DoD’s “Hack the Pentagon” follow-up initiative

by the Defense Media Activity.

Following the success of Hack the Pentagon, Carter recognized the value of the program and directed other DoD components and military services to adopt the crowd-sourced security concept.

“I’m directing all DoD components to review where bug bounties can be used by them as a valuable tool in their own security tool kit,” Carter said at the Hack the Pentagon ceremony in June. “We’re going to include incentives in our acquisition guidance and policies so that contractors who work on DoD systems can also take advantage of innovative approaches to cybersecurity testing.

“For example,” he continued, “in some circumstances, we will encourage contractors to make their technologies available for independent security reviews, like bug bounties, before they deliver them to us. This will help them make their code more secure from the start, and before it’s installed on our systems.”

Carter said the program provides the researchers more than just an avenue for reporting vulnerabilities and gaps and a way to make networks more secure in the short term. “We’ve provided a road map for other government departments and agencies to crowd-source their own security,” he said.

Current, future projects
Wiswell said the Defense Digital Service is currently helping with DoD’s transition from the Defense Travel System to a private-sector travel tool used by Fortune 500 companies.

“DTS is a great example of a system that needed fixing,” she said. “Every single DoD employee has to use DTS, and … from a user and technology perspective, it doesn’t work very well. Our charge is to elevate existing software and software development processes across DoD up to private-sector standards.”

The Defense Digital Service is moving DTS from the existing DoD contractor-developed system to a commercial, cloud-based system. “We expect this to provide our military service members and civilian DoD employees with an improved travel experience, as well as save resources each year in unnecessary travel-related costs,” Wiswell said.

She said DDS is working on many three- to six-month projects with the components and services to help with efficiencies. She also hopes that in the future, the DoD will put more rigor into developing software with security in mind from the outset rather than as an afterthought.

“It’s great to conduct these hacking activities against an operational system, but it’s also really important to look at the code and do some code analysis to make sure that it is secure too,” she said.

Wiswell said she encourages the components and services, their acquisition personnel and contractors to use these new contract vehicles via HackerOne and Synack, and to reach out to DDS if they need assistance.

“The Hack the Pentagon pilot showed us that there are great benefits across the board, from leveraging a wider range of skill sets to the large cost savings involved,” she said. “Hack the Pentagon was a big win for the department, and hopefully this contract vehicle will continue to accelerate progress across DoD and give longevity to this crowd-sourced model.”