'Hack the Pentagon' Program ExpandsVulnerability Disclosure Program Now Includes IoT Devices, Industrial Control Systems
The Department of Defense will expand its vulnerability disclosure program in the coming months, inviting ethical hackers to find flaws in a wider array of systems and applications within the Pentagon's public-facing networks.
The "Hack the Pentagon" program was launched in 2016 to encourage ethical hackers and security researchers to find flaws in public-facing Defense Department applications and websites. The program is overseen by the DOD Cyber Crime Center.
Now, the Pentagon is expanding the program to include all publicly accessible Defense Department systems, which includes IoT devices, industrial control systems, networks and frequency-based communication systems.
"The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface," says Kristopher Johnson, director of the department's vulnerability disclosure program.
Before DOD launched the program, ethical hackers and security researchers did not have a uniform way of contacting the Pentagon and disclosing flaws in systems or applications.
"Because of this, many vulnerabilities went unreported," says Brett Goldstein, the director of the Pentagon's Defense Digital Service. "The DOD vulnerability policy launched in 2016 because we demonstrated the efficacy of working with the hacker community and even hiring hackers to find and fix vulnerabilities in systems."
The Defense Department estimates that more than 29,000 vulnerabilities have been reported since the vulnerability disclosure system began, with more than 70% of these flaws determined to be valid.
Johnson expects far more flaws to be uncovered now that the Defense Department is expanding the program to all its public networks and systems.
Over the years, the Pentagon has partnered with HackerOne, a private firm with a platform that enables researchers to submit information about vulnerabilities and then receive cash rewards for their disclosures.
The expansion of the Pentagon's vulnerability disclosure program is a good step toward hardening its infrastructure against attacks, says Chad Hoffman, a former DOD intelligence analyst.
"The expansion is imperative for the DOD to continue to leverage private industry to identify vulnerable systems that are critical to missions across the department," says Hoffman, who is now the COO of security firm Analyst1. "But if the program doesn't correlate the vulnerabilities to the threat actors who are known to exploit them, there will be a logjam of prioritization of what to tackle first."
Other Agencies' Programs
In September 2020, the Cybersecurity and Infrastructure Security Agency ordered most executive branch agencies and departments to create their own vulnerability disclosure programs (see: US Agencies Must Create Vulnerability Disclosure Policies).
CISA is working toward creating standards for all federal agencies while providing guidelines on how vulnerabilities should be disclosed and mitigated.
In April, the DOD Cyber Crime Center and the Defense Counterintelligence and Security Agency launched a 12-month Defense Industrial Base Vulnerability Disclosure Program for third-party firms and companies that are part of the Defense Industrial Base Sector and work with the Pentagon to supply technology and research.
Branches of the U.S. military have also run their own vulnerability disclosure programs.
Earlier this year, the Army launched its third "Hack the Army" program in conjunction with the Defense Digital Service and HackerOne.
A 2018 vulnerability disclosure program run by the Air Force uncovered 120 vulnerabilities and paid out $130,000 to the hackers who uncovered them.