Earlier this month the U.S. Army launched its “Hack the Army 3.0” challenge, which was meant to build upon two previous bug bounty programs. Open to both military and civilian participants, the challenge began on January 6 and will run through February 17. The Army announced its first event in November 2016, which actually followed up the March 2016 “Hack the Pentagon” bug bounty. Then-Secretary of the Army Eric Fanning announced the Army’s new program, and called it a part of “looking for new ways of doing business.”
More recently in April 2019, the U.S. Air Force also hired “bug bounty” firm Synack to work with so-called “ethical” or “white hat” hackers to look for weaknesses in the most critical IT systems, including those that were used for maintaining weapons technology. Events such as Hack the Army 3.0 provide a way for these white hat hackers to test the security of a network to determine if there are potential exploits, which can be plugged before a real attack can occur.
“Bug bounty programs are a unique and effective force multiplier for safeguarding critical Army networks, systems and data, and build on the efforts of our Army and DoD security professionals,” said Brigadier General Adam C. Volant, U.S. Army Cyber Command Director of Operations.
“By crowdsourcing solutions with the help of the world’s best military and civilian ethical hackers, we complement our existing security measures and provide an additional means to identify and fix vulnerabilities. Hack the Army 3.0 builds upon the successes and lessons of our prior bug bounty programs,” he added.
The Hack the Army 3.0 is the Defense Digital Service’s (DDS) 11th bug bounty program to be conducted with Hacker One and the third involving the U.S. Army. In total, the Department of Defense (DoD) has executed 14 public bounties on external-facing websites and applications, and 10 private bounties on a range of sensitive, internal DoD systems. Previous programs included the aforementioned Hack the Pentagon as well as the Hack the Air Force and Hack the Defense Travel System, while the past private bounties have tested logistics systems, physical hardware, and even personnel systems.
As with the past events, it is geared towards allowing cybersecurity researchers to uncover and disclose security vulnerabilities in military systems. Civilian white hat hackers who successfully discover any valid security bugs can also receive a financial reward for their efforts – hence the bounty part.
Building on Past Hacks
The original Hack the Army attracted a total of 371 white hat hackers, including 25 government employees, 17 of whom were uniformed military personnel. Over the two-month long challenge, the event produced 416 reports that yielded 118 valid vulnerabilities.
The success of the first Army bounty was followed up with late 2019’s Hack the Army 2.0, during which hackers from six countries found another 146 valid vulnerabilities on publicly accessible U.S. Army websites. The civilian hackers who took part in that event earned a total of $275,000 in bounties.
Hack the Army 3.0 is now underway, and this iteration is a collaboration between the U.S. Army Cyber Command (ARCYBER), DDS, and the Army Network Enterprise Technology Command. ARCYBER officials had stated when the event was announced last November that there would be increased participation by military members, as well as to look towards ways to conduct more frequent bug bounty programs in the future.
During the event, registered participants have legal consent to hack a variety of DoD assets to uncover and help fix vulnerabilities – a critical need in the aftermath of recent vulnerabilities. All DoD bounties require researchers who take part undergo a background check, while private bounties, or those testing internal systems, require that researchers also have a citizenship verification before being provided access to DoD systems and information.
Most of the private bounties have the added mandated that a virtual private network (VPN) be used to monitor and log research activity for system owner transparency and “deconfliction.” The last thing the DoD would want is bad actors to take part in the very event to increase security.