Hack the Pentagon: ‘Better if DoD made its systems secure in the first place’

An aerial view of the Pentagon building in Washington © Jason Reed
The notion of the Pentagon trying to break into its own systems in order to find out whether it’s secure is not terrible, said Gary McGraw, chief technology officer of Cigital. It’s better to test things ahead of time and build in security, he added.

The Pentagon is inviting volunteers to hack its websites offering a cash prize. It is a part of a government-sponsored ‘Hack the Pentagon’ pilot program aimed at weeding out security flaws. However, only vetted specialists are welcomed to take part in the program.

RT: What’s your take on this program? What is the purpose of launching it?

Gary McGraw: I think that the best way to go about doing something like this is to build things to be secure in the first place. So the notion of trying to break something in order to find out, whether it’s secure is not terrible, but it’s much better to design things to be secure, to test them ahead of time and to build security in.

RT: The Pentagon wants the hackers who want to take part in the program to give away their personal information. Will it be a problem for many, so that the real computer geniuses will stay away of the project?

GM: Some people think that it’s a problem with this program, but I am less concerned about giving away personal information, than I am concerned about approaching the problem from the wrong side. So the idea that you can build a security system by breaking it at the end of the life cycle is absolutely wrong.

… It’s very clear that not all of the hackers that are participating in bug bounty programs are criminals, or would have a problem passing a background check. One question you might ask though is: why they would do that if they don’t have to do that in other cases.

RT: What are your personal expectations?

GM: My expectations are that the Pentagon will finally figure out that they should build things properly in the first place and not try to pay people to break them once they have already built them. Perhaps their defense contractors should figure out how to approach this problem properly through security engineering instead of just approaching it through hacking. 

Marc Rogers, head of security at Defcon, says the Pentagon “is being smart” looking for outside talent to help it find vulnerabilities in the systems. 

RT: What do you think is the purpose of the Pentagon launching this kind of program which is going to engage real hackers?

Marc Rogers: I think it’s simple: the Pentagon has realized that they need outside talent to help them with securing their systems. The US government has been hacked numerous times over the last few years. It is clear that the traditional services that they employ to protect them aren’t working. So being smart they’ve realized that the best thing to do is to find real hackers and to get them to look for vulnerabilities.

RT:The Pentagon Press Secretary Peter Cook said in March that only vetted computer security specialists will be allowed ‘to hack’ DoD (Department of Defense) public web pages. Doesn’t that mean that a lot of really skillful hackers will be kept out of the program?

MR: I think the rules that are put in place are a mistake. Those rules will scare away most of the real hackers. Professional hackers don’t like people looking too closely. A lot of really skilled hackers have some sort of checkered past because they started out doing bad things before they became good. That means they are going to exclude some of the brightest and some of the best from participating. But this is early days – this is kind of the US government getting comfortable with the idea of letting hackers loose to protect their systems. Hopefully one or two professional hackers will respond and will give them confidence and next time they’ll take away some of these ridiculous rules.

RT: Why do you think the DoD is implementing these kinds of rules?

MR: The rules are a hangover from the kind of mistrust of the past. If you go back about 10 years, if you look at the attitude the US authorities and the US government had toward hackers – that they were evil and dangerous – over these 10 years they have gradually come around to realize that most of them are just kids, they are also very skilled and they are the people who are going to solve these problems. But there are still some legacy concerns – there are still probably quite a few people, who have been in the government for a long time, who still don’t trust hackers. This is a kind of a baby step in the right direction.

The statements, views and opinions expressed in this column are solely those of the author and do not necessarily represent those of RT.