Pentagon invites hackers to test its computer security

The Defense Department plans to invite hackers to break into its computer systems so it can find and fix weaknesses before they're exploited for real, joining a growing number of organizations that are getting security help from the public.

The initiative will be called "Hack the Pentagon" the department said in a news release Tuesday.


"I am always challenging our people to think outside the five-sided box that is the Pentagon," Defense Secretary Ashton B. Carter said in a statement. "Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security."

Such invitations are commonly called "bug bounty" programs. The organization that wants help will put up a cash rewards or the promise of public recognition in the hopes encouraging hackers to report problems directly rather than trying to sell security flaws on black markets.


Facebook, United Airlines and Microsoft all run such programs, as do many other major technology companies, but it's the first time the federal government has tried one out.

The Defense Department program will not be a free-for-all. The Defense Department said it will vet participants and only allow them to attack certain systems — computer networks that are critical to ongoing missions will be off limits.

The Pentagon has been the victim of high profile attacks in the past. Last year, hackers believed to be based in Russia broke into the unclassified email systems of the Joint Chiefs of Staff.

The department currently relies on dedicated groups of hackers known as red teams at the National Security Agency and elsewhere to probe its defenses and try to think like the enemy. But opening up the process to outside researchers and experts should bring a broader set of perspectives to bear.

Rock Stevens, an Army captain currently on leave at the University of Maryland, said the department's systems are so large that insiders alone can't find all the problems.

"There's no way you're going to have dedicated teams doing this even 24/7 that are going to find every vulnerability," he said.

Stevens and another officer based in Maryland warned last year that users of the Defense Department's computers were scared to report security problems for fear of being suspected of trying to gain access to information they were not supposed to.

"Personnel are hesitant to disclose known vulnerabilities in systems out of a fear of reprisal," Stevens and Capt. Michael Weigand wrote in a journal article advocating the creation of a bounty program.


"Revocation of security clearances, loss of access to IT systems, and punitive action under the Uniform Code of Military Justice are all viable outcomes for someone who casually stumbles upon an interesting finding during everyday work."

Stevens said the paper caught the attention of some senior officials but he's not sure it directly contributed to the Pentagon's new plan.

"Either way, this is an enormous step forward," he said.