The American Army has recently launched the “Hack the Army” campaign, a bug bounty program in which the Army will offer cash rewards to hackers who find vulnerabilities in selected systems and websites. “Hack the Army” is a direct successor of the “Hack the Pentagon” program launched earlier this year with support from HackerOne, an organization dedicated to making the Internet a safer place for users. That program brought many surprising discoveries about government websites. The U.S. Defense Secretary himself commented on it, emphasizing that this approach is cheaper than traditional penetration tests and tiger teams (which require many expensive contractors). Moreover, offering bug bounties, as many commercial software firms have discovered, is far cheaper and usually produces better results. As a result, many companies, including some of the largest such as Google, Microsoft and Facebook, run “bug bounty” programs because of these advantages.
Meanwhile, the American army has only recently started to realize the huge potential of this method and is changing its attitude towards hackers. For a long time the government and the army focused on traditional methods of training security teams. These teams are often very well trained, but no single team can hold every required skill set or every useful point of view. This shortcoming is addressed by crowdsourcing (a bug bounty open to anyone), which is probably the best way to obtain the skills you need in a rapidly changing world.
HackerOne, the security consulting firm under contract with the Pentagon, has set up a screening process to register members of the public who want to participate in the “challenge”. Civilians working for the government and active-duty military personnel are also eligible. The current program goes one step further than its predecessor, which gave security researchers access only to static websites that were not operationally significant as targets. This time the researchers will be able to “hunt for bugs” in Army recruiting systems, which are a much more dynamic environment.
Many security researchers agree that the program will prove that bringing in creative hackers from a wide variety of backgrounds can fundamentally improve the way the American army protects its soldiers and systems. It should be noted that crowdsourcing among so-called “white hat hackers” will not replace trained security teams, but synergy between the two approaches should drastically improve the army's defensive capability against modern cyber threats.
Thus the Hack the Army program follows in the wake of a 2014 Department of Defense effort to hire 3,000 Internet and software engineers without going through the standard screening process for such civilian specialists. While the top pay was not great ($143,000 a year), the important thing was that people with real software and Internet skills could be hired. There was also apparently an understanding that some types of youthful indiscretions (black hat hacking) could be overlooked. All this leeway was allowed, which is rare, because the Department of Defense is the largest user of networks and computers on the planet. Since it was Department of Defense research (and money) that developed the Internet, it is also the most vulnerable to attack. Unfortunately the attackers (spies, mercenary hackers, or simply very skilled and bored but talented hackers) have far more skills than the people the Department of Defense currently has playing defense. In effect there is a cyber war, and the Department of Defense finds itself outnumbered and outgunned. Desperate measures are required. -- Przemysław Juraszek