After the huge success of the Hack the Pentagon bug bounty program, members of the Department of Defense and participating organizations are calling on other government agencies to copy the DoD program to improve cybersecurity.
“There could be a lot more, and we can all help a lot more. And we want to be able to produce those results and help secure the government a lot more. So we just need other departments to be as open as the DoD was for this program,” said Justin Calmus, head of hacker success at HackerOne, which provided the platform for the Hack the Pentagon program.
Calmus and others spoke at the Akamai Government Forum on Tuesday about the challenges and successes of a government bug bounty program.
Corey Harrison, deputy director of the Defense Digital Service, explained that though the program was successful, getting the department on board with inviting hackers into DoD systems was a constant struggle.
“We had to fight for every piece of this,” said Harrison, explaining that he was told to “get the hell out” of people’s offices for suggesting the idea and that the name “Hack the Pentagon” was a nonstarter.
“When they came to us, I was basically having no part of it,” said James Garrett, operations chief for the Department of Defense Public Web program.
Harrison explained that, as hard as it was to start the program, the fact that DoD was able to accomplish it with such success could inspire other agencies to do the same.
“I’d like to see other folks do more bug bounties,” Harrison said. “We’ll get totally beat up for it. Sure, just beat us all up and throw us out of the parking lot. But if it works, other agencies and other organizations have something to point to and say, ‘hey, I want to do that.’ I would love to see more of that, not just at Department of Defense but at other agencies as well.”
“The government in general has a huge IP space, they have so many assets. And to protect all those assets and keep an eye on everything is difficult,” Calmus said. “Leveraging a community of hackers and researchers is a really good way to get your costs as savings. You’re not paying for their time, you’re paying for them to produce results.”
Calmus told MeriTalk that these bug bounty programs not only enable agencies to reduce network security costs but also establish important relationships between hackers and the government.
“The most important thing that comes from hackathons is the relationship building. That goes a long, long way,” Calmus said. “When I was a CIO and I built that relationship with hackers, I used to get text messages when vulnerabilities were about to be submitted. That relationship went so far. And it’s awesome, it’s probably the best part of dealing with the community and dealing with vulnerabilities.”
According to Calmus, the hackers themselves, both in the U.S. and abroad, are motivated by the chance to exercise some patriotism by legally hacking the government.
“It’s always been a personal dream of mine to be able to help the government, and to do so legally is fantastic. It feels very patriotic to be able to do this kind of stuff,” Calmus said. “There was actually a 13-year-old kid from Pakistan and he found a vulnerability in DoD and he was very, very excited that he was able to participate for one, and two that he was able to help the U.S. be more secure. So, it was pretty awesome to hear him say that.”
Though Calmus said that there is still some resistance to bug bounty models, agencies are beginning to come around to the advantages. And hackers are jumping on the chance to disclose vulnerabilities to the government without punishment.
“If you’re a good hacker or researcher, there was no way for you to disclose those vulnerabilities to us,” said Harrison.
“A hacker or researcher should never feel bad to disclose a vulnerability,” agreed Calmus.