Today, Secretary of Defense Ash Carter released the final results from the Hack the Pentagon cybersecurity initiative, the first bug bounty in the history of the federal government. At an event in the Pentagon, the Secretary also personally thanked two hackers who participated in the competition, Craig Arendt and David Dworken.
Arendt, a computer security researcher, helped DoD identify a number of vulnerabilities. Dworken, an 18-year-old, recent high school graduate from the Washington, D.C., area, also submitted several vulnerabilities during the competition.
The Hack the Pentagon pilot launched on April 18, and ran until May 12.
The core purpose of the pilot was to bolster the Department’s digital defenses. The U.S. government is constantly under attack by hackers, and DoD is no exception.
“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks,” said Secretary Carter. “What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference – hackers who want to help keep our people and nation safer.”
The challenge was conducted against five public-facing websites, including defense.gov. None of the Department’s critical networks were part of the competition. The bug bounty challenge was hosted by HackerOne, a Silicon Valley-based firm that offers vulnerability disclosure and bug bounty as a service.
More than 1,400 eligible hackers completed the registration and were invited to participate in Hack the Pentagon and more than 250 submitted at least one vulnerability report. Of all the submissions DoD received, 138 were determined to be legitimate, unique and eligible for a bounty.
Defense Media Activity quickly worked to remediate each of these vulnerabilities. The entire cost of the Hack the Pentagon pilot was $150,000, with about half going to the hackers themselves. Hiring an outside contractor to conduct a similar security test could have cost more than $1 million.
According to the high school hacker, David Dworken, the competition was a unique opportunity to help the Department of Defense. “It was a great experience,” said Dworken who has participated in similar competitions. “I just started doing more and more of these bug bounty programs and found it rewarding. Both the monetary part of it and doing something that is good and beneficial to protect data online in general.”
The pilot marks the first in a series of programs designed to test and find vulnerabilities in the department’s applications, websites and networks.
Starting this month, DoD is embarking on three follow-on initiatives. First, will be the development of a vulnerability disclosure process and policy for DoD so anyone with information about vulnerabilities in DoD systems, networks, applications, or websites can submit it to the department without fear of prosecution. Next will be the expansion of bug bounty programs to other DoD Components, in particular the Services, by developing a sustainable DoD-wide contract vehicle. Lastly, incentives will be included in our acquisition policies and guidance so that contractors practice greater transparency, and open their own systems for testing – especially DoD source code.
While the pilot program was successful, it doesn’t end here, according to Chris Lynch, director of Defense Digital Service (DDS). The DDS team is credited with the initial idea of the Hack the Pentagon initiative and, ultimately, bringing it to fruition.
“What we want to figure out is how we can use this in a way that is able to be used on nearly any level of classification, or any type of activity,” said Lynch. “We’re not there yet. We’re going to start to work through and look at other layers as well. We recognize that this is a really valuable tool. It’s a huge change for the Department of Defense in terms of how we recognize the ability for people to come in and help us secure systems themselves. There are lots of things we can apply it to.”
Release No: NR-225-16
June 17, 2016