Bug Catchers

DOD hearts hackers


In March, the Department of Defense issued an official invitation to "hack the Pentagon." In a bid to improve security that mimics longstanding practice in private industry, the military invited hackers to find vulnerabilities in the 488 websites it currently runs.

The program is the brainchild of the Defense Digital Service, an office that's supposed to bring youth, engineering expertise, and tech savvy to the feds' kludgy bureaucracy. "I am always challenging our people to think outside the five-sided box that is the Pentagon," said Secretary of Defense Ash Carter in a press release. "Inviting responsible hackers to test our cybersecurity certainly meets that test."

But political concerns have altered the program in ways that are likely to decrease its effectiveness. Only "verified hackers" will be allowed to participate, and they'll have to pass a background check and register with the government—something the best and brightest in the field might be reluctant to do, for obvious reasons. The Defense Department will also provide participants with access to "predetermined department systems" for a "controlled, limited duration," further reducing the probability the program will catch a real security vulnerability.

The pilot program is part of a broader response to recent breaches of federal digital security, including last year's breach at the United States Office of Personnel Management, which compromised the private information of 21.5 million government employees. Less than a month before the new program was announced, an unknown hacker posted a list of nearly 20,000 FBI agents and 9,000 Department of Homeland Security officers online.