Defense Department Seeks Hackers, Tech Companies For Partnership Built On Distrust

from the how-do-you-do,-fellow-computer-geeks dept

The Department of Defense (home of the NSA!) has decided it’s finally time to start looking to outsiders for help securing government systems. It has started a bug bounty program, which in true cyberwar machine fashion, will scare away more helpful hackers than it will gather.

Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.

Once vetted, hackers will participate in a controlled, limited duration program allowing them to identify vulnerabilities on a predetermined department system.

So, hackers will pretty much need to obtain security clearance to play around in the Defense Department’s walled sandbox, which apparently doesn’t contain anything the DoD should really be concerned about.

Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.

Despite these limitations, Defense Secretary Ash Carter thinks the program will be a success. He believes the DoD and whatever hackers actually make it past the vetting process will “enhance national security” by playing controlled cyberwar games in a controlled environment.

Carter wants to see more cooperative efforts in the future. But his department has been anything but friendly to security researchers and hackers in the past. In an “open letter” to Secretary Carter, Robert Graham of Errata Security points out he’s received veiled threats from the DoD in the past targeting his research efforts.

For security research, I regularly “mass scan” the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn’t merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.

An earlier post on the subject of the government’s “war on hackers” adds a few more details, along with the possible consequences of not performing research in accordance with the department’s “rules.”

I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real — giving the government the ability to declare my scans “malicious” and to seize all my assets. It’s the Treasury Department who makes these decisions — from their eyes, “security research” is indistinguishable from witchcraft, so all us researchers are malicious.

This sort of thing undermines Ash Carter’s olive branches and bug bounties. The Defense Department wants help, but only from certain people (those who can pass its vetting process) and only in certain areas, under direct supervision and for a limited time. The areas where intrusions would wreak the most havoc will not have the benefit of having another set of eyes on them.

Carter wants a partnership, but partnerships are built on trust. The DoD has threatened researchers in the past, and it is now demanding that anyone entering its bug bounty program survive its vetting process. The DoD isn’t willing to trust anyone, but it’s asking private companies and citizens to lend it some trustworthiness without offering a repayment plan or even an equitable position on the ground floor.


Comments on “Defense Department Seeks Hackers, Tech Companies For Partnership Built On Distrust”

Rich Kulawiec (profile) says:

This is a non-starter

“Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.”

Which means submitting a huge amount of personal information to the OPM.

Which means handing it over to an agency that has already been massively hacked at least once…that we know of. And in all probability has been compromised repeatedly over a long period of time. And in all probability will be compromised repeatedly in the future.

Which means putting not only oneself, but one’s family at risk in order to do volunteer work for a government agency so incredibly overfunded that it can piss away billions on a fighter aircraft that kills its pilots.


That Anonymous Coward (profile) says:

I don’t see what the problem is…
they have made sure that no US researchers want to get anywhere near them, which opens the door for snakeoil pet projects to secure things… no hacker wants to risk rendition to prove the emperor is naked (well publicly).

So we will spend billions to not be any more secure, while those in charge sit back knowing their corporate buddies got this covered… until the entire staff’s tax refunds end up funneled out of the country.

This is not how you make things better, this is how you rattle your saber to keep the white hats from looking.

Anonymous Coward says:

Re: Re: Re:

US wargames and exercises frequently stack odds against the ‘blue’ forces at the start; what the exercise directorate are looking for is reaction and adaptation. If the ‘blue’ force actually wins an exercise more power to them.

This sounds like the same thing: the odds are stacked against the ‘white hats’ before things get underway.

Anonymous Coward says:

Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.

Is this the same kind of “off-limits” that applied to the Senate staff investigating the CIA’s systems? I mean, if they have bugs that can lead people using a specially designed search engine to “restricted” files, then how much do you want to bet that security researchers specifically looking for bugs will get in? Unless, of course, this whole thing is just a plot to do exactly that in order to prove that computer security is equivalent to terrorism.
