A
lthough the idea of bug bounties reportedly originated in the mid-1990s at Netscape. Rice traced it back even further, digging up a Hunter & Ready advertisement from 1983 that offered to reward hackers who discovered bugs in its VRTX operating system with Volkswagen Beetles. “Get a bug if you find a bug,” the tagline read.
Bug bounty programs didn’t hit the mainstream until Google instituted the first extensive bug bounty in 2010, quickly followed by Facebook, Yahoo and other tech companies. Apple came late to the concept, launching an invitation-only program last year.
The Defense Digital Service, the Pentagon-based wing of the U.S. Digital Service, has encouraged the Defense Department to catch up with the industry. Born out of the disastrous launch of healthcare.gov, USDS pairs tech workers with government agencies to improve technical competency.
Chris Lynch heads the Defense Digital Service and has championed bug bounties within the Pentagon and with skeptical hackers who didn’t believe he could get the project off the ground.
“We know for a fact that sending a wide variety of hackers into a wide environment will result in something meaningful. It is a fact. We cannot hire every amazing hacker and have them come work for us, but we can do these crowdsourced bug bounties,” Lynch says. “I’m done with being afraid to know what our vulnerabilities are. That’s not okay.”
The Defense Department tested the waters with Hack The Pentagon, which invited participants to attack public-facing Department of Defense websites. Hack The Pentagon was considered a proof-of-concept project — a way for bug bounty advocates like Lynch to show that the program would improve security without risking the breach of classified material or crucial systems. After the program’s success, worries about what would happen if the agency welcomed hackers began to fade.
I’m done with being afraid to know what our vulnerabilities are.
“Those qualms are lessened today than they were six months ago,” says Lieutenant General Paul Nakasone, who leads Army Cyber Command. “My first thought was, ‘Wow, it only took them 10 minutes to identify a vulnerability. How long would it have taken for us to discover?’” (According to official Hack The Army stats, the first vulnerability was reported in just five minutes.)
Lt. Gen. Nakasone’s teams help patch the problems uncovered by bug bounty participants. Containing hackers within an agreed-upon network with established rules has helped ease concerns, he explained. As an olive branch, the Army didn’t require participating hackers to undergo background checks prior to joining the program, even though some private companies make background checks mandatory. Instead, Hack The Army participants only have to undergo a background check if they want to collect their financial reward.
Hack The Army also gave hackers more exciting targets than the public-facing domains like defense.gov that were up for attack during Hack the Pentagon. The Army edition of the program included recruitment websites with access to personal data and recruiting stations across the U.S.
“We chose intentionally this suite of assets, knowing they were the crown jewels,” says Lisa Wiswell, the digital security lead of Defense Digital Service. “It’s where we have recruits enter their personally identifiable information and all kinds of stuff. We do a lot to secure it today.”
0 comments:
Post a Comment