How the Risk-Averse DoD Learned to Stop Worrying and Love the Hackers
There are few, if any, organizations more risk-averse than the U.S. Department of Defense. But even this staid agency has realized the security benefits of working with hackers, such as saving U.S. taxpayers $64 million in just 3 years.
At Security@ 2019, Megan Furman, Deputy Director of the Defense Digital Service moderated a conversation between Kris Johnson, Director of the Department of Defense Vulnerability Disclosure Program (VDP), and Jack Cable, a hacker and current Stanford University student. They focused on the DoD’s “See Something Say Something” program of vulnerability disclosure and bug bounty programs, in which hackers have discovered more than 11,000 valid vulnerabilities.
The DoD has come a long way from their first Hack the Pentagon bug bounty challenge, which was open only to U.S. citizens and lasted just one month. The results were so promising, however, it was followed with Hack the Army, Hack the Air Force, Hack the Air Force 2.0, and Hack the Defense Travel System . Even the Marine’s eventually got on board with Hack the Marine Corps.
So how did the DoD manage to win the hearts and minds of such a staunchly risk-averse organization?
“People have seen the term ‘hacker’ as a four-letter word within the Department,” said Kris. “They’ve seen (hackers) as adversaries.” His team worked (and still works) to change the perception of hacker-powered security from one of fear to one grounded in facts. Turns out the way to win over skeptics is by demonstrably reducing risk, so Kris points to the results. “Researchers are telling us what’s wrong with our systems,” Kris said. “We have a ton of success stories.”
That success has helped to change the old perception of hackers and has encouraged the DoD to proactively embrace hacker-powered security across their organization. Saving $64 million and achieving nearly 800% ROI didn’t hurt, either.
“Hackers are now considered partners,” Kris added.
What also helps overcome a reluctance to use hacker-powered security is a military phrase: unknown unknowns. In other words, admitting that your organization needs help with security and risk because you don’t have the right internal resources, skills, or people.
Jack, who has participated in the DoD’s programs since the very first Hack the Pentagon (when he was still in high school!), talked about the need for specific and skilled cybersecurity expertise that most organization’s don’t have.
“Being in a room full of 20 Marine generals, being the only technical person, the only hacker, in the room, it’s really effective to show how important (security) is and that we need technical people to make these decisions,” said Jack. Megan agreed, adding that “it’s incredibly common to sit in a room and realize that no one else there could tell you what an API is or what security even means.”
It’s also the outside-of-the-box thinking hacker’s bring to a security program that frequently leads to the discovery of potential vulnerabilities. Chaining multiple smaller, potentially overlooked bugs is one way a smart hacker might find a security gap. Being unfamiliar with a technology also helps, as does the curiosity to look in different places specifically with an eye for bugs. Having the right mindset helps, too.
“It’s really essential to have the additional perspective of someone who thinks like an adversary,” added Jack.
The hacker’s perspective, however, doesn’t see a bug bounty program as opening up an organization to additional risk. Systems are already open to the public and criminals aren’t following any rules, reporting their findings, or asking questions. Bounty programs, on the other hand, have scopes and rules, can limit who is involved, and can even vet hackers to invite only those with specific experience, or who’ve passed background checks, or who are from specific countries. The DoD used the latter to limit early program participation to the so-called Five Eyes countries of the U.S., the United Kingdom, Canada, Australia, or New Zealand.
“There are rules about what you can and can’t do (in a bug bounty program),” said Jack. “The reality is that hackers want to help you and they want to help themselves, so they’re going to abide by the rules. There are technical precautions you can take to make sure your testing is safe.”
Going forward, Kris sees hacker-powered security as a partnership because the organization and hackers are working together to make everyone safer. That’s helped him expand the DoD’s use of hacker-powered security and get this risk-averse agency comfortable working with the hacker community. Jack agreed, saying that “both hackers and organizations have the same goal in mind, and that’s finding vulnerabilities and preventing them from being exploited.”
To watch this and other Security@ 2019 sessions, visit hackerone.com/security-at/2019.