The Pentagon is offering $150,000 for hackers who can find holes in the Defense Department’s public facing websites, but cyber experts with sketchy pasts needn’t apply: The federal government’s first ever bug bounty program is taking heat for requiring participants to pass a background check.
Registration for the “Hack the Pentagon” pilot program officially opened on Thursday this week, and individuals interested in earning six-figure cash prizes are being encouraged to sign up for the cyber challenge before it begins on April 18.
“This initiative will put the department’s cybersecurity to the test in an innovative, but responsible way,” Defense Secretary Ashton Carter said in a statement. “I encourage hackers who want to bolster our digital defenses to join the competition and take their best shot.”
Not just anyone is invited to Hack the Pentagon. To be eligible for the monthlong pilot program, participants must be able to work in the U.S. and successfully pass a security check sanctioned by the Defense Department.
“In addition, successful participants who submit qualifying vulnerability reports will undergo a basic criminal background screening to ensure taxpayer dollars are spent wisely,” the Pentagon’s press office said.
Details regarding what the screening process entails will be communicated to potential participants before they can submit their bugs, the Pentagon said. Individuals who opt out can still participate — albeit without being eligible for a piece of the $150,000 pie that the Pentagon will hand out to hackers.
Security experts were quick to call out the Pentagon for essentially opening up the bounty program only to individuals who can pass a background test — not necessarily an easy feat, especially for hackers who often skirt the fine line between legal and unlawful when looking for vulnerabilities.
“Luckily, all the hackers who can’t pass a background check will stop hacking the Pentagon because they want to follow the rules,” quipped Charlie Miller, a former global network exploitation analyst at the National Security Agency who now researches computer security for ride-share start-up Uber.
The federal government has had its fair share of problems in the past attempting to recruit highly skilled hackers, and FBI Director James Comey went as far as to suggest during a 2014 interview that the bureau should consider relaxing its rules for marijuana use in order to employ pot-smoking cyber experts who may not otherwise be able to get a government job.
“I have to hire a great work force to compete with those cyber criminals, and some of those kids want to smoke weed on the way to the interview,” Mr. Comey told the FBI at the time.
When bug bounty platform HackerOne announced earlier this month that it would assist with the Pentagon’s pilot program, co-founder Alex Rice told NextGov that there was “no question” that restrictions would exclude a sizable amount of hackers who might otherwise be able to identify security vulnerabilities with Defense Department websites.
“As an experiment, it makes an incredible amount of sense to start with a constrained environment that you have a lot more confidence in,” he said.
• Andrew Blake can be reached at ablake@washingtontimes.com.