Built to Scale - Introducing hackthepentagon.mil

Hackthepentagon.mil

By: Jinyoung Englund
Acting Deputy Chief Digital and Artificial Intelligence Officer, Directorate for Digital Services & DDS Director

Hack the Pentagon – It’s a culture.

Seven years ago, we pitched a radical idea – let’s invite hackers to hack the Pentagon. 

Easier said than done. 

Not only did we have to get past the side-eyes thrown our way whenever we talked about it, we also had to figure out how the Department of Defense (DoD) could legally engage hackers, provide access to our systems and assets without endangering national security, and pay them for their findings. 

Surprisingly, getting the contract vehicle and money was the easy part. The real challenge was cultural – changing the culture from the original cybersecurity playbook of passively scanning for vulnerabilities to proactively hunting for them.

As such, while advanced tools and automation can be helpful, we believe humans remain essential in defending against cybersecurity breaches. As we shift from an information to an intelligence age, the winning blow will be dealt by humans supported by intelligent machines. 

This is why we intentionally invite hackers to break into our systems and assets. By incorporating bug bounties into our overall cybersecurity strategy, we’re updating the cybersecurity playbook to assume breach and think like an adversary. 

Hack the Pentagon – It’s a community.

So in 2016, we invited hackers to Hack the Pentagon, launching the first-ever bug bounty program in the federal government to secure critical DoD information systems. 

Back then, the word “hacker” conjured up images of a shadowy figure, face hidden under a hoodie, eyes reflecting the glare of the computer screen as s/he tried to break into a system, most likely to either steal something of value or wreak havoc in order to demand a ransom. 

By “hacker” we actually mean the growing, largely untapped global community of security researchers, also known as ethical or white hat hackers, whose expertise could be used for good. Hosting bug bounties allows vetted independent security researchers to access sensitive systems without fear of retribution and instead receive financial rewards (“bounties”) for proactively discovering, investigating, and reporting vulnerabilities (“bugs”) so that they can be remediated.

Since Hack the Pentagon’s initial launch, DDS has run more than 40 bug bounties with over 1,400 ethical hackers who have collectively flagged 2,100+ vulnerabilities for remediation.

We found bug bounties to be a cost-effective way for DoD to identify and patch vulnerabilities. And while responsible stewardship of taxpayer money is important, the greater value to DoD and our overall national security posture is being connected to a global community of cybersecurity experts contributing to our national security. 

Hack the Pentagon – It’s a call to action, and we need your help to scale. 

At DDS, we are a small, yet mighty, team that facilitates each and every bug bounty. We walk each DoD organization through the process of hosting a bug bounty from start to finish. To date, we’ve coached and run bug bounties with DARPA, HHS, the U.S. Air Force, U.S. Army, DISA, and SOCOM. Given that DoD is nearly 3 million people strong, we have just scratched the surface. We still have a lot more to do and a long way to go.

So we built www.hackthepentagon.mil as a first-step resource to DoD, vendors, and security researchers who want to partner with us to run or participate in a bug bounty to secure DoD systems and assets. 

Check it out. 

Spread the word. 

And join us! 

https://www.defense.gov/News/Releases/Release/Article/3346188/dod-chief-digital-and-artificial-intelligence-office-launches-hack-the-pentagon/