Nafeesa Syeed (Bloomberg) -- The Pentagon is paying hackers to test its key internal systems for vulnerabilities -- and they are finding weaknesses faster than expected.
In a pilot project this past month, the Pentagon’s Defense Digital Service let about 80 security researchers into a simulated “file transfer mechanism” the department depends on to send sensitive e-mails, documents and images between networks, including classified ones. The effort was important enough that staff for new Defense Secretary James Mattis were briefed on the ongoing program his first day on the job.
Lisa Wiswell, whose title at DDS is “bureaucracy hacker,” said she told Pentagon cyber analysts to be on standby after the program started Jan. 11, but added that nothing would likely turn up for a week. Within hours, though, the first report from a hacker highlighting a risk arrived.
“That was surprising,” Wiswell said in an interview at her Pentagon office. “I was like, ‘I don’t know what else is going to come down the pike if we’ve got stuff that’s falling this quickly.”’
Wesley Wineberg, a security researcher based near Seattle who took part in the experiment, said it was his first time looking into a government system. He hadn’t expected it to be from the Defense Department.
“Parts of the system appeared to have been well designed and reviewed from a security perspective, and other parts were quite weak," Wineberg said via e-mail. “Over the years I have learned not to have any expectation that a system will be any more secure than another system just because of its importance or criticality.”
With concerns about cyber vulnerabilities rising across the U.S. government, the cyber firm Synack Inc. received a three-year, $4 million contract in September to carry out “bug bounties” across the Pentagon. The Redwood City, California-based company vetted and recruited security researchers from the U.S., Canada, Australia and the U.K., according to Mark Kuhr, Synack’s chief technology officer and a former National Security Agency analyst. The exercise ran through Feb. 7, with more expected.
Because of security concerns, hackers didn’t get direct access to operational networks. Instead, the digital service replicated the file transfer systems in a “cyber range,” a kind of digital laboratory resembling the original environment. The company also added extra security layers to make sure adversaries didn’t compromise the hackers’ computers or enter into the range.
“We had to assume that their entire laptop is compromised -- the Russians are sitting on the laptops -- how do we prevent them from accessing the challenge,” Kuhr said. “How do we prevent them from accessing any vulnerabilities that could be taken from the challenge?”
Convincing senior leaders at the Pentagon that it was a safe endeavor took time and effort, the digital service said. Chris Lynch, director of the DDS, said he briefed Defense Secretary Mattis’s staff on their first day in office about the program. The file transfer tool is important because it securely moves some of the most important information for Defense Department missions both within the Pentagon and in the field.
“We have an absolute need to be able to relay a command, trust that it’s going to get to a destination and interpret that and then do what it says,” Lynch said in an interview. “If there’s any element when you don’t have trust in that pipeline, that undermines a lot of how the department works.”
The digital service urged hackers to try bypassing the file-transfer protections; pull data out of a network that they weren’t supposed to have accessed; and “own the box,” or take control of the system. Officials won’t specify the gaps that were discovered, but say department cyber experts are now fixing the problems.
The program grew out of earlier projects by the digital service, which is part of the White House’s U.S. Digital Service, started by the Obama administration and so far retained under President Donald Trump. Last year, the service held “Hack the Pentagon,” where outsiders hunted for bugs in the Defense Department’s public websites. The file transfer exercise marked the first attempt to pool hacking talent for internal networks.
Synack, which has done similar custom hacking programs at banks and credit card companies, paid hackers based on the severity of the problem they uncovered. The biggest reward totaled $30,000 in the recent competition.
The experiment comes as the Defense Department faces challenges in handling cybersecurity. The department bolstered spending on capabilities and expertise to build better cyber defenses, yet during tests, critical combatant command missions remain at risk from advanced nation-state actors, according to the Pentagon testing director’s annual report published in January.
“Cyber-attacks are clearly a part of modern warfare, and DOD networks are constantly under attack,” the report said. “However, DOD personnel too often treat network defense as an administration function, not a warfighting capability,” and until that approach changes, the department "will continue to struggle to adequately defend its systems and networks from advanced cyber-attacks.”
In addition, the need for “red teams” - cyber experts that test whether department networks and systems can withstand intrusions - has more than doubled in the past few years. But a significant number have left for the private sector, finding better salaries and more relaxed work settings. As a result, the remaining red teams “are unable to meet current DOD demand,” the testing director said.
The digital service says other parts of the Pentagon have expressed interest in doing similar tailored hacking projects, including around the security of ground command and control systems and internal human resources portals. Sometimes it’s the simplest cracks found in the networks that most unsettle cyber experts.
“An adversary doesn’t need to spend millions of dollars focusing on the most serious, complicated flaws,” Wiswell said. “When we do stupid basic things you bet the adversary would rather use that vector into our networks because it’s cheaper - we’ve lowered the barrier to entry.”