The name, I was told, was a non-starter. There was simply no way we would call it Hack the Pentagon. None. You simply can’t call it that. Here’s a tall glass of Nope.
So naturally… we called it Hack the Pentagon.
So with much fanfare and press, on March 31st, 2016, the Department of Defense unveiled the registration page for the first ever federal bug bounty. A day later would have been April Fools Day.
Perhaps that would have been a bit more amusing, but in a world where the Department of Defense invites white hat hackers around the United States to come help us better secure our technology and warfighters… we played it safe and opened it up the day before. It felt like the right thing to do.
That being said I’ve seen tweets asking if it’s an April Fools prank. Good news: it’s not.
Digital Service in the United States government is a precious thing. With an office in the Pentagon and a team consisting of former Google, Shopify, and Palantir employees, we’re coming together to transform one of the world’s biggest bureaucracies.
This is an amazing moment in time. My team, the Defense Digital Service (DDS) exists to bring in the best processes, talent, and technology from private sector into the DoD. An offshoot from the United States Digital Service (USDS) at the White House, we’re tasked with transforming how the Pentagon builds and delivers digital services and products to the three million civilian and military employees in the U.S. and around the world.
I regularly get confused with the IT guy, an AV camera operator, or a vending machine supplier at the Pentagon because I wear a hoodie, and that’s okay. We exist to bring in new ideas and to challenge the way things have been done because some of our approaches to technology need rethinking.
This program is my team’s first public initiative and we couldn’t be more proud, despite making parts of the five-sided box that we call the Pentagon feel a little uncomfortable at times. And why wouldn’t they feel that way? After years of policy built around punishing those from the outside who would research or test our defenses, Hack the Pentagon feels antithetical to the way things have been done for many, many years.
Taking Hack the Pentagon to market has been exhilarating, scary, and challenging. Sometimes all of those emotions would hit at the same time. We built the concept and program in DDS knowing that what was most important was to provide a new way to let Americans help make us all safer at the end of the day.
See, the bad guys aren’t waiting around for us to announce a bug bounty or to win an award… the bad guys are constantly hacking away at our systems looking for weaknesses. Today’s adversary can be comfortably sitting behind a keyboard sipping coffee but their impact can be devastating.
In 2012 alone, DoD public websites had 4 billion visits and 25% of them were nefarious in some way. Think about that – a billion attempts to undermine security. And that’s just a couple of websites. It’s a mind numbing challenge that we have to step up to.
But we have to step up to that challenge in a way that respects our responsibility to the American taxpayer. The $150,000 cost of this program is a mere drop in the bucket when weighed against the $6.7B budget at the DoD for digital security, but we need to ensure that, like all federal funding, the payouts don’t go to convicted sex offenders or other felons.
So while any U.S. taxpayer can play Hack the Pentagon without fear of prosecution, those with serious issues in their past must know in advance that they won’t get paid if they fail a background check. And while we recognize that there is a lot of talent in the world, we have to limit participation to U.S. taxpayers only.
And so it was on the day before April Fools, Hack the Pentagon opened its doors. Just over 24 hours after announcement we had over 500 registrations with over 10 qualified hackers signing up per hour.
That shows the desire to help and be a part of making the US Defense Department or the Pentagon better, stronger, and more secure. We’ve had an outpouring of support from people all over the world looking to help because it’s something that many of us believe in dearly. To say the DDS team is proud is an understatement – this is a big gain for how the United States Government can improve security and we look forward to seeing other agencies use this model.
The next big date is April 18th, 2016, when the bounty actually starts.
If you have the skills and care about making America more secure, I hope you’ll sign up and give it a shot. Bringing in best practices from private sector will help us truly transform the federal government, and I’d like to have you come along with us.
Come hack the Pentagon.