Carter Announces 'Hack the Pentagon' Program Results
By Lisa Ferdinando, DoD News, Defense Media Activity.
Washington D.C. — (DoD
News) — June 17, 2016 — Cracking open his laptop between classes as he
finished up his senior year in high school, 18-year-old David Dworken was on an
important mission for the Pentagon, according to Defense Secretary Ash Carter.
[Photo caption: Defense Secretary Ash Carter announces the results of the "Hack the Pentagon" pilot program at the Pentagon, June 17,]
Dworken was among the more than 1,400 hackers invited to take
part in the first bug bounty program for the federal government, Carter said
today at an event in which he was joined by Dworken and others involved in the
"Hack the Pentagon" pilot program.
More than 250 participants submitted at least one
vulnerability report, with 138 of those vulnerabilities determined to be "legitimate,
unique and eligible for a bounty," Carter said.
The pilot program, which ran from April 18 to May 12, cost
$150,000, Carter said.
"It's not a small sum, but if we had gone through the normal
process of hiring an outside firm to do a security audit and vulnerability
assessment, which is what we usually do, it would have cost us more than $1
million," Carter said.
The program, according to Carter, is a cost-effective way to
supplement and support the people who defend the government’s computer networks.
The Defense Department worked with the Silicon Valley-based company HackerOne to
fix all the vulnerabilities, Carter said.
Building on Bug Bounty Program
The Defense Department is investing aggressively in
innovation, including in people, practices and technologies, Carter said. The
"Hack the Pentagon" program combined all those elements to "considerable success," he said.
In addition to the security fixes, the department has "built
stronger bridges to innovative citizens who want to make a difference to our
defense mission," he said.
Carter said there needs to be a pathway for ethical hackers
and security researchers to report vulnerabilities in DoD networks and systems.
As a result, the department is creating a central point of contact for
researchers and technologists to point out gaps, he said.
In addition, Carter said, the bug bounty program is going to
be expanded to other parts of the department. He is directing all DoD components
to review where such programs can be used.
DoD will also include incentives in its acquisition guidance
and policies so contractors who work on DoD systems can take advantage of
innovative approaches to cybersecurity testing, he said.
"When it comes to information and technology, the defense
establishment usually relies on closed systems," he said. "But the more friendly
eyes we have on some of our systems and websites, the more gaps we can find, the
more vulnerabilities we can fix, and the greater security we can provide to our
The pilot program was conducted against publicly available
websites, according to Chris Lynch, the director of the Defense Digital Service,
the DoD agency that led the program. Mission critical systems were not involved,
he pointed out.
He said they were looking for vulnerabilities that would
allow someone to gain access to a system through a current user or allow a
hacker to maliciously gain access to other networks or other systems.
"Even though it was a public set of websites, there's a lot
that we can learn from even what seemed to be fairly simple publicly accessible
sites," Lynch said.
The program targeted five public-facing websites: defense.gov,
dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman.
The payouts ranged from about $100, all the way up to $15,000
to a participant who had multiple submissions, according to Lisa Wiswell, with
the Defense Digital Service.
Hacker at Work
Dworken, who just graduated June 13 from a local high school,
said he discovered six vulnerabilities that focused on standard web security.
"I generally just worked on it during any free time I had,
during free periods," according to Dworken, who said he will study computer
science in college with aspirations of a cybersecurity career.
While the vulnerabilities he discovered had already been
reported by other hackers and he did not receive any payout, he said he was
still happy to be a part of the program.
"Even without a bounty, these things are still, personally
for me, incredibly rewarding," he said. "There is the greater-good aspect of it,
especially when working with the federal government for something I obviously
care deeply about."
(Follow Lisa Ferdinando on Twitter: @FerdinandoDoDNews)