On Wednesday, the Pentagon invited hackers who have been vetted to test the cyber security of some of the Defence Department’s websites in a pilot project set to start next month, and the first program of its kind initiated by the federal government.
The “Hack the Pentagon” project echoes similar competitions known as “bug bounties” run by many US companies, such as United Continental Holdings, to discover security holes in their networks and systems.
These programs let cyber security experts find and report problems before malicious hackers can exploit them, saving the money and time a security compromise would otherwise cost.
“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security”, said Defense Secretary Ash Carter in a statement unveiling the program.
He also told reporters that the Pentagon must learn from best practices in the industry, since the military was “not getting good grades across the enterprise” for its cyber security.
“We can’t just keep doing what we’re doing. The world changes too fast; our competitors change too fast”, he said during a discussion at the RSA conference.
DJ Patil, the chief data scientist at the White House and a former executive with LinkedIn and eBay, said that bug bounties were the most efficient way to secure networks at a time when software is becoming more complex and harder to test.
He added that other federal agencies were watching the project and may follow suit, enhancing collaboration and taking advantage of economies of scale.
“When people hear ‘bug bounty,’ they think we are just opening ourselves to attack, but what people forget is, we are always in this day and age under attack”, he said. “By bringing crowds to the problem … you’re getting a jump on the curve”.
The Pentagon has previously tested its own networks using so-called “red teams”, but the pilot would open some of its networks to cyber challenges from across industry and academia.
Participants in the program must be US citizens and must undergo a background check before they are let loose on a specific public-facing computer system. The Pentagon said that more sensitive networks and weapons programs would not be included initially.
The initiative is being led by the Pentagon’s Defense Digital Service, which was created in November to bring tech experts into the military for short periods.