On James Mattis’ first day as Defense Secretary, he learned about bugs. A hacking team had discovered critical flaws in a tool the Defense Department uses to transfer computer files.
The team was part of a bug bounty program — expert hackers who are paid to find vulnerabilities in corporations or government agencies.
Pete Yaworski is one of 80 “white hat” hackers around the world who helped identify security issues in two of the DoD’s internal systems. The 32-year-old Canadian was on the DISCREET team at Synack, a security firm with a $4 million contract to hack the Pentagon.
During the three-month project that ended in February, Yaworski and Synack’s team of hackers dove into critical systems to find vulnerabilities that could impact military missions overseas. Once the hacking began, it took just four hours to find important errors.
On Tuesday, Synack announced a $21 million round of funding led by Microsoft Ventures.
Unlike some engineers who spend their careers dedicated to bug hunting, Yaworski is a self-taught hacker who spends his days as a computer engineer for the Ontario government. At night, he works as a Synack contractor, searching for security flaws in targets like the Pentagon. Yaworski taught himself information security by taking classes on Coursera, reading research papers, joining online groups and, eventually, writing a book on bug bounties.
Hacking the Pentagon
Synack’s hackers were the first outsiders to go under the hood of private Pentagon systems, but their predecessors tackled public flaws and paved the way.
Last spring, Hack the Pentagon became the first bug bounty program for the U.S. government.
“Before that point, it would have been illegal for hackers to even look for a vulnerability on Department of Defense websites, even if their intent was to report those to get them fixed,” said Katie Moussouris, founder of Luta Security, who helped start Hack the Pentagon.
Following the success of the 21-day pilot, in which hundreds of hackers participated, the government announced expansion plans.
In November, the Defense Department launched its first ongoing vulnerability disclosure program — it’s now legal for researchers to identify and report flaws on .mil websites. Over the next three years, HackerOne and Luta Security will host up to 19 other public hacking challenges that target government systems.
There are some understandable caveats in the program. For instance, hackers can’t take down websites with denial of service attacks or target government employees to gain access to systems.
The U.S. strategy is now gaining traction overseas. In March, the UK government announced its first vulnerability disclosure pilot, with Luta Security’s assistance.
A boon for defense systems
By enlisting the help of outside hackers, the Defense Department is doing what some leaders in Washington hope will spread across the federal government: using private cybersecurity talent to solve federal security problems.
The DoD and other government agencies have their own security specialists. But supplementing their resources with part-time hackers can provide a faster fix.
According to Chris Lynch, director of the Defense Digital Service, there is increasing interest in bug bounty programs, and it’s leading to a cultural shift within the agency.
“We have people coming out of the woodwork, saying, ‘Hey, I’ve got this system and I’m looking for ways that I can use bug bounties,’” Lynch told CNNTech. “The fact I brief the Secretary of Defense on bug bounty programs and crowdsourced bug vulnerability discovery programs is an amazing evolution. These things didn’t exist two years ago.”
Bounties for federal bugs vary. The highest bounty in the Synack challenge was $30,000. Usually, though, people aren’t doing it for the money. Both Lynch and Moussouris say hackers participate out of a sense of duty, or simply for the bragging rights to say they hacked the Pentagon.
Yaworski said he was motivated to make a difference. And though not a U.S. citizen, he was compelled by some sense of patriotism.
“I’d like to think that other governments are watching and looking at this, and considering the same opportunity for themselves,” Yaworski said. “Part of this was national pride as well. Maybe Canada steps up and does something similar.”