guglpatent.blogg.se

Combat arms hacks protection






Bug bounty programs have long been used by private corporations, especially those in the technology sector, as a cost-effective way to fix product issues and improve product security. In these programs, outside hackers are paid by organizations to legally expose cybersecurity vulnerabilities, which are then addressed internally.

Department of Defense (DoD) was not open to crowdsourced improvements to its cybersecurity infrastructure, strictly enforcing the Computer Fraud and Abuse Act against those attempting to hack its websites and systems. This changed in 2016, when the DoD stopped relying solely on internal personnel for its information security initiatives by experimenting with controlled bug bounty programs in which civilians were invited to expose vulnerabilities in public-facing DoD websites. Since then, the DoD has paid out over $350,000 to “ethical hackers” through its growing bug bounty programs, which are facilitated by private sector vulnerability coordination platforms such as HackerOne and Synack. This method of open innovation is now becoming important to the DoD for three reasons.

First, cultivating and maintaining cybersecurity talent is difficult. An October 2018 GAO report cited the DoD’s challenges with “cybersecurity personnel, particularly those with weapon systems cybersecurity expertise,” as well as the tendency for DoD cybersecurity professionals to leave for better-paying private sector jobs after gaining enough experience.

The DoD also recognizes that sourcing more minds and expanding creativity to identify problems and solutions to cybersecurity challenges is crucial. As the director of the Defensive Digital Service has said, “When our adversaries carry out malicious attacks, they don’t hold back and aren’t afraid to be creative.” Finally, the DoD recognizes the cost-effectiveness of bug bounties, having paid $150,000 to hackers for verified results in its pilot program, compared to an estimated $1 million had the Department gone through the “normal process of hiring an outside firm to do a security audit and vulnerability assessment.”

In the short term, following the success of its “Hack the Pentagon” pilot program, the DoD has continued to replicate such time-bound bug bounty programs throughout its branches (Army, Air Force, etc.). The Department is also running and refining its Vulnerability Disclosure Policy (VDP), its ongoing policy and process for security researchers to report vulnerabilities in any DoD public-facing website or web application, which is separate from the bug bounty programs. As ideas to improve the DoD’s web security flow in from citizen hackers, the Department needs to learn to effectively manage this feedback loop. Given the lack of monetary incentives tied to the VDP, the DoD will need to react to discovered vulnerabilities in a timely manner, communicate action(s) taken on the submissions, and reasonably communicate the impact and outcomes of the process in order to attract future participation (and further scale) at very little cost. In the medium term, the DoD seeks to elevate the capabilities and influence of the Defensive Digital Service agency beyond its current role of administering ad hoc bug bounty programs and the VDP. The agency’s mandate is to help the DoD close its technology talent and capability gap relative to the private sector in building its critical systems, which requires openness to both external innovation and better sharing of innovative solutions internally.







