Skepticism Surrounds U.S. Defense Department's 'Hack the Pentagon' Pilot

Skeptics say the program’s restrictions will limit interest from the freewheeling, independent security researchers that the U.S. military wants to court.

by Sean Sposito, San Francisco Chronicle / April 12, 2016

(TNS) -- If critics are to be believed, there are some bugs in the Department of Defense’s pilot to have hackers poke at its public websites.

The Hack the Pentagon program, announced in March and set to launch next week, has drawn skeptics who say the program’s restrictions will limit interest from the freewheeling, independent security researchers the U.S. military wants to court.

Bug bounty programs like the upcoming Pentagon trial dole out rewards to researchers who find flaws. Bounties most often run in the hundreds of dollars per issue found and reported.

But, “it is incredulous that to get paid in the (Hack the Pentagon) bug bounty, you have to pass a background check,” tweeted Charlie Miller, an Uber security engineer and a former NSA analyst.

Not long after, he followed up, sarcastically: “Luckily, all the hackers who can’t pass a background check will stop hacking the Pentagon because they want to follow the rules.”

The department is spending $150,000 on the program. The agency didn’t respond to several questions sent by The Chronicle over email, but did point to a recent TechCrunch article written by the director of the Defense Digital Service, Christopher Lynch, whose office is leading Hack the Pentagon.

In 2012, according to Lynch, a quarter of all visits to public Defense Department websites “were nefarious in some way.” That amounts to roughly a billion attempts to breach security, he wrote.

Meanwhile, the department has already begun taking applications. Hack the Pentagon is set to launch its pilot Monday. It will run for 20 days.

And, yes, in addition to a “basic criminal background screening,” it comes with other caveats:

  • Researchers must be able to work in the U.S. and pay taxes;
  • they must not live in a country currently under U.S. trade sanctions (such as Iran or North Korea); and
  • they must not be on the Treasury’s Specially Designated Nationals List, a database of people and organizations identified as being involved in terrorism, drug trafficking and other criminal activities.

“While any U.S. taxpayer can play Hack the Pentagon without fear of prosecution, those with serious issues in their past must know in advance that they won’t get paid if they fail a background check,” wrote Lynch in his TechCrunch article.

Those restrictions obviously narrow down who can participate, said Gary McGraw, the chief technology officer at software security consulting firm Cigital.

“I don’t know why anyone would” participate, he said, adding he thinks the agency should expend its resources doing other things, such as “producing code that doesn’t suck.”

McGraw said that it would be simpler for a security researcher to report an issue directly to, say, the people who maintain WordPress, an online publishing tool used by more than a quarter of all websites, than to report it to a Defense Department website that happens to run that software.

“Most of the exploits that these people are going to find in Defense Department servers and applications are going to be in code that everyone else uses, too,” he said.

The department is listening to these critiques, said Katie Moussouris, a former Microsoft security strategist. Over the course of several years, she helped the department shape its thinking about cooperating with security researchers.

“They are also doing an experiment, themselves, seeing who from the population is willing to help them and willing to go through a light-touch background check,” said Moussouris, an independent consultant who recently left HackerOne, which is facilitating the department’s pilot. “What amount of the population has these skills and is willing to help?”

She added that Microsoft — whose bug bounty program she helped launch in 2013 — faced similar criticisms at the start. “However, it’s been proven, once the pilot is used as a learning experience, expansions (of the program) can and do happen,” she said. “This is exactly the model that we expect to see, here.”

Alex Rice, HackerOne’s chief technology officer, said such screening isn’t unheard of.

“Every one of these programs has some kind of constraint on the front of it,” he said, alluding to similar bug bounty pilots rolled out by private companies.

Many of those pilots occur completely outside of the purview of public debate.

“The fact that the DoD is waiving that and we’re able to have a public debate about it, that’s pretty phenomenal,” Rice said.

©2016 the San Francisco Chronicle. Distributed by Tribune Content Agency, LLC.