US military to pay bounties to security experts who ‘hack the Pentagon’

The US Department of Defense has invited pre-approved hackers to test the security of the Pentagon and disclose vulnerabilities for cash rewards. This will be the first such challenge ever offered by the federal government.

The “Hack the Pentagon” pilot program, announced by the Defense Department on Wednesday, will challenge vetted hackers to break into public Pentagon websites in order to test their security. The program is modeled after the “bug bounties” that large US companies have run to discover vulnerabilities in their networks, but until now such efforts have been confined to the private sector.

The challenge is intended to bring bugs to the attention of responsible authorities before bad actors can exploit them. Bug bounties have done this at scale in the private sector: Facebook said that it paid almost $1 million in 2015 to 210 independent researchers who told the social media giant about bugs that could degrade the user experience.

The DoD’s bug bounty program is due to begin in April, but candidates must register and pass a background check before they are allowed to (legally) hack the Pentagon. The approved hackers will take part in a “controlled, limited duration program that will allow them to identify vulnerabilities on a predetermined department system,” limited to certain non-critical components such as public Pentagon websites. In the future, the Pentagon plans to extend the challenge by making applications and networks fair game as well.

People taking part in the competition will be eligible for a financial reward, but the DoD hasn’t given any numbers yet.

“I am always challenging our people to think outside the five-sided box that is the Pentagon,” Secretary of Defense Ashton Carter wrote in a statement. “Inviting responsible hackers to test our cybersecurity certainly meets that test. I am confident this innovative initiative will strengthen our digital defenses and ultimately enhance our national security.”


Carter told reporters that the Pentagon, which has the highest IT spending of any organization in the world, needs to adopt best practices because it’s “not getting good grades across the enterprise.”

“We can’t just keep doing what we’re doing. The world changes too fast; our competitors change too fast,” he said at the RSA cybersecurity conference, according to Reuters.

Also in attendance at RSA was former Google CEO Eric Schmidt, who will head a new Pentagon advisory board that intends to bring the tech industry’s innovation to the US military.

Secretary of Defense Ash Carter holds a press conference with former Google CEO Eric Schmidt in San Francisco, March 2, 2016 © Ash Carter

Schmidt, who now serves as executive chairman of Google’s parent company Alphabet Inc., said that the new Defense Innovation Advisory Board would help bridge a gap between how the military and Silicon Valley operate, according to Reuters.

The US government has been increasingly plagued by cyberattacks in recent years, the most damaging of which was the breach of the Office of Personnel Management that exposed the private information of millions of government employees. Last year, the Pentagon itself suffered a hack that forced its unclassified email system to be shut down for weeks.