Hack the Pentagon?!

On Thursday, March 31, 2016, the Department of Defense, arguably the world’s most powerful organization, announced it will partner with HackerOne for the “Hack the Pentagon” pilot program. For many outside of tech, this may sound implausible, crazy and maybe even irresponsible. Let’s look at how technology has evolved to the point where even the U.S. government is asking hackers to take their best shot.
It turns out that neighborhood watch works. One of the most effective ways of finding bugs is to ask those in the community to look for and report vulnerabilities to you.
Not long ago, an individual who found a security vulnerability in a company’s software could find themselves in court for trying to report that bug to a company. Over time, attitudes have shifted significantly. What was a risky hobbyist activity is now a viable and enviable career opportunity. Instead of legal gag orders, hackers are receiving invitations from companies to come hack them. The rewards paid make the best hackers wealthy.
There are good reasons for this shift in attitude. Our increasing reliance on technology is causing our collective attack surface to grow faster than we can keep up with. Cybercriminals are getting more sophisticated. The cost of a breach is becoming unbearable, resulting in stolen personally identifiable information, business disruption, damaged brands and the firing of executives. At the same time, finding vulnerabilities requires people with highly specialized skills and experience, and no company can hire all the best minds in security. So companies are turning to the public, inviting the best and brightest hackers to help them. Bug bounty programs have become the answer.
At least 20 years old, the bug bounty concept was started by Netscape, which called on its technical customer base to share bugs they found in exchange for rewards. It spread from there to other large makers of software like Mozilla, Google, Facebook and Microsoft. Today, bug bounty programs, and more generally vulnerability coordination programs, have become a best practice for any organization that needs to stay secure – and now that includes the Pentagon.
The majority of the world’s companies did not start out as software companies running agile development processes. They started out in manufacturing, automotive, retail, banking and myriad other industries. But now every company is a software company. And with this shift, all companies must adopt best practices in software development, which include activating the worldwide hacker community to find and report vulnerabilities in their connected software before criminals can exploit them.
In the networked economy, help is just one click away when you have a “security@” email inbox to receive vulnerability reports from the public. The Department of Defense is in good company; just this January, General Motors launched its public vulnerability coordination program, inviting hackers to report flaws found in its web properties and vehicles. A little earlier, a bug bounty program was launched for the Wi-Fi-enabled Barbie doll. Just recently, Uber opened up its program to the public and launched a loyalty program for hackers.
No organization is so powerful that it does not need outside help in identifying its bugs. Furthermore, to be truly strong, an organization must admit that it has vulnerabilities. Only then can they be identified and fixed, and we can all become more secure.
Thousands of white hat hackers stand ready to help those who are both willing to invite, and ready to accept, help. We’ve entered the era of the global neighborhood watch. It’s working, and it’s making the Internet more secure.
– Mårten Mickos