At noon on Wednesday, 500 hackers from across the country began attacking the U.S. Army’s digital recruitment infrastructure, including websites and databases containing the personal information of new applicants and existing Army personnel. They will spend the next three weeks probing the systems to identify previously unknown vulnerabilities in return for “tens of thousands of dollars” in cash rewards, in a program called Hack the U.S. Army.
Asking hackers to help find vulnerabilities isn’t exactly a new concept. “Bug bounty” programs are de rigueur for Silicon Valley giants like Facebook, Google, Microsoft, and, most recently, Apple, which use them to find flaws that in-house developers never would. But it is new for the U.S. military, and it’s a major step into the unknown.
“The Army is reaching out directly to a group of technologists and researchers who are trained in figuring out how to break into computer networks they’re not supposed to, people we normally would have avoided,” Secretary of the Army Eric Fanning said when announcing the program.
Hack the Army is the latest expansion of a program launched earlier this year that encourages hackers — ones with a clean criminal record and Social Security number — to attack the government’s online systems in order to expose vulnerabilities before truly malevolent hackers, or hostile governments, get there first.
The U.S. military broke new ground with its first bug bounty program, called Hack the Pentagon, which was held in April and May. That first foray involved some 1,400 hackers and uncovered 138 vulnerabilities, with the Department of Defense paying out a combined $71,200 to the successful hackers. The total cost of the program was $150,000, whereas it would have cost $1 million to hire an outside firm to conduct a similar evaluation of the Pentagon’s security, the government said.
As a result of the success of that program, the DOD green-lit Hack the Army to start this week. This time around, however, the hackers aren’t just going after static websites; they’re also hitting “mission critical” parts of the Army’s infrastructure as the government looks to expand the scope of this program.
Two private security companies have been tapped to run the bug bounty programs, including Hack the Army. HackerOne and Synack last month signed a joint $7 million contract with the government to run up to 14 of these programs across many of the government’s digital properties in the coming years.
Alex Rice, CTO of HackerOne and former head of product security at Facebook, said the inaugural program was “pretty incredibly successful,” adding that inviting hackers to attack your systems is a great way to improve security.
“No matter who your adversaries are, you are absolutely improving your security by asking the friendly hacker community to role-play with you a bit and identify [vulnerabilities] you may have missed,” Rice told VICE News.
The latest call for hackers comes just one week after the U.S. Navy announced that personal details including names and Social Security numbers of 134,386 current and former soldiers were compromised when hackers accessed a laptop being used by a Navy contractor. This follows in a series of embarrassing security breaches for the government in recent years, including the theft of over 20 million personal records from the Office of Personnel Management and the hacking of the Democratic National Committee’s server in October.
The hackers involved in the latest program won’t have access to critical systems, such as navigation controls for drones or sensitive Army communications networks. But there is some risk in working with hackers.
“It’s not always clear who you are dealing with. You don’t know whether you are working with a white hat or a black hat,” Gus Anagnos, the former head of PayPal’s bounty program and a current Synack employee, said in an interview last year.
The DOD aims to limit the risk by only using hackers who are eligible to work in the U.S. and who pass security and criminal background checks. But some in the industry say that won’t bring the best results: Several security experts claim that the stringent background checks hackers must pass to be accepted into the bug bounty program end up excluding a lot of the best talent out there.
One big problem in restricting who can take part in the bug hunts is the risk that hackers who find vulnerabilities but can’t cash in on them will look elsewhere for a reward. There’s no shortage of places where a vulnerability in a government website or database could be sold.
Another potential problem: If the bug bounty program isn’t working properly, the participating hackers might decide to go rogue. This happened to Facebook in 2013, when a hacker tried to submit a vulnerability to its bug bounty program, was refused, and then proceeded to hack the Facebook page of CEO Mark Zuckerberg.
But the government is at least trying, and launching the bug bounty programs shows a willingness to change its attitude.
“What’s changed is the government’s willingness to allow you to hack us,” Lisa Wiswell from the DOD’s Defense Digital Service office, said in April. “Many in government are more humble now than historically, and they are coming around and acknowledging that we need help.”