives for crowdsourcing are already routine in the commercial sector. The Pentagon is simply borrowing a proven private sector technique here, something the Trump Administration generally approves.
Because the bug bounty technique originates in the private sector, however, it only applies to the Pentagon’s business systems, not its warfighting ones. The hackers aren’t finding vulnerabilities in weapons software or command-and-control networks, but in “public-facing” systems such as websites. Those are important mainly for companies doing business with the military and for reporters and the general public seeking information – an area where the US is often out-spun by Russian propagandists.
