Cybersecurity

Army issues “Hack the Army” challenge

Published 22 November 2016

Army Secretary Eric Fanning announced plans to launch the federal government’s most ambitious “bug bounty” challenge, known as “Hack the Army.” Building off the Army’s previous “Hack the Pentagon” program earlier this year and similar initiatives advanced by private sector companies, the Army will offer cash rewards to hackers who find vulnerabilities in select, public-facing Army Web sites. Unlike the Hack the Pentagon program, which offered hackers static Web sites that were not operationally significant as targets, Hack the Army will offer dynamic exchanges of personally identifiable information, sites considered critical to the Army’s recruiting mission.

Hack the Army call to arms // Source: army.mil

On 11 November at the Capital Factory in Austin, Texas, Army Secretary Eric Fanning announced plans to launch the federal government’s most ambitious “bug bounty” challenge, known as “Hack the Army.”

Building off the Army’s previous “Hack the Pentagon” program earlier this year and similar initiatives advanced by private sector companies, the Army will offer cash rewards to hackers who find vulnerabilities in select, public-facing Army Web sites. “We’re not agile enough to keep up with a number of things that are happening in the tech world and in other places outside the Department of Defense,” Fanning explained. “We’re looking for new ways of doing business.”

The U.S. Army notes that unlike the Hack the Pentagon program, which offered hackers static Web sites that were not operationally significant as targets, Hack the Army will offer dynamic exchanges of personally identifiable information, sites considered critical to the Army’s recruiting mission.

Over the next few weeks, HackerOne, a security consulting firm under contract with the Pentagon, will invite a group of security researchers and bug hunters to participate in the Army challenge. According to Fanning, the challenge represents a break with the past. Previously, the government has sought to avoid working with the hacker community.

“Here, we are not just meeting them face-to-face, we are challenging them,” he said. “Take your best shot. Bring it on.”

The Army’s bug bounty program will be open to properly-registered members of the public, but in another first, Fanning announced that U.S. government civilians and active duty military personnel will also be authorized to participate.

“What Hack the Pentagon validated is that there are large numbers of technologists and innovators who want to make a contribution to our nation’s security, but lack a legal avenue to do so,” Fanning said.

Registration for the program opened 21 November at https://hackerone.com/hackthearmy. Soon, the full list of Army websites and databases that bug hunters will be permitted to hack under the program will be provided to registered and invited participants.

“These assets have deep ties to the Army’s core operations, and as Secretary of the Army, the security of these foundational systems are incredibly important to me,” Fanning said.

The Department of Defense’s Defense Digital Service, which oversaw the Hack the Pentagon initiative, said the bounty program is about changing attitudes inside the government about hackers.

“Our workforce is static. There’s a finite number and finite set of skills. Crowdsourcing is really the only way to get the dynamic skills you need that a static workforce can’t get you,” said Lisa Wiswell of Defense Digital Service.

Chris Lynch, the head of Defense Digital Service, added, “Hack the Army [will show] that bringing in creative hackers from a wide variety of backgrounds can fundamentally improve the way we protect our soldiers and secure our systems.”

Fanning agrees. In a world where traditional security approaches are increasingly insufficient, he believes, more creative approaches to security challenges are needed.

“There are people all over the world that are trying to get access to our systems, our data, and our information for malicious purposes,” he said.

“Although we have a very well trained, incredibly capable security team in the military [and DOD], it’s not enough. The more different sets of eyes, more different teams … that we can bring to this problem, the more secure we’re going to feel about our information.”