The Pentagon is paying hackers to test its key internal systems for vulnerabilities, and they are finding weaknesses faster than expected.
In a pilot project this past month, the Pentagon’s Defense Digital Service let about 80 security researchers into a simulated “file transfer mechanism” the department depends on to send sensitive e-mails, documents and images between networks, including classified ones. The effort was important enough that staff for new Defense Secretary James Mattis were briefed on the ongoing program his first day on the job.
Lisa Wiswell, whose title at DDS is “bureaucracy hacker,” said she told Pentagon cyber analysts to be on standby after the program started Jan. 11, but added that nothing would likely turn up for a week. Within hours, though, the first report from a hacker highlighting a risk arrived.
“That was surprising,” Wiswell said in an interview at her Pentagon office. “I was like, ‘I don’t know what else is going to come down the pike if we’ve got stuff that’s falling this quickly.’”
With concerns about cyber vulnerabilities rising across the U.S. government, the cyber firm Synack Inc. received a three-year, $4 million contract in September to carry out “bug bounties” across the Pentagon. The Redwood City, California-based company vetted and recruited security researchers from the U.S., Canada, Australia and the U.K., according to Mark Kuhr, Synack’s chief technology officer and a former National Security Agency analyst. The exercise ran through Feb. 7, with more expected.
Because of security concerns, hackers didn’t get direct access to operational networks. Instead, the digital service replicated the file transfer systems in a “cyber range,” a kind of digital laboratory resembling the original environment. Synack also added extra security layers to make sure adversaries couldn’t compromise the hackers’ computers or get into the range.
“We had to assume that their entire laptop is compromised – the Russians are sitting on the laptops – how do we prevent them from accessing the challenge,” Kuhr said. “How do we prevent them from accessing any vulnerabilities that could be taken from the challenge?”
Convincing senior leaders at the Pentagon that it was a safe endeavor took time and effort, the digital service said. Chris Lynch, director of the DDS, said he briefed Defense Secretary Mattis’s staff on their first day in office about the program. The file transfer tool is important because it securely moves some of the most important information for Defense Department missions, both within the Pentagon and in the field.
“We have an absolute need to be able to relay a command, trust that it’s going to get to a destination and interpret that and then do what it says,” Lynch said in an interview. “If there’s any element when you don’t have trust in that pipeline, that undermines a lot of how the department works.”
The digital service urged hackers to try to bypass the file-transfer protections, pull data out of a network they weren’t supposed to have reached, and “own the box,” or take control of the system. Officials won’t specify the gaps that were discovered, but say department cyber experts are now fixing the problems.
The program grew out of earlier projects by the digital service, which is part of the White House’s U.S. Digital Service, started by the Obama administration and so far retained under President Donald Trump. Last year, the service held “Hack the Pentagon,” where outsiders hunted for bugs in the Defense Department’s public websites. The file transfer exercise marked the first attempt to pool hacking talent for internal networks.
For Hack the Pentagon, participants were encouraged to publicly brag about their findings and share their identities. But in the latest initiative, the select hacking group is legally barred from revealing its research. Only Synack knows their names; the hackers were kept anonymous from Pentagon officials as well. Synack, which has run similar custom hacking programs at banks and credit card companies, also paid hackers based on the severity of the problem they uncovered. The biggest reward in the recent competition totaled $30,000.
The experiment comes as the Defense Department faces challenges in handling cybersecurity. The department has bolstered spending on capabilities and expertise to build better cyber defenses, yet in testing, critical combatant command missions remain at risk from advanced nation-state actors, according to the Pentagon testing director’s annual report published in January.
“Cyber-attacks are clearly a part of modern warfare, and DOD networks are constantly under attack,” the report said. “However, DOD personnel too often treat network defense as an administration function, not a warfighting capability,” and until that approach changes, the department “will continue to struggle to adequately defend its systems and networks from advanced cyber-attacks.”
In addition, the need for “red teams” – cyber experts who test whether department networks and systems can withstand intrusions – has more than doubled in the past few years. But a significant number have left for the private sector, finding better salaries and more relaxed work settings. As a result, the remaining red teams “are unable to meet current DOD demand,” the testing director said.
The digital service says other parts of the Pentagon have expressed interest in doing similar tailored hacking projects, including around the security of ground command and control systems and internal human resources portals. Sometimes it’s the simplest cracks found in the networks that most unsettle cyber experts.
“An adversary doesn’t need to spend millions of dollars focusing on the most serious, complicated flaws,” Wiswell said. “When we do stupid basic things you bet the adversary would rather use that vector into our networks because it’s cheaper – we’ve lowered the barrier to entry.”