The use of so-called ethical hackers or “white hat” hackers has helped the Department of Defense (DoD) plug holes and address cybersecurity vulnerabilities in its complex computer networks. Since the original “Hack the Pentagon” initiative, which began in 2016, the DoD has expanded its Vulnerability Disclosure Program to include all publicly accessible information systems.
“The department has always maintained the perspective that DoD websites were only the beginning as they account for a fraction of our overall attack surface,” said Kristopher Johnson, director of the DoD’s Vulnerability Disclosure Program.
Since its launch, ethical hackers have submitted more than 29,000 vulnerability reports, and more than 70% of those have been determined to be valid. This has allowed DoD’s cyber professionals to address real weaknesses. Johnson added that he expects the number of threats to decrease going forward due to the increased efforts.
Beyond the Public-Facing Websites
The Vulnerability Disclosure Program is being expanded beyond public-facing websites and applications, and will allow ethical hackers to research and report vulnerabilities in all publicly accessible DoD networks, frequency-based communication, Internet of Things (IoT) devices, industrial control systems, and more.
“This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DoD,” added Brett Goldstein, the director of the Defense Digital Service.
“The expansion of the DoD’s vulnerability disclosure program is a strategic move to further capitalize on the talents of the white hat hacker community to identify and weed out weaknesses and exposures in military systems,” said John Hale, Ph.D., chairperson of computer science and professor of bioinformatics and computational biology at the University of Tulsa.
“IoT and industrial control systems are now within the scope of this program, which is a vital addition, as these kinds of systems commonly perform mission critical functions,” Hale told ClearanceJobs. “It will be interesting to see how this initiative scales out, as there is bound to be an order of magnitude increase in disclosures.”
Crowdsourced Bug Bounty
The United States Army has conducted its own “Hack The Army” challenges, while the United States Air Force has hired “bug bounty” firm Synack to use white hat hackers to look for weaknesses in the most critical IT systems. These efforts will likely continue as they serve as a force multiplier for the services.
“It is a crowdsourced exercise,” explained Matthew J. Schmidt, Ph.D., associate professor of national security at the University of New Haven.
“The key to crowdsourcing is large numbers, and these efforts by the DoD are certainly getting the numbers,” Schmidt told ClearanceJobs. “This also highlights the number of vulnerabilities that are out there.”
Moreover, it also enables the Pentagon and the services to do more with fewer people. While the “weight of the federal government” is often cited, it is worth noting that federal employees can also be overworked and underpaid, and there aren’t enough of them.
“As someone who was a former federal employee, I can attest to being overworked and underpaid, and that is even true in the world of IT and cybersecurity,” added Schmidt. “These efforts also address the philosophy that the government hasn’t really caught up to the 21st century in how it handles some issues internally.”
Another purpose the Vulnerability Disclosure Program can serve is finding holes in systems that many government employees may not be familiar with today. That is because the government has continued to utilize a mix of networks running a variety of programs, some of which may have been written before today’s IT staff were born.
“It isn’t just that these systems are antiquated, but there are a plethora of systems that are patched together and that can cause problems,” explained Schmidt. “The more patches, the more vulnerabilities that could be out there.”
Another benefit of these bounties is that they allow people to serve their country without actually enlisting or even becoming a government employee.
“These programs do enlist people in another way,” said Schmidt. “That brings in a culture that has actually been disconnected from the government. These programs offer a capacity for them to serve.”