When the Pentagon wants to find a vulnerability, it calls a white hat hacker.
While some U.S. government agencies struggle with adopting more nimble IT technologies and practices, the Defense Department is showing how embracing programs such as bug hunting, vulnerability disclosure programs and hackathons can help uncover software flaws and keep infrastructure safe at a time when nation-state hacking is on the rise.
This same approach to bug hunting is also creating a market for white hat or ethical hackers with the right skills and talents to work with one of the U.S. government’s largest and most complex agencies.
While the Defense Department has been running “Hack the Pentagon” programs since 2016, a report released in late February shows how successful and important these and other initiatives have become in securing its vast IT infrastructure.
The unclassified report, prepared by the Defense Department’s Cyber Crime Center, looks at the DoD’s Vulnerability Disclosure Program (VDP) over the course of 2019, and finds a nearly 22 percent increase in the amount of submission reports compared to 2017. Of the 4,013 vulnerability reports submitted last year; 2,836 were validated by the Pentagon and assigned for mitigation. These vulnerabilities, the report notes, were previously unknown to the DoD and not found by automated network scanning software, red teams, manual configuration checks or cyber inspections.
All of this is the work of nearly 1,500 white hat hackers and researchers working in concert for the Defense Department. “The unity of effort every step of the way has been and remains truly incredible, making clear the value of ‘strength in numbers’ in aligning the capabilities and talents of multiple partner elements working together to achieve common ends,” Jeffrey Specht, the executive director of the DoD’s Cyber Crime Center, writes in the report.
Over the four years that the Pentagon has run its Vulnerability Disclosure Program, it has driven a new perspective on how a large government agency can work with outside security professionals to make a difference, says Deborah Chang, vice president of policy at HackerOne.
“‘Governments lead the way' isn’t a phrase you often hear, especially in technology,” Chang tells Dice. “But in the realm of hacker-powered security, governments and government agencies are decidedly progressive on their use and promotion of this proven approach to cybersecurity.”
Finding Timely Vulnerabilities
The 2019 DoD report finds that many of the vulnerability reports submitted to the Pentagon pertain to flaws in web services and servers. Over the past year, however, white hat hackers have also found an increasing number of security issues with VPN endpoints.
The focus on VPNs comes at a time when some of the most popular of these services, including ones used by the Defense Department, are under attack. In recent months, security firms have found that nation-state hackers have been attempting to exploit unpatched vulnerabilities in Fortinet, Pulse Secure and Palo Alto Networks VPN servers as well as Citrix remote gateways.
This is the benefit of having white hat and ethical hackers to call on: Finding those vulnerabilities that might be missed by the Pentagon’s own internal teams despite the amount of resources that the department can deploy, says Casey Ellis, CTO at Bugcrowd, a crowdsourced security company.
“The DoD has a tremendous internal penetration testing and red team, but it's still a finite resource in terms of the time they have for testing, and the skills and approaches they have in-house. The crowd augments this, and balances that equation against what the bad guys have available to them,” Ellis tells Dice. “As the speed of technology change continues to accelerate, the opportunity for government in private/public partnerships is to insource and double-down on the core responsibilities, while outsourcing the context and integrating learning from the experts.”
It’s these types of successes in finding software vulnerabilities that have pushed the rest of the U.S. government, through the Department of Homeland Security, to create a binding operational directive that would require all federal agencies, including civilian agencies, to adopt a VDP.
“While this directive speaks to the value that the outside security researcher community provides, it also underscores the importance of the full vulnerability life cycle, including how to communicate with security researchers acting in good-faith all the way to vulnerability handling and remediation,” Chang says.
Breaking Into White Hat Hacking
For those IT or security professionals looking to take advantage of these types of government-sponsored hacking and bug hunting programs can expect a decent payday, with the Defense Department spending about $34 million on these programs.
In terms of skills, Ben Sadeghipour, head of hacker operations at HackerOne, says that IT pros need an offensive mindset and to know some of the basics of security and hacking government systems.
“For example, if you are hacking on a web scope, being comfortable with the basics of Web technology and hacking concepts will help you hack any bug bounty program, including the DoD,” Sadeghipour says.
Ellis adds that good white hat hackers also need to think a bit like their black hat counterparts: “Curiosity, tenacity, and the tendency to enjoy thinking like a criminal while having no desire to actually be one.”