WASHINGTON, Nov. 21, 2016 — Two initiatives were rolled out today to strengthen the cyber security environment in the Defense Department and the Army, DoD officials announced.
The first initiative is part of the “Hack the Pentagon” program that debuted last spring, officials said. Called the Vulnerability Disclosure Policy, it provides a legal avenue for digital security researchers who find and disclose vulnerabilities in DoD’s public websites.
The policy gives researchers clear guidance for testing and disclosing vulnerabilities, and also commits DoD to work openly and in good faith with outside researchers, officials said.
“The Vulnerability Disclosure Policy is like ‘see something, say something’ for the digital domain,” Defense Secretary Ash Carter said.
“We want to encourage computer security researchers to help us improve our defenses. This policy gives them a legal pathway to bolster the department’s cybersecurity and ultimately the nation’s security,” the secretary said.
DoD Effort Aligns With Private Sector
The Hack the Pentagon pilot was the first bug bounty in the history of the federal government, officials said.
Using vetted hackers, DoD applied a crowdsourcing method similar to the commercial sector’s to identify security vulnerabilities in DoD’s systems. “Hack the Pentagon” was modeled after similar competitions conducted by some of the nation’s biggest companies to improve the security and delivery of networks, products, and digital services, according to officials.
When the Hack the Pentagon results were released in June, the department recognized a need to provide a standard avenue for researchers to report vulnerabilities, DoD Cyber Policy Senior Advisor Charley Snyder and Defense Digital Service Bureaucracy Hacker Lisa Wiswell said in a briefing with reporters Nov. 18.
The new policy, effective today, allows for a safe, secure, and legal opportunity for researchers to report such vulnerabilities, Snyder and Wiswell said.
While private industry produces similar policies, DoD’s initiative is the first in the federal government, officials said.
DoD consulted with the Justice Department’s criminal division when developing DoD’s Vulnerability Disclosure Policy, and Leslie Caldwell, DOJ’s assistant attorney general, called the initiative “a laudable way to help computer security researchers use their skills in an effective, beneficial and lawful manner to reduce security vulnerabilities.”
‘Hack The Army’ Debuts Today
The second initiative launching today is “Hack the Army,” the second bug-bounty challenge in DoD, Wiswell said, adding that the Army’s initiative is modeled after the initial “Hack the Pentagon” challenge. Registration for the program begins today.
The Army bug bounty challenge will employ about 500 vetted security researchers and will focus more on operationally relevant websites, particularly those that affect Army recruiting, officials noted.
Army Secretary Eric Fanning announced his department’s cyber security challenge earlier this month as it partners with DoD’s Defense Digital Service.
“The security of these foundational systems is incredibly important to me, and security is everyone’s responsibility,” Fanning said.
The Army’s bug bounty program, much like DoD’s effort, will provide incentives to researchers to focus on specific high-priority networks and systems.
Officials said DoD has focused on efforts to modernize security, and to find ways to tap into sources of talent across the country. Both the Army and DoD programs and policies align with those goals, they added.
(Follow Terri Moon Cronk on Twitter: @MoonCronkDoD)