DOT grateful for extra hands that bug bounty program provided, CIO says
Federal agencies are doing all they can to boost their cybersecurity resources, from reskilling employees to incorporating artificial intelligence into their networks. But those strategies — whether they involve developing new specialties or using technology to make a smaller workforce more efficient — have their limitations.
One way to expand the circle cost-effectively is to bring in the public, specifically through bug bounty programs, as the military has done with Hack the Pentagon. CIOs in civilian agencies have taken notice and started their own programs, said Department of Transportation CIO Vicki Hildebrand Thursday.
“We, like other agencies, would like to have more resources focused on this within the agency,” she said at the Billington Cybersecurity Summit. “Without that ability, what we’ve done is reached out to crowdsourcing capabilities like Synack to help us what I’m calling ‘cleanse’ our environment.”
Speaking on a panel about innovation, Hildebrand said the department is utilizing the company and its base of freelance white-hat hackers to test for vulnerabilities in its network and to see how fixes could be applied. A recent program showed that technology that seemed “rock solid” actually wasn’t, she said.
The bug bounty industry has grown in popularity since Hack the Pentagon started in 2016, with federal agencies paying civilian hackers tens of thousands of dollars in prizes to uncover vulnerabilities and prescribe potential fixes. The Department of Defense launched its sixth bug bounty program last month with its Hack the Marine Corps exercise, which Thomas Michelli, the DoD’s acting deputy CIO for cybersecurity, said had caught 6,000 vulnerabilities in the service’s public-facing websites.
But Jon Bottarini, a technical program manager at HackerOne, said the focus of these government bug bounty programs is often not to discover new vulnerabilities, but to find ways to patch known holes for agencies who don’t have the resources to do it internally.
“[These issues] could be picked up by a scanner,” he said. “But the ability to take that vulnerability information and transform it into a fix can be really difficult if you have different skillsets or a lack of skillsets, which is really being emphasized by the talent shortage in cybersecurity today.
“One of the main reasons that I think the Department of Defense sided with this model of crowdsourced security is that I think they are trying to leverage the skills and the talents of not just their internal teams, but trying to source the talents of different users around the world who may have some deeper insights into not only the applications, but also the best way to go about fixing them too.”
And while the foundations of ongoing initiatives like IT modernization and new hiring authorities are being laid to provide agencies with long-term strategies for securing their networks, leaders like Hildebrand want to move fast now with methods like crowdsourcing.
“It goes back to being proactive. I don’t want to wait for a bad actor to tell me I’ve got a vulnerability,” she said. “We’ve got to get ahead of this curve.”