DOM Defense Department Seeks SUB Hackers, Tech Companies For Partnership Built On Distrust
from the how-do-you-do,-fellow-computer-geeks dept
The Department of Defense (home of the NSA!) has decided it’s finally time to start looking to outsiders for help securing government systems. It has started a bug bounty program which, in true cyberwar machine fashion, will scare away more helpful hackers than it will gather.
Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.
Once vetted, hackers will participate in a controlled, limited duration program allowing them to identify vulnerabilities on a predetermined department system.
So, hackers will pretty much need to obtain security clearance to play around in the Defense Department’s walled sandbox, which apparently doesn’t contain anything the DoD should really be concerned about.
Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.
Despite these limitations, Defense Secretary Ash Carter thinks the program will be a success. He believes the DoD and whatever hackers actually make it past the vetting process will “enhance national security” by playing cyberwar games in a controlled environment.
Carter wants to see more cooperative efforts in the future. But his department has been anything but friendly to security researchers and hackers in the past. In an “open letter” to Secretary Carter, Robert Graham of Errata Security points out he’s received veiled threats from the DoD in the past targeting his research efforts.
For security research, I regularly “mass scan” the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.
The Department of Defense didn’t merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
An earlier post on the subject of the government’s “war on hackers” adds a few more details, along with the possible consequences of not performing research in accordance with the department’s “rules.”
I have to exclude the DoD from my scans, because they make non-specific threats toward me in order to get me to stop. This Executive Order makes those threats real — giving the government the ability to declare my scans “malicious” and to seize all my assets. It’s the Treasury Department who makes these decisions — from their eyes, “security research” is indistinguishable from witchcraft, so all us researchers are malicious.
This sort of thing undermines Ash Carter’s olive branches and bug bounties. The Defense Department wants help, but only from certain people (those who can pass its vetting process) and only in certain areas, under direct supervision and for a limited time. The areas where intrusions would wreak the most havoc will not have the benefit of having another set of eyes on them.
Carter wants a partnership, but partnerships are built on trust. The DoD has threatened researchers in the past, and it’s now demanding that anyone entering its bug bounty program survive its vetting process. The DoD isn’t willing to trust anyone, but it’s asking private companies and citizens to lend it some trustworthiness without offering a repayment plan or even an equitable position on the ground floor.
Comments on “DOM Defense Department Seeks SUB Hackers, Tech Companies For Partnership Built On Distrust”
This is a non-starter
“Under the pilot program, known as “Hack the Pentagon,” participants will be required to register and submit to a background check.”
Which means submitting huge amount of personal information to the OPM.
Which means handing it over to an agency that has already been massively hacked at least once…that we know of. And in all probability has been compromised repeatedly over a long period of time. And in all probability will be compromised repeatedly in the future.
Which means putting not only oneself, but one’s family at risk in order to do volunteer work for a government agency so incredibly overfunded that it can piss away billions on a fighter aircraft that kills its pilots.
Ummmm….no.
Re: This is a non-starter
That. Just find the vulnerabilities (if you want to have them address it) and release in the wild, damages be damned.
Re: This is a non-starter
I don’t know; I think of someone out there registering as Robert'); DROP TABLE Applicant;--. Could be lots of fun!
Re: This is a non-starter
“on a fighter aircraft that kills its pilots”
No wonder the USAF is complaining about not having enough personnel.
What’s DOM and SUB?
Re: Re:
Dominant bureaucrats and submissive citizens (at least in the dreams of bureaucrats).
I don’t see what the problem is…
They have made sure that no US researchers want to get anywhere near them, which opens the door for snake-oil pet projects to secure things… no hacker wants to risk rendition to prove the emperor is naked (well, publicly).
So we will spend billions to not be any more secure, while those in charge sit back knowing their corporate buddies have got this covered… until the entire staff’s tax refunds end up funneled out of the country.
This is not how you make things better, this is how you rattle your saber to keep the white hats from looking.
Your background checks didn’t work out. We found out you’re a hacker – sorry.
I seem to remember a War Game before the Iraq war, in which the commander of the forces playing Iraq won. The military decided his tactics were not “fair” because they were unexpected. And the win was given to the commander of the American forces.
I can only assume that the same rules will apply.
Re: Re:
And rightly so! I mean really, has the man no honor, using tactics that his opponent didn’t expect and failing to take the honorable path and send detailed plans of his capabilities, gear and tactics to the other side beforehand?
Re: Re: Re:
US wargames and exercises frequently stack odds against the ‘blue’ forces at the start; what the exercise directorate are looking for is reaction and adaptation. If the ‘blue’ force actually wins an exercise more power to them.
This sounds like the same thing: the odds are stacked against the ‘white hats’ before things get underway.
Re: Re: Re:
They made a movie of that sort of reaction: Down Periscope.
Stack the odds against the ‘away’ team, then do everything in your power to hobble them when it looks like they’re going to win.
Now if you can avoid a “Murmansk Brushing Incident”…
come be our scapegoats is a rather untempting offer
Of course some areas of the Department, such as “critical, mission-facing systems,” will be off-limits during the pilot.
Is this the same kind of “off-limits” that applied to the Senate staff investigating the CIA’s systems? I mean, if they have bugs that can lead people using a specially designed search engine to “restricted” files, then how much do you want to bet that security researchers specifically looking for bugs will get in? Unless, of course, this whole thing is just a plot to do exactly that in order to prove that computer security is equivalent to terrorism.