Lessons learned from DoD’s bug bounties highlight gaps in talent, secrecy

The summer of 2017 might be shaping up to be a buggy one.

After two successful bug bounties at the Pentagon and the Army, a Defense Department official said plans were in the works for more crowdsourced cybersecurity testing.

“We will shortly be rolling out additional bug bounties for other services,” said Hunter Price, a digital services expert at DoD, during a March 30 Information Security and Privacy Advisory Board (ISPAB) meeting in Washington, D.C. “We are also encouraging various procurement shops to include bug bounties in their IT acquisition. So not just saying ‘OK developer, you need to have this pen[etration] tested,’ but also ‘developer, how to pen test it and run a bug bounty against it.’ That’s our plan.”

Price referred reporters to DoD’s press office for questions on when bug bounties would roll out and for which services, but he said interest, resource availability and testing priorities factor into the decision-making process.


“These things go a lot easier when everyone is interested,” Price said, adding he’s seen attention in bug bounties from everyone from sergeants to the Secretary of Defense.

“Our goal is to roll this out to all DoD assets,” Price said. “As we continue to roll out bug bounties, we are getting the various cybersecurity teams, branch specific, whether it’s ARCYBER or the 24th Air Force, etc., to participate as much as we can, mostly as a training tool for them, so they can be exposed to research methods and vulnerabilities that they currently don’t look at.”

The Defense Department announced its first bug bounty in March 2016, with promises three months later to expand the program.

In the first “Hack the Pentagon” challenge, the department asked anyone with expertise in IT security to find security flaws on five of its largest public-facing websites, including the Defense.gov homepage. The first vulnerability report arrived seven minutes after the contest started, and 1,410 pro and amateur hackers from 44 states wound up making 1,189 reports of security problems during the three-week pilot in late April and early May (though many of those reports were duplicates of the same vulnerabilities).

DoD spent $150,000 on the pilot version of Hack the Pentagon, with about half the money going to administrative costs, including a contract with HackerOne, the private firm that helped run the challenge, and the other half paid as bounties to the hackers who discovered the cybersecurity holes.

In October DoD awarded new contracts — $3 million to HackerOne and $4 million to Synack — to fund roughly 14 more such challenges. A month later the Army announced its Hack the Army program to expose cyber weaknesses in its networks.


The lessons DoD learned from the bounties, Price said, are that the government does not have access to the level of security talent that’s equivalent to the hackers, and that “secrecy is not security.”

“That is naive,” Price said. “The U.S. government is a very juicy target of a lot of different people; nation states, people who want to sell stuff to nation states, people who just want to attack us. Secrecy is not security when it comes to information assurance or cybersecurity.”

That’s something digital experts like Price have had to spend time teaching DoD employees about. While the bug bounties’ returns on investment are “just unparalleled,” he said, those returns can also highlight vulnerabilities that make people uncomfortable.

“That comes in a few different forms,” Price said. “It comes in the form of, if we point people to these systems — or in the case of bug bounties on more secure assets — and we expose those assets and the people, we will be making them less secure.”

Price said another lesson learned from the bounties is that the government doesn’t have the ability to access the cybersecurity talent like the hackers participating in the bounties.

“It’s not a matter of money, we just cannot hire these people,” Price said. “And if we did hire these people, at least in DoD land, they would be put into programs that talk and work on cybersecurity in a way that is different than how hackers view things.”

ISPAB member Toby Levin said that, from what Price shared with the board, it sounded like some contractors were not accurately representing their ability to perform this kind of work.

“That’s something else that should be shared across government,” Levin said.

The board is charged with advising the National Institute of Standards and Technology (NIST), the Office of Management and Budget director, and secretaries at the Commerce and Homeland Security departments, on issues of security and privacy for federal information systems.

But Price said that gets into the broader question within IT acquisition, and that “contractors sell what they expect the government wants.”

“If the government goes out and says we want you to find the very, very best hackers and to rip our security to shreds if possible, they will find people to do that,” Price said. “If the government says we want you to find five people with advanced degrees and vet them and give them background checks and send them to this building in suburban Virginia and conduct pen testing … they will do that and you will get a very, very different set of people.”

Christopher Boyer, assistant vice president of Global Public Policy at AT&T, and chairman of ISPAB, said it seemed common sense to have the ability for people to report on vulnerabilities for one of the most attacked entities on earth.

“I know that question for the board is whether or not you guys should be encouraging the rest of the government to adopt bug bounties,” Price said. “I think the answer is yes. The return on investment is incredible, both in terms of cost and in terms of making government assets more secure.”

A spectrum of experiences

One civilian agency that shares the same line of thinking is the General Services Administration.

Eric Mill, senior adviser on Technology Transformation Service at GSA, said the agency is in the process of setting up its own bounty. GSA made the announcement and published a draft solicitation in January.

Mill said DoD’s bug bounty work has helped carve a path for other agencies to follow; however, agencies shouldn’t expect their processes and results to match Defense’s exactly — such as receiving high-risk vulnerability reports immediately or being flooded with all sorts of “fun things in your system.”

“There’s going to be a spectrum of experiences that agencies have,” Mill said. “I think that’s actually really important, because especially as you’re talking about trying to build in norms and practices around vulnerability disclosure governmentwide, you have to speak to the experiences that people have and are going to have.”

Boyer asked whether bug bounties were the type of thing that would make sense in a shared services model, and Mill said while it’s possible, you would also have to take into consideration the decentralized nature of the government, and the “whole constellation of vendors and contractors and offices that are responsible in different ways for different pieces of it.”