In early March, the United States Department of Defense challenged cybersecurity experts to hack some of its public websites.
Known as "Hack the Pentagon," the pilot project allowed hackers to identify vulnerabilities in the department's security before the government's adversaries do.
Months later, more than 250 participants out of 1,400 have sent in at least one vulnerability report, with 138 of those vulnerabilities determined to be unique, legitimate and "eligible for a bounty," the department said.
White Hat Hacking
Such flaws in security were detected by an 18-year-old who spent 10 to 15 hours between classes hacking U.S. Defense websites.
David Dworken, who has just graduated from high school, is one of two white hat hackers praised by Defense Secretary Ash Carter on June 17 for successfully finding security flaws.
White hat hackers such as Dworken and Stratum Security consultant Craig Arendt, who was also recognized by Carter, specialize in breaking into systems to assess and test the security of an organization.
In contrast, black hat hackers engage in malicious hacking. They often breach security and exploit them for personal gain.
Carter says black hat hackers and state-sponsored actors want to challenge and take advantage of the department's networks.
He also said what they have not fully appreciated before the program was the presence of white hat hackers who actually want to make a difference instead of spreading harm.
Dworken reported six "bugs" in security, but did not receive a bounty because they had already been reported, according to Reuters.
He said some of the flaws would have allowed black hat hackers to steal account information and display whatever they wanted on the websites.
Dworken, who will take up computer science at Northeastern University, said he had been approached by recruiters about possible internships over the summer. He said his first experience with detecting vulnerabilities was in 10th grade, when he discovered bugs on his school website.
What This Means For Security
The program is considered as a cost-effective method to scour five of the defense department's websites, which include dodlive.mil, defense.gov, dvidshub.net, dimoc.mil and myafn.net for bugs in security.
Instead of coordinating with security firms, which would likely cost $1 million, the department recruited amateurs to do it for much less.
Now, it costs approximately $150,000. The Pentagon paid about $75,000 to successful hackers in small amounts that range from $100 to $15,000.
Hack the Pentagon, which lasted from April 18 to May 12, was limited only to public websites. The hackers did not have access to weapons code and other highly sensitive areas.
Just like the Improv DARPA weapons program, Hack the Pentagon is important for security as it allows the government to prevent and anticipate potential issues, especially from adversaries.
"The more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters," said Carter.
Photo: John Ward | Flickr