from the how-do-you-do,-fellow-computer-geeks dept
The Department of Defense (home of the NSA!) has decided it's finally time to start looking to outsiders for help securing government systems. It has started a bug bounty program which, in true cyberwar-machine fashion, will scare away more helpful hackers than it will gather.
Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.

So, hackers will pretty much need to obtain security clearance to play around in the Defense Department's walled sandbox, which apparently doesn't contain anything the DoD should really be concerned about.
Once vetted, hackers will participate in a controlled, limited duration program allowing them to identify vulnerabilities on a predetermined department system.
Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.

Despite these limitations, Defense Secretary Ash Carter thinks the program will be a success. He believes the DoD and whatever hackers actually make it past the vetting process will "enhance national security" by playing controlled cyberwar games in a controlled environment.
Carter wants to see more cooperative efforts in the future. But his department has been anything but friendly to security researchers and hackers in the past. In an "open letter" to Secretary Carter, Robert Graham of Errata Security points out he's received veiled threats from the DoD in the past targeting his research efforts.
For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.

An earlier post on the subject of the government's "war on hackers" adds a few more details, along with the possible consequences of not performing research in accordance with the department's "rules."
The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real -- giving the government the ability to declare my scans "malicious" and to seize all my assets. It's the Treasury Department who makes these decisions -- from their eyes, "security research" is indistinguishable from witchcraft, so all us researchers are malicious.

This sort of thing undermines Ash Carter's olive branches and bug bounties. The Defense Department wants help, but only from certain people (those who can pass its vetting process) and only in certain areas, under direct supervision and for a limited time. The areas where intrusions would wreak the most havoc will not have the benefit of having another set of eyes on them.
Carter wants a partnership, but partnerships are built on trust. The DoD has threatened researchers in the past, and it's now demanding that anyone entering its bug bounty program survive its vetting process. The DoD isn't willing to trust anyone, but it's asking private companies and citizens to lend it some trustworthiness without offering a repayment plan or even an equitable position on the ground floor.