Defense Department Seeks Hackers, Tech Companies For Partnership Built On Distrust
from the how-do-you-do,-fellow-computer-geeks dept
The Department of Defense (home of the NSA!) has decided it's finally time to start looking to outsiders for help securing government systems. It has started a bug bounty program, which, in true cyberwar machine fashion, will scare away more helpful hackers than it will gather.
Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.
So, hackers will pretty much need to obtain security clearance to play around in the Defense Department's walled sandbox, which apparently doesn't contain anything the DoD should really be concerned about.
Once vetted, hackers will participate in a controlled, limited duration program allowing them to identify vulnerabilities on a predetermined department system.
Of course, some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.
Despite these limitations, Defense Secretary Ash Carter thinks the program will be a success. He believes the DoD and whatever hackers actually make it past the vetting process will "enhance national security" by playing controlled cyberwar games in a controlled environment.
Carter wants to see more cooperative efforts in the future. But his department has been anything but friendly to security researchers and hackers in the past. In an "open letter" to Secretary Carter, Robert Graham of Errata Security points out he's received veiled threats from the DoD in the past targeting his research efforts.
For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.
An earlier post on the subject of the government's "war on hackers" adds a few more details, along with the possible consequences of not performing research in accordance with the department's "rules."
The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real -- giving the government the ability to declare my scans "malicious" and to seize all my assets. It's the Treasury Department who makes these decisions -- from their eyes, "security research" is indistinguishable from witchcraft, so all us researchers are malicious.
This sort of thing undermines Ash Carter's olive branches and bug bounties. The Defense Department wants help, but only from certain people (those who can pass its vetting process) and only in certain areas, under direct supervision and for a limited time. The areas where intrusions would wreak the most havoc will not have the benefit of having another set of eyes on them.
Carter wants a partnership, but partnerships are built on trust. The DoD has threatened researchers in the past, and it's now demanding that anyone entering its bug bounty program survive its vetting process. The DoD isn't willing to trust anyone, but it's asking private companies and citizens to lend it some trustworthiness without offering a repayment plan or even an equitable position on the ground floor.
Filed Under: bug bounty, cybersecurity, defense department, hack the pentagon, hacking
Reader Comments
This is a non-starter
Which means submitting a huge amount of personal information to the OPM.
Which means handing it over to an agency that has already been massively hacked at least once...that we know of. And in all probability has been compromised repeatedly over a long period of time. And in all probability will be compromised repeatedly in the future.
Which means putting not only oneself, but one's family at risk in order to do volunteer work for a government agency so incredibly overfunded that it can piss away billions on a fighter aircraft that kills its pilots.
Ummmm....no.
Re: This is a non-starter
No wonder the USAF is complaining about not having enough personnel.
They have made sure that no US researchers want to get anywhere near them, which opens the door for snake oil pet projects to secure things... no hacker wants to risk rendition to prove the emperor is naked (well, publicly).
So we will spend billions to not be any more secure, while those in charge sit back knowing their corporate buddies got this covered... until the entire staff's tax refunds end up funneled out of the country.
This is not how you make things better, this is how you rattle your saber to keep the white hats from looking.
I can only assume that the same rules will apply.
Re: Re:
This sounds like the same thing: the odds are stacked against the 'white hats' before things get underway.
Re: Re:
Stack the odds against the 'away' team, then do everything in your power to hobble them when it looks like they're going to win.
Now if you can avoid a "Murmansk Brushing Incident"...
Is this the same kind of "off-limits" that applied to the Senate staff investigating the CIA's systems? I mean, if they have bugs that can lead people using a specially designed search engine to "restricted" files, then how much do you want to bet that security researchers specifically looking for bugs will get in? Unless, of course, this whole thing is just a plot to do exactly that in order to prove that computer security is equivalent to terrorism.