back

Ethical Hacking: How the Government Uses Bug Bounty Programs

Fingerprints, birth dates and social security numbers were stolen from more than 20 million people when hackers breached the Office of Personnel Management in 2015, according to a 2016 report by NPR. More than four million current and former federal employees accounts were hacked before officials discovered the same vulnerabilities exposed millions more who received government background checks, the New York Times reports.

The massive breach exposed security holes and put a spotlight on the government’s overall ability to secure sensitive data. Imagine if hackers breached the Department of Education, Social Security Administration or any branch of the U.S. Military?

The damage would be unmeasurable.

Not only are malicious hackers stealing more data and causing widespread damage, but attacks are increasing at shocking rates.

Between 2006 and 2015, the number of reported attacks against government networks increased by 1,300%, according to the 2017 Government Accountability Office Cybersecurity Report.

A cyber war is underway, and government leaders need to safeguard networks and strengthen cyber defense now. It’s a matter of national security.

That’s why government officials are asking ethical hackers to expose vulnerabilities before malicious hackers do through bug bounty programs.

What are Bug Bounty Programs?

When it comes to illegal hacking, automated tools, scanning technologies and other detection software can fail. Bug bounty contests are providing private and public organizations a cost-effective way to audit their networks and reveal vulnerabilities by asking ethical hackers for help.

The earliest recorded bug bounty program was held in 1983, as noted in The Hacker-Powered Security Report 2017. About a decade later, Netscape reintroduced the model and it was “perfected by Microsoft, Google, Facebook, and Mozilla.” As of 2014, more than 70% of the bug bounty programs facilitated by HackerOne, a security consulting firm, were for technology companies. Over the next few years, they expanded across industries, including financial services, healthcare, transportation, and travel and hospitality.

Bug Bounty Programs Rise in the Government Sector

Today, bug bounty programs are spreading throughout the government sector.

In April 2016, the Department of Defense rolled out a Hack the Pentagon bug bounty through HackerOne, according to a 2016 article published by the U.S. Department of Defense. The pilot program was regarded a success, based on the vulnerabilities uncovered and the cost of the exercise.

In all, the program yielded:

  • More than 1,400 participants
  • More than 250 vulnerabilities reported in the DoDs public-facing websites
  • 138 vulnerabilities determined to be “legitimate”

According to the U.S. Department of Defense, the Hack the Pentagon program cost $150,000.

“It’s not a small sum, but if we had gone through the normal process of hiring an outside firm to do a security audit and vulnerability assessment, which is what we usually do, it would have cost us more than $1 million,” former Defense Secretary Ash Carter said.

Defense Secretary Ash Carter announces the results of the “Hack the Pentagon” pilot program. Photo courtesy of DoD.

The Hack the Pentagon program paved the way for other government-sponsored bug bounty programs, including the Hack the Army, held November 30 through December 21, 2016 and Hack the Air Force, which was held May 30 through June 23, 2017.

The Future: More Funding and Legislation

Ethical hackers should expect even more challenges in the near future.

In May 2017, U.S. Senators introduced a bill to establish a bug bounty pilot program within the Department of Homeland Security, according to a 2017 article published by CNN Tech. The “Hack DHS Act” establishes a framework for bug bounties, including making sure participants who report bugs are not prosecuted under the Computer Fraud and Abuse Act.

“Federal agencies like DHS are under assault every day from cyber-attacks,” Senator Maggie Hassan said in a statement, as reported by CNN.

“These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help.”

While legislators are working to expand the programs, funding is also fueling its growth.

In September 2016, the federal government awarded multimillion-dollar contracts to cybersecurity vendors to organize roughly 14 more bug bounty contests within the federal government’s IT networks, according to a 2016 article published in Federal News Radio.

As long as bug bounty programs continue to receive support, politically and financially, freelancer cybersecurity researchers or ethical hackers can help the government better protect its networks and remain one step ahead of the next cyber attack.

Get program guide
YES! Please send me a FREE brochure with course info, pricing and more!