On Wednesday, Pentagon officials announced a new program offering financial incentives to white hat hackers who attack Department of Defense websites, calling the program “bug bounty.”
The program, set to begin in April, calls for the Pentagon to select a group of hackers, give them Defense Department targets, and ask them to inflict as much damage as possible. As part of the program, the hackers would report findings to the DoD, identifying cybersecurity gaps as well as possible patches, to ensure future protection against cyberterrorism.
Secretary of Defense Ashton Carter welcomed the plan, saying “I am always challenging our people to think outside the five-sided box that is the Pentagon.” He said that “inviting responsible hackers to test our cybersecurity certainly is in keeping with that imperative.” Carter believes the “innovative initiative will strengthen our digital defense enhancing US national security.”
Similar “bug bounty” programs have proliferated in recent years inside the private tech sector. The BugCrowd.com website provides a list of over 470 companies that employ competitive hackers, including tech giants Google, Microsoft, PayPal, and Yahoo.
One Pentagon official downplayed any risks associated with the novel ploy, arguing “Nobody who is a ‘bad guy’ is waiting around for us to introduce a bug bounty to go after a DoD effort. They’re not waiting. They’re doing it now.” Explaining why the program is needed, the official noted, “We’re constantly under attack already. I can’t possibly emphasize that any more. Just like we have warfighters that are constantly under attack, our networks are constantly being attacked here.”
Defense Secretary Carter supported the need for simulating cyberattacks by emulating the tech sector’s favored security ploy. “This is a best practice. We should be doing this. We should be thinking of this throughout the entire development of any new technology or product service that we offer within the DoD.”
The question remains: Is the Pentagon seeking a novel way to detect and correct a flawed cybersecurity system, or will they pay hacktivists to embarrass them on the world stage? We’ll find out in April.