Hack the Pentagon, and you could win $150,000

Hackers are trying to break into The Pentagon.

There’s nothing unusual about that, of course. The difference this time is that The US Department of Defense is inviting hackers to find security vulnerabilities in some of its public websites, and is offering bounty payments of up to $150,000 for those who discover flaws.

There are, of course, some rules about the “Hack the Pentagon” bug bounty program, as the US DoD is keen for chaos not to ensue during the US goverment’s first commercial bug bounty program. These include:

• You must have pre-registered and been approved to take part in the program.
• You must be eligible to work in the United States.
• You can’t be residing in a country currently under US trade sanctions – sorry Syrian and North Korean hackers, you’re not welcome!
• You can’t be on the US Department of Treasury’s list of bad guys and organisations who have engaged in terrorism, drug trafficking and other crimes – I guess they’re worried about bad publicity.
• Every participant has to agree to undergo a background check – no background check, no payout.

Furthermore, there’s bad news if you work for the United States Digital Service (USDS) – you’re not eligible for any payouts. Presumably the Depatrtment of Defense feels you should be finding any vulnerabilities and flaws as part of your regular job.

It’s worth pointing out that the Defense Department is keeping tight reins on bug hunters, limiting the scope of the bounty program to a defined list of public websites for a controlled duration of time (the hunt runs until May 12 2016) and not involving critical, mission-facing computer systems.

And I have no doubt that some researchers will be dissuaded from participating by the rules – and may feel uncomfortable with the idea of sharing their personal information with the US authorities for the purposes of a background check.

All the same, it’s good to see the US government embracing an initiative to bolster its security that has proven successful for many commercial companies in recent years. After all, it’s better for any vulnerabilities to be reported to the Department of Defense than sold on underground markets to other groups such as online criminals and foreign states.

“This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” said US Secretary of Defense Ash Carter. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”

I have long been an advocate that it is better to hack yourself (or hire penetration testers to check your systems for vulnerabilities) than wait for a malicious hacker to break into your network. At the same time, it’s important to not leave security considerations until the end of a project – security should be an important consideration from the very beginning.

Clearly we’ve come a long way since British computer hacker Gary McKinnon broke into classified Pentagon computer systems in his search for evidence that the United States was covering up evidence of extraterrestrial technology. The Department of Defense remains resolute that any hacking against its systems has to happen on its own terms, but it’s clearly not of the opinion that all in the hacking community have bad intentions.

And that sounds like a good thing to me.