White-Hat Hackers Find 138 Cyber Vulnerabilities at Pentagon

Defense Secretary Ash Carter speaks about the fight against ISIS at the Pentagon on March 25, 2016. (AP Photo/Mauel Balce Ceneta)

ARLINGTON, Va. — Defense Secretary Ashton Carter said today that the Pentagon saved money finding cyber vulnerabilities by inviting white-hat hackers to hack the Department of Defense.

At a “Hack the Pentagon” event today honoring some of the winning hackers, Carter said that out of 1,400 hackers invited to take part in the challenge more than 250 participated from 44 states and discovered one or more vulnerability reports.

Those reports were then sent through a contractor, HackerOne, to determine if they were “legitimate, unique and eligible for a bounty.” Out of the reports, 138 made the cut.

Carter said the cyber security flaws uncovered “would have been trouble,” and “that’s why they’re eligible for a reward.

“Today, a little more than a month after the pilot finished, we’ve remediated each and every one of these vulnerabilities found. In total now, this pilot cost $150,000. It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” he said.

“Also, by allowing outside researchers to find holes and vulnerabilities on several sites and subdomains, we freed up our own cyber specialists to spend more time fixing them than finding them.”

One of the winning hackers, a high school student who lives in the Beltway, joined Carter at the event.

“For them and many others, this was about more than a reward or a bounty, it was about an opportunity to contribute to making our country safer,” the Defense secretary said.

The Pentagon is going to expand the “bug bounty” programs and create a “standing point of contact for researchers and technologists to safely and securely submit information about DoD security gaps that they come upon.”

“We’re going to include incentives in our acquisition guidance and policies so that contractors who work on DOD systems can also take advantage of innovative approaches to cybersecurity testing. For example, in some circumstances, we will encourage contractors to make their technologies available for independent security reviews such as bug bounties before they deliver them to us. This will help them make their code more secure from the start, and before it’s installed on our system,” Carter said.

“We know that state-sponsored actors and black-hat hackers want to challenge and exploit our networks. We know that. What we didn’t fully appreciate before this pilot was how many white-hat hackers there are who want to make a difference, who want to help keep our people and our nation safer.”

The Defense chief didn’t elaborate on the “wide range” of vulnerabilities found, “but the good thing about this is they’re reported to us.”

“These are ones we weren’t aware of. And now we have the opportunity to fix them,” Carter said. “And again, it’s a lot better than either hiring somebody to do that for you, or finding out the hard way.”