In an increasingly connected world, cybersecurity is a growing concern, and the US government has been taking steps to tighten its digital defenses. In March, the Department of Defense (DoD) invited hackers to "Hack the Pentagon" in a competition designed to identify vulnerabilities in its public-facing websites. The results of the bug bounty pilot have now been released.
Government systems are under a constant barrage of attempted attacks, which prompted the creation of Hack the Pentagon, the US federal government's first bug bounty competition. The pilot program ran from April 18 to May 12, and attracted some 1,400 hackers to test the limits of the DoD's online security.
"We know that state-sponsored actors and black-hat (criminal) hackers want to challenge and exploit our networks," says Secretary of Defense Ash Carter. "What we didn't fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference – hackers who want to help keep our people and nation safer."
Hack the Pentagon was organized by the Defense Digital Service (DDS), the branch of the DoD dedicated to cybersecurity, and hosted by HackerOne, a Silicon Valley-based company that provides services to find and patch bugs in online systems before criminals can find and exploit them.
During the competition, 1,400 participants were set loose on five public-facing government websites, including defense.gov, and challenged to find potential exploits and report them. Of 1,189 reports filed, 138 were determined to be unique and valid concerns, and rewards were granted to the hackers who uncovered them. In all, US$71,200 was awarded, an average bounty of $588 per bug, with individual payouts varying by the type and severity of the finding. The entire cost of the program was $150,000, far less than the estimated $1 million-plus it would have cost to hire an outside professional contractor for the same work.
Cross-site scripting (XSS) issues, which allow an attacker to inject script into a web page so that it runs in other users' browsers, were the most commonly reported vulnerability, which is unsurprising given how widespread they are across the web. The next most common categories were Information Disclosure and Cross-Site Request Forgery (CSRF); CSRF lets an attacker ride on the credentials of a logged-in user to trigger actions that user never intended.
The single most severe vulnerability found, and as a result the highest-paid bounty, was for an SQL injection, in which untrusted input ends up interpreted as part of a database query, potentially exposing information stored in the database. Each of the vulnerabilities identified by the hackers has been addressed by the Defense Media Activity.
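To make the two injection classes named above concrete, here is an added example (not code from the article, the DoD, or HackerOne) showing the unsafe pattern beside its hardened form for both SQL query construction and HTML output. The table, the user rows and the test inputs are constructed for the demonstration; the point is that a bound parameter and an HTML escape each keep untrusted input in the data position, so a quote or angle bracket in it cannot change the query or the page structure.

```python
import html
import sqlite3


def make_db():
    """Build a constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "editor"), ("bob", "admin"), ("carol", "viewer")],
    )
    return conn


def lookup_user_unsafe(conn, username):
    # Vulnerable pattern: the untrusted value is spliced into the SQL text,
    # so a quote character inside it alters the structure of the query.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Hardened pattern: a bound parameter is always treated as data,
    # whatever characters it contains; the query structure is fixed.
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def render_greeting_unsafe(display_name):
    # Vulnerable pattern: user-controlled text placed straight into HTML,
    # so markup in it becomes part of the page served to other users.
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name):
    # Hardened pattern: escape for the HTML text context before output,
    # so the browser renders the characters instead of interpreting them.
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    # Constructed test input containing a quote: the unsafe lookup returns
    # every row, the parameterized lookup returns nothing.
    probe = "nobody' OR '1'='1"
    print("unsafe:", lookup_user_unsafe(db, probe))
    print("safe:  ", lookup_user_safe(db, probe))
    # Constructed test input containing markup: only the escaped form is inert.
    print(render_greeting_unsafe("<b>x</b>"))
    print(render_greeting_safe("<b>x</b>"))
```

Running the module shows the contrast directly: the string-built query matches all three constructed rows for an input that names no user, while the parameterized query matches none, and the escaped greeting contains `&lt;b&gt;` rather than a live tag. The same two functions double as a small regression test a team can keep beside its web code.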
Hack the Pentagon was just the beginning, with the Department of Defense announcing several follow-on projects. Along with additional bug bounty programs to be run periodically, policies will be revised to allow white-hat hackers from the public to look for vulnerabilities in official websites and applications and submit reports on them without fear of prosecution. New incentives will also be incorporated into the DoD's policies to encourage contractors to be transparent in their work and to open their code up to this kind of testing.
"What we want to figure out is how we can use this in a way that is able to be used on nearly any level of classification, or any type of activity," says Chris Lynch, director of DDS. "We're not there yet. We're going to start to work through and look at other layers as well. We recognize that this is a really valuable tool. It's a huge change for the Department of Defense in terms of how we recognize the ability for people to come in and help us secure systems themselves. There are lots of things we can apply it to."