DOM Defense Department Seeks SUB Hackers, Tech Companies For Partnership Built On Distrust

from the how-do-you-do,-fellow-computer-geeks dept

The Department of Defense (home of the NSA!) has decided it's finally time to start looking to outsiders for help securing government systems. It has started a bug bounty program, which in true cyberwar machine fashion, will scare away more helpful hackers than it will gather.

Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.

Once vetted, hackers will participate in a controlled, limited duration program allowing them to identify vulnerabilities on a predetermined department system.
So, hackers will pretty much need to obtain security clearance to play around in the Defense Department's walled sandbox, which apparently doesn't contain anything the DoD should really be concerned about.
Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.
Despite these limitations, Defense Secretary Ash Carter thinks the program will be a success. He believes the DoD and whatever hackers actually make it past the vetting process will "enhance national security" by playing controlled cyberwar games in a controlled environment.

Carter wants to see more cooperative efforts in the future. But his department has been anything but friendly to security researchers and hackers in the past. In an "open letter" to Secretary Carter, Robert Graham of Errata Security points out he's received veiled threats from the DoD in the past targeting his research efforts.
For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
An earlier post on the subject of the government's "war on hackers" adds a few more details, along with the possible consequences of not performing research in accordance with the department's "rules."
I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real -- giving the government the ability to declare my scans "malicious" and to seize all my assets. It's the Treasury Department who makes these decisions -- from their eyes, "security research" is indistinguishable from witchcraft, so all us researchers are malicious.
This sort of thing undermines Ash Carter's olive branches and bug bounties. The Defense Department wants help, but only from certain people (those who can pass its vetting process) and only in certain areas, under direct supervision and for a limited time. The areas where intrusions would wreak the most havoc will not have the benefit of having another set of eyes on them.

Carter wants a partnership but partnerships are built on trust. The DoD has threatened researchers in the past and it's now demanding anyone entering its bug bounty program to survive its vetting process. The DoD isn't willing to trust anyone, but it's asking private companies and citizens to lend it some trustworthiness without offering a repayment plan or even an equitable position on the ground floor.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Rich Kulawiec, 8 Mar 2016 @ 3:41am

    This is a non-starter

    "Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check."

    Which means submitting huge amount of personal information to the OPM.

    Which means handing it over to an agency that has already been massively hacked at least once...that we know of. And in all probability has been compromised repeatedly over a long period of time. And in all probability will be compromised repeatedly in the future.

    Which means putting not only oneself, but one's family at risk in order to do volunteer work for a government agency so incredibly overfunded that it can piss away billions on a fighter aircraft that kills its pilots.

    Ummmm....no.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Mar 2016 @ 3:52am

    What's DOM and SUB?

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 8 Mar 2016 @ 4:53am

    I don't see what the problem is...
    they have made sure that no US researchers want to get anywhere near them, which opens the door for snakeoil pet projects to secure things... no hacker wants to risk rendition to prove the emperor is naked (well publicly).

    So we will spend billions to not be any more secure, while those in charge sit back knowing their corporate buddies got this covered... until the entire staffs tax refunds end up funneled out of the country.

    This is not how you make things better, this is how you rattle your saber to keep the white hats from looking.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Mar 2016 @ 5:38am

    Your Background checks didn't work out. We found out you're a hacker - sorry.

    reply to this | link to this | view in chronology ]

  • icon
    Groaker (profile), 8 Mar 2016 @ 6:09am

    I seem to remember a War Game before the Iraq war, in which the commander of the forces playing Iraq won. The military decided his tactics were not "fair" because they were unexpected. And the win was given to the commander of the American forces.

    I can only assume that the same rules will apply.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 8 Mar 2016 @ 6:23am

      Re:

      And rightly so! I mean really, has the man no honor, using tactics that his opponent didn't expect and failing to take the honorable path and send detailed plans of his capabilities, gear and tactics to the other side beforehand?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Mar 2016 @ 7:56am

        Re: Re:

        US wargames and exercises frequently stack odds against the 'blue' forces at the start; what the exercise directorate are looking for is reaction and adaptation. If the 'blue' force actually wins an exercise more power to them.

        This sounds like the same thing: the odds are stacked against the 'white hats' before things get underway.

        reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 8 Mar 2016 @ 8:14am

        Re: Re:

        They made a movie of that sort of reaction: Down Periscope.

        Stack the odds against the 'away' team, then do everything in your power to hobble them when it looks like they're going to win.

        Now if you can avoid a "Murmansk Brushing Incident"...

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Mar 2016 @ 7:35am

    come be our scapegoats is a rather untempting offer

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 8 Mar 2016 @ 2:16pm

    Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.

    Is this the same kind of "off-limits" that applied to the Senate staff investigating the CIA's systems? I mean, if they have bugs that can lead people using specially designed search engine to "restricted" files, then how much do you want to bet that security researchers specifically looking for bugs will get in? Unless of course, this whole thing is just a plot to do exactly that in order to prove that computer security is equivalent to terrorism.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer
Anonymous number for texting and calling from Hushed. $25 lifetime membership, use code TECHDIRT25
Report this ad  |  Hide Techdirt ads
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.