An inaugural crowdsourced security inspection of Defense Department computing networks uncovered hundreds of vulnerabilities at a fraction of the cost of a third-party network audit, Secretary of Defense Ash Carter said Friday.
The “Hack The Pentagon” event was not only the first “bug bounty” conducted by the Pentagon, it was the first such program in the entire federal government. Bug bounties, in which benign hackers are recruited to probe a network for vulnerabilities and are rewarded for finding legitimate security flaws, are a common practice in the private sector, Carter said.
A total of 1,400 eligible hackers from 44 states participated in the inaugural “Hack The Pentagon” competition. They collectively identified 250 perceived vulnerabilities and submitted reports on each. Of those, 138 vulnerabilities were determined to be legitimate, unique security flaws and were eligible for a bounty.
The vulnerabilities, if found by an enemy hacker, would have caused major “trouble,” Carter said Friday at a Pentagon press conference announcing the program results. All the eligible vulnerabilities have been remedied, he added.
“These were ones we were not aware of and now we have the opportunity to fix them,” Carter said. “It’s better than hiring someone to do that or finding out the hard way.”
Bringing private “white hat” hackers on board to hack the Pentagon cost a total of $150,000, Carter said. Hiring a private firm to perform a network security audit would cost more than $1 million, he said.
“Beyond the security fixes we have made we have built stronger bridges” to private sector efforts to secure computing networks, Carter said.
Carter has ordered every component of the Defense Department to initiate bug bounties of its own as an affordable, efficient way to fix and maintain network security.