Carter Announces 'Hack the Pentagon' Program Results

By Lisa Ferdinando, DoD News, Defense Media Activity.
Washington D.C. — (DoD News) — June 17, 2016 — Cracking open his laptop between classes as he finished up his senior year in high school, 18-year-old David Dworken was on an important mission for the Pentagon, according to Defense Secretary Ash Carter.

Defense Secretary Ash Carter announces the results of the "Hack the Pentagon" pilot program at the Pentagon, June 17, 2016.

Dworken was among the more than 1,400 hackers invited to take part in the first bug bounty program for the federal government, Carter said today at an event in which he was joined by Dworken and others involved in the "Hack the Pentagon" pilot program.

More than 250 participants submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be "legitimate, unique and eligible for a bounty," Carter said.

The pilot program, which ran from April 18 to May 12, cost $150,000, Carter said.

"It's not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million," Carter said.

The program, according to Carter, is a cost-effective way to supplement and support the people who defend the government’s computer networks. The Defense Department worked with the Silicon Valley-based company HackerOne to fix all the vulnerabilities, Carter said.

Building on Bug Bounty Program

The Defense Department is investing aggressively in innovation, including in people, practices and technologies, Carter said. The “Hack the Pentagon” program combined all those elements to "considerable success," he said.

In addition to the security fixes, the department has "built stronger bridges to innovative citizens who want to make a difference to our defense mission," he said.

Carter said there needs to be a pathway for ethical hackers and security researchers to report vulnerabilities in DoD networks and systems. As a result, the department is creating a central point of contact for researchers and technologists to point out gaps, he said.

In addition, Carter said, the bug bounty program is going to be expanded to other parts of the department. He is directing all DoD components to review where such programs can be used.

DoD will also include incentives in its acquisition guidance and policies so contractors who work on DoD systems can take advantage of innovative approaches to cybersecurity testing, he said.

"When it comes to information and technology, the defense establishment usually relies on closed systems," he said. "But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters."

Lessons Learned

The pilot program was conducted against publicly available websites, according to Chris Lynch, the director of the Defense Digital Service, the DoD agency that led the program. Mission critical systems were not involved, he pointed out.

He said they were looking for vulnerabilities that would allow someone to gain access to a system through a current user or allow a hacker to maliciously gain access to other networks or other systems.

"Even though it was a public set of websites, there's a lot that we can learn from even what seemed to be fairly simple publicly accessible sites," Lynch said.

The program targeted five public-facing websites: defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman.

The payouts ranged from about $100, all the way up to $15,000 to a participant who had multiple submissions, according to Lisa Wiswell, with the Defense Digital Service.

Hacker at Work

Dworken, who just graduated June 13 from a local high school, said he discovered six vulnerabilities that focused on standard web security.

"I generally just worked on it during any free time I had, during free periods," according to Dworken, who said he will study computer science in college with aspirations of a cybersecurity career.

While the vulnerabilities he discovered had already been reported by other hackers and he did not receive any payout, he said he was still happy to be a part of the program.

"Even without a bounty, these things are still, personally for me, incredibly rewarding," he said. "There is the greater-good aspect of it, especially when working with the federal government for something I obviously care deeply about."
(Follow Lisa Ferdinando on Twitter: @FerdinandoDoDNews)

Publication director: Joël-François Dumont
Editorial board: Jacques de Lestapis, Hugues Dumont, François de Vries (Brussels), Hans-Ulrich Helfer (Switzerland), Michael Hellerforth (Germany).
Military committee: VAE Guy Labouérie (†), GAA François Mermet (2S), CF Patrice Théry (Asia).