Hack the Pentagon: Leap Forward or Retrograde Action?
I want to make sure that you understand that I think that the “Hack the Pentagon” project is a great idea. I also want to make it clear that I think it is far too little, far too late.
To put things in perspective for those unfamiliar with history: The DOD was a leading character in one of the earliest known cases of “cyber-espionage” back in the 1980s. It has been a participant in some of the most significant events in computer/cyber-security history. The DOD literally wrote the book on what the kids are calling “cyber” these days, and contrary to popular belief has been doing it far longer and better than most can imagine.
And now its 2016 and they’re letting a few select people poke around on a web site for a chance to win a few thousand dollars.
Where to begin?
The sum total prize money available is $150,000. DOD-budget-wise that’s the loose change in some Assistant to the Assistant Deputy Undersecretary’s sofa cushions. That’s maybe the price of a low-rent 0-day, depending on the system it works on and the capability it provides. If ten parties sign up for this project and they all discover one respectable vulnerability, that’s $15,000/company. If they find more than ten vulnerabilities, which you know they’re going to do, the reward-to-work ratio drops off precipitously.
Testers can only work against certain systems. I get it: you don’t want a bunch of randos picking at the scabs of mission-critical systems. But real bad guys are not going to respect your artificial boundaries.
Only “U.S. Persons” can participate, and then only those who can pass a background check are eligible to get paid. This is, in the words of the government, to ensure that “taxpayer dollars are spent wisely.” Which would be funny if every case of waste/fraud/abuse wasn’t committed by people who’d passed background checks. Its funnier when you consider these same systems are being tested for vulnerabilities right now by people who are not U.S. Persons.
The Secretary of Defense said “This initiative will put the department’s cybersecurity to the test in an innovative but responsible way,” which is like saying walking to the grocery store is a novel way of solving world hunger and global warming. He went on to say: “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot,” which is like asking Pro Bowlers to sign up for your High School Punt-Pass-Kick competition.
I get that this is a pilot, so everything is on a much smaller scope and scale than would be ideal, but this is an effort that should have seen the light of day in the late 90s, not the mid-‘10s. A serious pilot, one that would actually illustrate the breadth and depth of problems on publicly facing sites, would have 100x the funding (still a rounding error in the DOD budget). It would not preclude people who’ve made mistakes in the past (some of the best minds in the business) from being compensated, and it would apply to every non-mission-critical site.
The DOD is not a stranger to offensive testing. They have very smart and skilled people who could have made this a much larger and more meaningful project than it is, but clearly none of those people had the juice to make it happen. Instead we get ‘Hack the Pentagon,’ which as a concept is decades too late and as a practical matter far too simple to produce meaningful results.